Data Protection and California's Consumer Privacy Act
Evolution of Data Protection, California’s Consumer Privacy Act, and Colorado’s Response
If you have been following Automotive News, you have probably read about the FTC enforcement action taken against dealer management system (DMS) provider DealerBuilt. The FTC found that the DMS failed to use “readily available measures to protect personal information obtained from dealer clients.” While DealerBuilt has since remedied these issues, this is a recent example of consumer data taking the spotlight in federal enforcement, and it underscores a series of issues that dealers must watch going forward. It is also a segue into the 2020 legislative session at the Colorado capitol.
Historically, data protection measures focused on financial data and identity theft. This was largely governed by the Gramm-Leach-Bliley Act (GLB), which Congress passed in 1999. GLB required auto dealers to tell customers what information was being collected and with whom it was being shared, and to give the consumer an option to opt out where one applied. The opt-out was limited, however: it covered sharing with nonaffiliated third parties, subject to a list of exceptions. This was the genesis of the Model Privacy Notice, which satisfies the notification requirements GLB places on dealers.
For over a decade, the Model Privacy Notice was enough. However, the data world was shaken in 2016 when the European Union adopted the General Data Protection Regulation, or “GDPR.” This regulation was designed to protect the privacy of people in the EU, but it was unique in that it carried an extraterritorial provision. That meant that even if you were an American company, if you did business with people in the EU you had to handle their data in accordance with GDPR standards.
While GDPR did not impact auto dealers in a significant way, it did take a significant toll on American technology companies. Companies like Apple, Google, and Amazon had to amend the way they were doing business, which opened the door for the US Congress to adopt a similar bill.
As often happens when Congress is faced with a dilemma, it did nothing. In its absence, individual states began adopting their own privacy regulations, incorporating GDPR requirements to varying degrees. First was California with its California Consumer Privacy Act of 2018 (CCPA). The act is intended to let consumers know what data is being collected, whether that data is sold, and to whom; to give them the ability to access their data and to opt out of its sale; to let them request that the dealer delete their personal information; and to ensure that they are not subject to discrimination for exercising their privacy rights.
Notably, the CCPA also has an extraterritorial reach. So, if a Colorado dealer is doing business with Californians – which is likely for used car sales, parts, or service – the requirements of this law can apply to that dealer. Passed in 2018 and amended in 2019, the CCPA’s provisions come into effect on January 1, 2020.
Soon after California passed the CCPA, New York, Illinois, and various other states introduced ‘similar but non-identical’ bills of their own. Still, at a nationwide level, CCPA is the compliance challenge in front of all dealers – for now.
I say for now because Colorado has not yet passed its own consumer data legislation. It is expected that such a bill will be introduced in the 2020 legislative session, beginning in January. While details of the proposed bill are not yet known, preparing now for compliance with CCPA will almost certainly put the Colorado dealer in a sound position to comply with whatever law Colorado may pass.
So, how does the Colorado dealer comply with CCPA?
Consensus is slim, even this close to the deadline. There are a variety of contractors offering a CCPA audit, or software that will help you assess where you stand. But all are hesitant to qualify their advice as ‘legal advice’ given the immense uncertainty surrounding the regulation. Having sat through several compliance sessions, I have seen a few ‘best practices’ emerge to help dealers conduct a self-assessment:
1) Assess whether you are covered. The CCPA applies to a for-profit business that does business in California and meets any one of three thresholds: annual gross revenue over $25 million; buying, receiving, selling, or sharing the personal information of 50,000 or more California consumers, households, or devices per year; or deriving at least half of its annual revenue from selling consumers’ personal information. Note that the 50,000 consumers, households, or devices can include devices visiting your website without their owners ever setting foot in your dealership. If you collect that data, it counts toward the threshold.
2) Catalog the types of information your dealership collects. In order to make consumers aware of what data you are collecting, you must first understand it yourself. Consultation with title clerks, finance and service managers, and your DMS provider will help you understand what types of data are being collected, where they are stored, and who has access to them. This is the foundation for compliance.
3) Rewrite your dealership’s data policy. Develop a process for the storage, retention, and removal of consumer data, including how you will verify and fulfill an access or deletion request. In what capacities will you disclose or sell it? Note that if the data is collected through your contractors, like your DMS provider, they are likely updating their processes as well, and your policy should reflect theirs.
4) Develop consumer notices for customers. Make it clear to consumers, at or before the point of collection, what types of data you will collect, how that data is used or disclosed, and what process they need to follow to access it or request that it be removed from your records. Bear in mind that personal information collected pursuant to federal laws like Gramm-Leach-Bliley is exempt from most of the CCPA. That exemption does not, however, extend to the CCPA’s data breach provision, so GLB-covered financial data still needs to be secured to the CCPA’s ‘reasonable security’ standard.
5) Let your employees know. You collect data on your employees as well. Employee and applicant data used solely within the employment context is largely exempt from the Act, but the exemption is temporary and incomplete: dealers must still give employees and applicants a notice, at or before collection, of the categories of personal information collected and the purposes for which it will be used, and the exemption is scheduled to sunset on January 1, 2021 unless the legislature extends it. Data that is not used ‘exclusively for employment purposes’ is subject to the CCPA from the outset.
6) Connect with contractors and service providers. The CCPA gives consumers a private right of action against a dealer when nonencrypted and nonredacted personal information is exposed by unauthorized access because the dealer failed to implement and maintain ‘reasonable security procedures and practices.’ Statutory damages are available per consumer, per incident, without the consumer having to show any actual harm, and because the provision reaches only nonencrypted and nonredacted data, encrypting stored customer records materially reduces exposure. Dealerships should set policies and procedures for access control: locking unattended terminals and network access points, monitoring and securely storing paperwork, and enforcing password standards. Ensure your contractors are taking the same precautions, and get that commitment in writing in your service agreements.
While these precautions do not guarantee success at this early stage, they will give the dealer a good head start in compliance efforts. This is a topic on which you should consult your attorney. The California Attorney General has recently released more than 20 pages of proposed regulations clarifying the intent and specifics of the law. With that said, not all questions have been addressed, and early enforcement actions will likely highlight discrepancies in expectations between the states and the industry.
CADA will follow the Colorado legislature and whatever version of a privacy act it introduces this year. Please watch for a subsequent update as that bill works its way through the legislative process.