Last year, in response to several data privacy scandals including the Facebook/Cambridge Analytica controversy, the California state legislature passed a new law intended to restrict the way personal information is shared by businesses. It was signed into law in June 2018 and amended over subsequent months.
This law, the California Consumer Privacy Act (CCPA), marks a big shift in how customer data is treated. It requires businesses—including auto and truck dealers—to change some of their data collection and storage practices.
What is the California Consumer Privacy Act?
While not as restrictive as the General Data Protection Regulation (GDPR) that went into effect recently in the European Union, the CCPA does put businesses on notice to improve their transparency and responsiveness to consumer privacy concerns.
What are the main provisions of the CCPA?
The goal of the act is for California residents to have greater control over the information that businesses collect about them. These consumers can:
- Request information about the types of data that businesses collect
- Ask businesses to delete personal information under certain circumstances
- Opt out of having their information shared with third parties
- Bring a private right of action (a.k.a. a lawsuit) against a company if they are the victim of an unauthorized breach of non-encrypted personal information
The last provision should be particularly worrisome to businesses. Between state and private actions, a business with poor data security policies could be on the hook for thousands, even millions of dollars in fines and lawsuits. Recent proposed changes to the CCPA could make it even less favorable for businesses, with limitations on the ability to cure violations or ward off lawsuits.
Why should auto and truck dealerships care about the CCPA?
Although it may seem like this law mainly targets technology companies, auto and truck dealerships should also pay attention, assess their own data security, and be prepared to make changes.
Dealerships collect data about customers every day. Potential car buyers enter their personal identifying information in web forms, and also disclose financial information in purchasing or credit approval processes. Most online and paper forms that customers fill out to test drive, buy, or lease a car contain sensitive information. It’s important for dealers to have a strong grip on all of this data.
How should dealerships respond?
To deal with changes to consumer privacy policies, dealerships both in and out of California should take some steps to ensure they will be compliant with the CCPA when it becomes active in 2020.
Many of these steps require looking at current data collection practices and improving them. An IT assessment is a good way to learn how strong your current security posture is and how this may affect future CCPA compliance. Knowing where you stand now can help get your dealership to where it needs to be on January 1, 2020.
From here, the next steps include developing new data management techniques, informing employees about the changes, and developing new policies for data collection.
Third-party relationships and vendor management policies should be examined to ensure that flows of consumer data are carefully controlled.
Another essential component is the inclusion of opt-out instructions on your website as well as updated text about data collection policies and CCPA rights. All of these steps can be put together in a checklist to make sure your dealership is being proactive about compliance.
Finally, pay attention to any changes to the CCPA, either in related legislation or regulatory clarifications. It’s likely that this consumer privacy law will continue to evolve, and it’s important for dealerships to stay on top of any changes in order to plan effectively.