Given the numerous and complex requirements of the CCPA and CPRA, dealers should seriously consider adopting privacy management software to help them navigate and maintain compliance with these regulations. Privacy management software can simplify the process of addressing regulatory requirements, reduce the risks of non-compliance, and save valuable time and resources for the dealer so they can rededicate those efforts to selling and servicing motor vehicles.
Please do not hesitate to contact ComplyAuto at firstname.lastname@example.org if you have any questions about this compliance manual.
No doubt dealers have seen some kind of communication sent from their automakers alerting them to the CCPA. Specifically, this notice comes in the form of an updated data sharing agreement that automakers have encouraged dealers to sign, but what does it all mean? Given that there are multiple versions of these data sharing agreements sent to dealers depending on their data collection practices, we cannot capture every single variation or clause within the agreements here, but we can speak to why the automakers are sending them to you. Dealers who require further clarification or advice should reach out to their in-house counsel or attorneys for more information.
Automaker as a Third Party
Under the definitions of the CCPA, automakers generally qualify as Third Parties. As noted earlier, Third Parties are those vendors who (a) collect consumers’ personal information and (b) are not Service Providers. Because Service Providers are defined in the negative in the CCPA, i.e. by what they are not allowed to do with the consumer’s personal information that they collect, Third Parties are essentially vendors who perform these prohibited acts. In other words, Third Parties may do any of the following:
- Sell or share the personal information;
- Retain, use, or disclose the personal information for any purpose;
- Retain, use, or disclose the personal information outside of their business relationship with the dealer; or
- Combine the personal information they receive with any other information they collect from other vendors.
Automakers and Third-Party Contracts
The new regulations introduce a new requirement: Third Parties must sign a contract with the dealer that contains very specific requirements and prohibitions. Without this contract, the Third Party cannot collect, use, process, retain, sell, or share the personal information that the dealer has made available to it.
As discussed in a previous chapter, this contract between the dealer and automakers may contain language that does each of the following:
- Identifying the limited and specific purpose(s) for which the personal information is made available to the Third Party;
- Stating that the personal information is made available only for the limited and specific purpose(s) set forth within this contract;
- Requiring the Third Party to comply with all applicable sections of the CCPA by providing the same level of privacy protection as required by the dealer;
- Granting the dealer the right to take reasonable and appropriate steps to ensure that the Third Party uses the personal information in a manner that is consistent with the dealer’s obligations under the CCPA and its accompanying regulations;
- Upon receiving written notice from the dealer, taking appropriate steps to stop and remediate unauthorized use of personal information made available to the Third Party; and
- Notifying the dealer as soon as practicable after the Third Party determines that it can no longer meet its obligations under the CCPA or its accompanying regulations.
These clauses are probably included in the data sharing agreement that was discussed earlier in this chapter. Dealers who require further clarification or advice should reach out to their in-house counsel or attorneys for more information.
The CCPA imposes strict enforcement measures and penalties for non-compliance, and dealers have been among the first targets and top priorities in enforcement sweeps announced by the California Attorney General (AG). A press release announcing the enforcement action against a dealership and the accompanying enforcement data have one common theme – the AG cares about the technical provisions of the CCPA and will heavily scrutinize the business’s existing practices. Prior to the press release, many thought the AG would just be looking for the more obvious low-hanging fruit. However, the AG cited the dealership for technical violations, such as the failure to have a designated toll-free number and a process for authorized agents to submit CCPA requests. The AG’s enforcement data revealed other common technical violations:
- Non-compliant CCPA service provider contracts.
- Failure to link to CCPA Notice at Collection in marketing emails.
- Failure to acknowledge and respond to requests within designated time limits.
- Missing a clear and easy-to-find “Do Not Sell My Personal Information” link (under the latest regulations, the link can now be titled “Your CA Privacy Choices”).
- Requiring that authorized agents provide notarized documentation.
- Requiring government-issued identification for exercising rights.
It is also worth noting that, on several occasions and most notably its complaint against Sephora, the AG has reinforced its position that a “sale” of information occurs even when there is simply an exchange of information for “valuable consideration” such as that provided in the context of analytics and retargeting services with companies like Meta and Google. As discussed earlier in Chapter 5, since most dealerships deploy third-party tracking cookies for retargeting ads, this means that almost every dealership is “selling” or “sharing” information as those terms are defined under the CCPA. In short, the enforcement data highlights that a lackadaisical approach to CCPA compliance simply is not good enough. It is crucial for dealers to understand the potential consequences and take necessary steps to ensure compliance.
Non-compliance with the CCPA can result in significant financial penalties to the business, ranging from $2,500 per violation for non-intentional violations to $7,500 per violation for intentional violations. These penalties can be assessed on a per-consumer basis, which means the total amount can escalate rapidly.
Private Right of Action
The CCPA provides a limited private right of action for consumers in the event of certain data breaches, allowing them to seek damages ranging from $100 to $750 per incident or actual damages, whichever is greater. While the private right of action does not cover all CCPA violations, this has not deterred plaintiffs’ lawyers from filing lawsuits (including class actions) based on the CCPA. Most of these lawsuits involve data breaches, inaccurate privacy policies, and notice at collection requirements. Accordingly, dealers may still face legal challenges and reputational damage even in the absence of direct enforcement action from the AG.
