By Gregory Arroyo
The thing that’s so mind-blowing about the California Consumer Privacy Act (CCPA) is its timing. It arrives just as technologies like artificial intelligence and machine learning are about to usher in a major transformation in how dealers stay connected to their customers.
The state of California estimates the CCPA will protect over $12 billion worth of personal information that’s used for advertising in California each year. And as Brian Maas, president of the California New Car Dealers Association (CNCDA), put it, there is “no federacy privacy law with the scope and breadth of this landmark piece of legislation.”
“The biggest challenge is knowing where to start, because the law is so extensive and overwhelming,” Maas says, noting that the association recently published the second edition of its “CCPA Handbook” and is expected to host a series of seminars later this month addressing CCPA compliance.
For California dealers, Jan. 1 — the statute’s effective date — marked 182 days to get into compliance before state Attorney General Xavier Becerra begins enforcing the toughest privacy rule in the United States. State estimates put the cost of compliance at $75,000 in the first year, $2,500 annually.
By the way, fines for each intentional violation is $7,500.
Truth is, this blog entry isn’t directed at California dealers; it’s directed at dealers in Connecticut, Colorado, Maine, Maryland, Massachusetts, Minnesota, New Jersey, New York, North Dakota, Oregon, Pennsylvania, Rhode Island, Texas, and Washington State. Because what happens in California tends to spread, and the states I listed are considering taking similar steps to protect consumer privacy.
The California statute grants consumers the right to know what categories and specific pieces of their information are used, shared and/or sold. It also gives them the right to opt-out of the sale of their data. They can also request that you delete their information.
Honoring those rights means California dealers must determine “the categories” of consumer data they collect, then map out the flow so you know where it’s going. You then need to take steps to ensure the data is protected. Wait, there’s more.
The CCPA also requires that you have a consistent method of tracking where each piece of consumer information goes and how it’s used. And if a customer asks for his or her info to be deleted — and, yes, your website must offer this capability — you must ensure you and all your vendors comply.
All those activities mean coordination with your software vendors is essential. If your planning to make the trip to Las Vegas next month for the 2020 NADA Show, make sure to click here to schedule an appointment with our CRM and DealerFire digital teams. We’ll be in the Las Vegas Convention Center’s Central Hall (Booth No. 3915C), where we also plan to host discussions with compliance experts on the CCPA and its spread to other states.
Now, setting up those consumer rights is a privacy notice California dealers need to hand to their customers “at or before data collection,” the statute says. Compliance guru Randy Henrick with Auto Dealer Compliance says it differs from the model FTC form in that it requires that dealers address the “categories of information described in the CCPA.” It must also inform consumers of their right to learn who their information was shared with during the prior 12 months. The notice must also inform them of their right to opt-out of certain sharing or request that certain pieces of their information be deleted.
Henrick used the word “certain” because the statute does allow businesses to retain consumer data if there is a legal basis. Think of the Equal Credit Opportunity Act, which requires that dealers retain credit applications and any written record used to evaluate the application for 25 months. Governor Gavin Newsom also signed into law a CNCDA-sponsored bill that clarifies that dealers and manufacturers can share information about consumers related to recall and warranty repairs without running afoul of the CCPA. There are questions, however, about whether other federal requirements will take precedence.
“I suspect it will be months, if not years, before we learn if that is the case,” Maas says, noting that he suspects there will be several attempts made to modify the CCPA before its July 1 enforcement deadline.
Attorney General Becerra published the CCPA’s draft regulations in October, which kicked off a public comment period that ended in December. Barring any revisions to the proposed regulations, which will require an additional 15-day comment period, the regulator is now expected to submit final text to the Office of Administrative Law. The OAL will then have 30 working days to review and approve the regulations. If approved, the rules go into effect.
“I don’t believe there will be any delay in the attorney general beginning enforcement of the law on or after July 1,” Maas warned. “We are urging our dealers to comply now.”