Written by: Hao Nguyen, General Counsel of ComplyAuto
The early bird gets the worm, and personal data lined up yesterday. The Office of Administrative Law (OAL) remained busy through the year by releasing a fourth set of proposed modifications to the regulations relating to the California Consumer Privacy Act (CCPA) in early December. These modifications are a result of a public comment period in which the general public submitted questions and comments to further clarify the text. Here is a summary of the modifications. For the full text, please see the link on the Office of the Attorney General website.
Offline “Do Not Sell My Info” Disclosure Requirement
In addition to posting the required opt-out disclosures online, businesses that “sell” consumers’ personal information (“PI”) must now also provide offline instructions on how consumers can opt out of the sale of their PI. In other words, dealers will need to post conspicuous signage that informs consumers of how they can exercise their right to stop the “sale” of their PI to third parties. If you do not currently have a sign, please review our sample made available on our website (“Sample CCPA Sign” in the upper-right).
Am I Actually “Selling” Personal Information?
Probably. While this warrants a longer discussion that is outside the scope of this article, the CCPA broadly defines the term “sale” beyond just an exchange of PI for monetary value. Several vehicle manufacturers have already taken the position that data sharing arrangements such as through the dealer’s DMS, CRM, and other integrations constitute a “sale” of information under the CCPA. Further, other types of sharing, such as data pushes to direct mail or email marketing companies, may constitute a sale since the consumers’ PI is being provided in exchange for the vendor’s advertising services. Finally, third-party cookies that track consumers across websites (e.g., retargeting ads) may also be considered a sale.
Reminder to Obtain CCPA Service Provider Agreements
It’s important to remember that the CCPA provides an exception to the broad definition of “sale” so long as the dealer is sharing PI with a “service provider” that has signed a written agreement containing certain contractual restrictions. Therefore, dealers are going to want to have qualifying vendors sign a CCPA service provider agreement so that they can limit their liability and exposure to CCPA “do not sell” and “opt out” requirements. See the CNCDA’s CCPA Handbook for a sample agreement, or chat with us at ComplyAuto about how we can help you automatically identify and track the vendors that need to sign the agreement.
What do I do?
To satisfy the new requirement for the offline disclosure, we recommend posting CCPA signage (or updating your existing signs) to inform consumers of their right to opt out of the sale of their information in areas where personal information is collected, including, but not limited to, your sales, finance, service, and parts departments. Make sure the sign directs the consumer to where they can submit their request, such as the required interactive webform. ComplyAuto clients already have access to these signs, which direct consumers to each client’s unique interactive online request portal that we implemented directly into their website.
Standardized Opt-Out Button
Businesses that sell PI must also add a newly designed (and government-prescribed) “opt-out” button to their website. Specifically, the button must be added to the left side of the “Do Not Sell My Personal Information” link and, when clicked, must direct the consumer to the same webpage or online location where they can submit their request. The regulations also require that the button be approximately the same size as any other buttons used on your webpage.
What do I do?
All existing ComplyAuto clients – nothing. You have a working “Do Not Sell My Information” link in your cookie banner and this button will be automatically added when it becomes necessary. For everyone else, you will need to contact your website provider to get this button added if, and when, these new regulations are adopted. In the meantime, you might want to evaluate the current size of your website’s standard buttons since this new opt-out button will need to match them in size.
ComplyAuto: A Purpose-built Solution for your Auto Group or Single-Point Dealership
Looking for a full suite of CCPA compliance tools for your dealership and want to be covered from state enforcement penalties? Please visit our website to learn more about us and our ComplyAuto Compliance Guarantee.