One addition brought about by passage of the CPRA is the creation of a new government agency called the California Privacy Protection Agency, which is “vested with full administrative power, authority and jurisdiction to implement and enforce” the CCPA as amended by the CPRA. So, if you were thinking that CCPA was something you didn’t need to worry about because California didn’t have the resources to enforce it – you might want to think again.
A key aspect of the CCPA is that businesses take “reasonable measures” to secure consumers’ personally identifiable information (PII) – such as names, addresses, social security numbers, credit card numbers, credit scores, and bank account numbers. The California Attorney General defines “reasonable measures” as compliance with the 20 controls established by the Center for Internet Security (CIS). The implementation and ongoing management of these IT best practices are essential to keeping a dealer’s data, systems, and finances secure. If a dealership suffers a cybersecurity breach and has failed to take “reasonable measures” to secure consumer data, then the dealership will be liable to pay any state-imposed fines as well as handle legal action brought forth by individual consumers. Yes, this law provides individual consumers a private right of action.
The CPRA is considered to be the toughest consumer privacy law in the world. It is likely that this law will serve as a model for potential federal legislation. So, the passage of CPRA is something that dealers across the country should consider.
Passage of CPRA – also known as CCPA 2.0 – serves as a signal to dealers that it is time to evolve your IT environment and bring it up to current IT standards. Cybercrime isn’t going away, and consumer frustration with businesses that are incapable of securing the data entrusted to them is mounting. The implementation of IT best practices takes time and expertise. Now is the time to begin the process of modernizing your dealership’s IT.