The California Consumer Privacy Act, effective Jan. 1, 2020, gives California consumers the right to take more ownership of their data. Among other requirements, the new law requires businesses to honor consumer demands to access personal information collected about them; be informed to whom their personal information is sold or disclosed; and allow the consumer to opt out of the sale or sharing of their personal information. Consumers can also demand that a business and its affiliates, such as third-party vendors, delete their personal information.
Dealers should pay close attention because similar laws are being considered in other states as well. Those states include Connecticut, Hawaii, Maryland, Massachusetts, Minnesota, Pennsylvania and Rhode Island.
Any dealership that does business with a California consumer and that meets any of the following criteria must comply with the California Consumer Privacy Act:
- Earns annual gross revenue of more than $25 million
- Buys, sells and/or shares personal information of 50,000 consumers, households or devices for commercial purposes annually
- Derives 50% or more of annual revenue from selling consumers’ personal information
Dealerships collect a tremendous amount of data about consumers and they share necessary customer data with a number of third-party vendors, automakers and finance sources. Few dealers currently have the ability to efficiently log where that data is shared. The California law will now require consistent tracking of data use and sharing.
Steps California auto dealers should take to prepare for the state’s consumer privacy act include (1) determining exactly what types consumer data the dealership collects; (2) making sure vendors are aware of the law and intend to comply; (3) updating dealership privacy policies and disclosures; (4) performing cyber security risk assessments; (5) updating safeguards for consumer data; (6) working with qualified vendors to ensure ability to comply with consumer information and data purge requests; and (7) taking appropriate steps to account for ongoing compliance requirements.
Compliance will be a serious challenge for dealers due to the vast array of third parties with whom consumer data is shared. It is imperative that all dealers, no matter where they are located, immediately begin reassessing data collection, storage and sharing practices.