In March 2025, Honda reached a settlement with the California Privacy Protection Agency (CPPA), agreeing to pay a fine of $632,500 (approximately 2,373,000 Saudi riyals) for violations related to the use of cookies in a manner that was not compliant with the California Consumer Privacy Act (CCPA).
This case highlights the growing importance of complying with privacy regulations, including the Personal Data Protection Law (PDPL) in the Kingdom of Saudi Arabia. It also emphasizes the ongoing challenges that companies face in ensuring the protection of personal data and fulfilling the requirements imposed by the relevant regulations.
Honda Case:
Investigations revealed that Honda provided unequal options for managing cookies on its website. Users could accept all cookies with a single click (“Allow All”), while rejecting them required additional and more complicated steps. This approach violates the “proportionality” principle under the CCPA, which requires that acceptance and rejection options be equally accessible and straightforward.
Moreover, Honda did not enter legal contracts containing the provisions required by the CCPA with third parties that use cookies to collect personal data, resulting in the sharing of user information without adequate legal safeguards. The violations also included requesting excessive information to verify users’ identities when they exercised their rights, such as when submitting requests to opt out of data sales.
Global Requirements for Cookie Compliance
EU: General Data Protection Regulation (GDPR)
The European regulation is considered one of the strictest laws governing the use of cookies. Its requirements include:
Prior Consent: Explicit consent must be obtained before storing any non-essential cookies.
Transparency: Users must be clearly informed about the types of cookies and their purposes.
Right to Withdraw: Users must be able to easily change their preferences or withdraw consent at any time.
California: California Consumer Privacy Act (CCPA) and Its Update via the California Privacy Rights Act (CPRA)
The CCPA, which was later amended by the CPRA, does not require prior consent for the use of cookies. Instead, it focuses on a set of requirements to protect user privacy, most notably:
Clear Notice: Providing transparent information about the use of cookies.
Opt-Out or Do Not Sell/Share Option: Enabling users to refuse the sale or sharing of their personal data with third parties by offering a clear “Do Not Sell or Share My Personal Information” link.
Support for Do Not Track Signals: Respecting browser settings such as “Do Not Track” and Global Privacy Control (GPC) signals as valid opt-out requests.
Enhanced Oversight: Under the CPRA, the California Privacy Protection Agency (CPPA) was established to enforce the law and monitor compliance.
Saudi Arabia: Personal Data Protection Law (PDPL)
The Personal Data Protection Law (PDPL), issued by Royal Decree No. M/19 dated 9/2/1443H, regulates the processing of personal data, which includes any information relating to an identifiable natural person. The use of cookies is considered a form of personal data processing under the PDPL, as they can be used to collect and store information such as browsing history or user preferences, even though cookies are not explicitly mentioned in the law. The law requires:
Consent: Explicit consent is generally required for processing personal data through non-essential cookies, such as those used for advertising or marketing purposes.
Transparency: Companies must clearly explain the purposes of data collection and how the data will be used, providing clear notices to users.
Exceptions: Consent is not required in limited cases, such as processing mandated by judicial requirements or for security purposes, in accordance with Article 6 of the PDPL.
Lessons Learned from the Honda Case
The Honda case highlights the importance of:
Providing equal and user-friendly options for accepting or rejecting cookies.
Entering into legal agreements with third parties that include the necessary provisions to protect shared data.
Adhering to transparency in explaining how data is collected and used.
Avoiding the collection of unnecessary information for verifying users’ identities.
Recommendations for Companies in Saudi Arabia
To comply with the PDPL regarding cookies, it is recommended to:
Implement clear and easily accessible consent mechanisms on websites, such as cookie notices that allow users to easily choose their preferences.
Obtain explicit consent for non-essential cookies, such as those used for advertising or behavioral analytics.
Provide detailed and clear information in the privacy policy about the types of cookies, their purposes, and their storage duration.
Regularly review and update privacy policies to ensure compliance with current regulations.
Train employees on PDPL requirements, with a focus on personal data protection and ensuring user privacy.
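As an added illustration (not code from the article or from Honda), the following model shows how a website can gate non-essential cookies under the two regimes the article contrasts: prior consent (GDPR/PDPL style) versus opt-out with mandatory handling of Global Privacy Control signals (CCPA/CPRA style), while keeping "Allow All" and "Reject All" equally easy. The category names, the `regime` values and the shape of the stored `choice` are illustrative assumptions.

```javascript
// Added example: consent gating for cookie categories. Category names,
// regime labels and the stored-choice format are illustrative assumptions.
const COOKIE_CATEGORIES = {
  essential:   { requiresConsent: false, soldOrShared: false }, // session, CSRF token
  analytics:   { requiresConsent: true,  soldOrShared: false },
  advertising: { requiresConsent: true,  soldOrShared: true  }, // third-party ad networks
};

// Global Privacy Control: server side it arrives as the `Sec-GPC: 1` request
// header; in the browser it is exposed as navigator.globalPrivacyControl.
function hasGpcSignal(req) {
  const header = req && req.headers && req.headers['sec-gpc'];
  if (header !== undefined) return String(header).trim() === '1';
  return typeof navigator !== 'undefined' && navigator.globalPrivacyControl === true;
}

// regime: 'opt_in'  (GDPR / PDPL style: no non-essential cookie before explicit consent)
//         'opt_out' (CCPA/CPRA style: allowed until the user opts out, but a GPC
//                    signal must be honoured as an opt-out of sale/sharing)
// choice: null (no decision recorded), 'accept_all', 'reject_all', or
//         a per-category object such as { analytics: true, advertising: false }
function allowedCategories(regime, req, choice) {
  const gpc = hasGpcSignal(req);
  const allowed = {};
  for (const [name, meta] of Object.entries(COOKIE_CATEGORIES)) {
    if (!meta.requiresConsent) { allowed[name] = true; continue; }
    if (choice === 'accept_all') allowed[name] = true;
    else if (choice === 'reject_all') allowed[name] = false;
    else if (choice && typeof choice === 'object') allowed[name] = choice[name] === true;
    else allowed[name] = regime === 'opt_out'; // no decision recorded yet
    // Conservative assumption: a GPC signal overrides defaults and stored
    // choices for any category whose data is sold or shared with third parties.
    if (gpc && meta.soldOrShared) allowed[name] = false;
  }
  return allowed;
}

// Symmetric banner: both outcomes are a single click, so rejecting is never
// harder than accepting.
function bannerActions() {
  return [
    { label: 'Allow All',  choice: 'accept_all', clicks: 1 },
    { label: 'Reject All', choice: 'reject_all', clicks: 1 },
  ];
}
```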
Conclusion:
Cookies are a vital tool for enhancing user experience and collecting data, but they are subject to strict regulation worldwide. In Saudi Arabia, the Personal Data Protection Law (PDPL) requires companies to obtain explicit consent and maintain transparency when using cookies as part of personal data processing. Adhering to these requirements is not only a legal obligation, but also an opportunity to build customer trust and strengthen reputation in the growing digital market.
Fatmah Alqhtani
Senior Privacy and Data Protection Specialist with a background in cybersecurity and an interest in regulatory compliance and privacy governance.