California Privacy Protection Agency (Agency)
The CCPA establishes the Agency as an enforcement authority with the power to issue fines against businesses for non-compliance and allocates at least $10 million from California’s General Fund annually for its operation. The Agency’s funding structure, which relies on penalties levied against non-compliant businesses, creates an incentive for the Agency to actively and eagerly pursue enforcement actions to hold businesses accountable.
The CCPA heightens the risks associated with data breaches as it grants consumers the right to sue businesses for damages resulting from unauthorized access, theft, or disclosure of their personal information. Ensuring that robust data security measures are in place is essential to minimize the risk of breaches and the associated legal, financial, and reputational consequences.
Dealerships should also be mindful of the Web Content Accessibility Guidelines (WCAG) and foreign language requirements of the CCPA.
Web Content Accessibility Guidelines (WCAG)
Foreign Language Requirements
All disclosures under the CCPA must be provided in the languages in which the dealer ordinarily communicates with its consumers or for which it posts other signs or disclosures in a foreign language. For example, if a dealer commonly negotiates in Spanish or has signs and other disclosures in Spanish, all CCPA-related disclosures must be offered in Spanish as well. Dealers must identify the languages in which the dealership ordinarily communicates with its customers and ensure that all CCPA-related materials are translated accurately and professionally into those languages.
CCPA regulations specifically require employee training to ensure that businesses maintain compliance and that their staff members are knowledgeable about the California privacy requirements. Additionally, by investing in employee training and adopting best practices, dealers can promote a culture of privacy compliance, improve customer relations, and minimize the risk of non-compliance with the CCPA. It is also important to note that insufficient employee training would very likely be considered a negative factor by the California Privacy Protection Agency (Agency) when weighing potential enforcement actions against non-compliant businesses.
Identifying Applicable Personnel
According to the regulatory language, businesses should ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or compliance with the CCPA are informed of all the requirements of the CCPA and its accompanying regulations. Due to the ambiguity of this language, dealerships should consider providing training to all consumer-facing employees and human resources personnel (meaning that service technicians probably do not need to take CCPA training if they do not regularly interface with customers). This approach ensures that staff members who interact with customers, job applicants, or employees are well-equipped to effectively address any CCPA-related questions or concerns (or at least know where to direct them) and prevent potential consumer or employee complaints.
Frequency of Training
While neither the law nor regulations specify how often employees should be trained on the CCPA, it is recommended that dealerships provide yearly training for all relevant staff members in order to keep employees updated on the latest privacy regulations and dealership practices. Additionally, new employees who will be responsible for handling consumer inquiries about privacy practices should receive training as part of their onboarding process to ensure that they are familiar with CCPA requirements from the outset of their employment.
The CCPA broadly requires the implementation of “reasonable” cybersecurity measures to safeguard consumer data and minimize the risk of data breaches. In this chapter, we will discuss data breach liability under the CCPA, the California Attorney General’s reference to the Center for Internet Security (CIS) Controls for achieving reasonable security standards, and the overlap with the federal GLBA Safeguards Rule, compliance with which dealers should consider maintaining.
California Attorney General’s Reference to CIS Controls for Achieving Reasonable Security
While the CCPA does not clarify what it means by “reasonable” data protection and cybersecurity protocols, the California Attorney General’s office has previously referenced the Center for Internet Security (CIS) Controls as a framework for achieving minimum “reasonable” security measures. In a February 2016 Data Breach Report, Kamala D. Harris, the then State Attorney General, and the California Department of Justice stated that the failure to implement the CIS Controls that apply to an organization’s environment constitutes a lack of reasonable security. The CIS Controls provide a set of best practices that businesses can adopt to protect their networks and data from cyberthreats. By implementing the CIS Controls, dealerships can demonstrate their commitment to data security and compliance with the CCPA’s reasonable security standards.
Data Breach Liability Under the CCPA
The CCPA holds businesses accountable for data breaches resulting from inadequate security measures. In the event of a data breach, affected consumers may have the right to file a lawsuit in a private right of action against the dealership seeking statutory damages ranging from $100 to $750 per consumer per incident, or actual damages, whichever is greater. This potential liability highlights the importance of implementing robust cybersecurity measures to protect consumer data and meet the reasonable security standards required by the CCPA.
Overlap with the Federal GLBA Safeguards Rule
The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, recently revised by the FTC and effective June 9, 2023, sets forth requirements for financial institutions (including dealerships) to protect the security, confidentiality, and integrity of customer information. Compliance with the specific requirements of the Safeguards Rule can help dealerships meet CCPA data protection requirements. For a comprehensive discussion of the revised Safeguards Rule, please refer to the CNCDA guide titled Complying with the Revised FTC Safeguards Rule.
Transmitting Data in Response to Right to Know Requests
CCPA regulations require that dealers securely transmit data when responding to Right to Know requests and emphasize the importance of safeguarding consumers’ personal information during the process. Relying on traditional email communication to share this sensitive information is insufficient and may not meet the regulatory requirement to secure the information in transit. Specifically, responses to Right to Know requests may contain highly sensitive personal information about a consumer, which necessitates heightened security measures. To comply with the CCPA and protect consumers’ privacy, businesses should use a secure and encrypted portal for uploading and transmitting the requested data. These portals should also include identity verification processes to ensure that only the authorized consumer can access their personal information.