Note: This post was created prior to the implementation of the CCPA. The law is now in effect as of January 1, 2020. Keep reading to learn more about CCPA compliance and how your dealership may be affected.
The California Consumer Privacy Act (CCPA) has made a lot of California business owners nervous. When the law takes effect on January 1st, 2020, certain businesses will be subject to fines and lawsuits if they fail to comply with all of the regulations detailed in the approved legislation.
Unfortunately for business owners, CCPA readiness isn’t exactly cut and dried. The law has many different parts that are as yet untested in court, so there’s no exact framework to follow in order to prepare. There are, however, solid recommendations that can dramatically reduce your risk of breaking the law.
Are you subject to the CCPA?
Many auto and truck dealers won’t need to prepare for CCPA compliance urgently because they are exempt from the law. The CCPA specifically applies to for-profit businesses in California that meet any of the following three criteria:
- Generate annual gross revenue of more than $25 million
- Receive or share personal information of more than 50,000 California residents each year
- Derive 50% or more of their annual revenue by selling the personal information of California residents
A business that meets any of the tests listed above should start its CCPA compliance efforts immediately. However, businesses that don’t meet the tests shouldn’t ignore the CCPA. Privacy laws are becoming more popular around the world; similar legislation at a federal level or amendments to the law could change compliance requirements.
How can you know if your dealership is ready?
The CCPA covers two major areas: data privacy and cybersecurity. The data privacy provisions require businesses to allow consumers to exercise a certain amount of control over their personal information. This includes:
- Requesting information about the types of data that you collect
- Asking you to delete personal information under certain circumstances
- Opting out of having their information shared with third parties
Work with a qualified IT services provider to determine if your website and data management practices are aligned with these requirements.
The CCPA also requires businesses to enact “reasonable security procedures and practices” to protect consumer data. The California AG has stated that these measures include, at a minimum, the 20 critical cybersecurity controls recommended by the Center for Internet Security. To determine preparedness, businesses should work with their IT services provider to check their cybersecurity controls against this list.
What should you do to prepare?
If your business is subject to the CCPA, you should start preparing immediately. Get started with our list of six tips to make your dealership CCPA compliant.