The Battle Over Personal Data, and the Dealers Caught in the Crossfire

Bill Bowerman and a waffle iron. The Trojan Room coffee pot. The unsolicited car advice from a young tractor mechanic. The common thread? These brief events seemed trivial at first, but what came of them in the decades that followed turned these seemingly inconsequential moments into defining ones that would dramatically change our future.* What if I told you that, as you are reading this article, a similar event is unfolding right now? The event is a very public dispute between Apple and Facebook over the collection and use of personal information. Much like how many saw only an obsessive track coach ruining his wife’s waffle iron, a few computer science buffs wanting a fresh pot of coffee, and a jaded Italian all those years ago, any disinterested passerby would think, “Big whoop. It’s just two giant tech companies squabbling over how they make money.” I see it differently. I see the concepts of consumers’ rights and personal data finally making their way across the pond from the European Union (and the General Data Protection Regulation) and fundamentally changing the way we do business forever.

The State-By-State Approach and Silver Linings in the Golden State

Ask any dealer from California at a national convention and they will tell you that one of the worst things about owning a business in California is . . . owning a business in California. It is a joke that works a crowd, but there is some truth to it: the taxes are exorbitant, the real estate is expensive, and the employment and consumer protection laws are extensive. Dealers are increasingly burdened by having to navigate these outside factors on top of balancing their existing automaker relationships with the actual business of selling cars.

However, there are a few good things about the Golden State. From a legal standpoint, California usually sets the table for new laws and regulations that other states then follow. In true fashion, California was the first state to adopt a major data privacy law in the United States, the California Consumer Privacy Act of 2018 (CCPA). The CCPA has been a test case with a large sample size, and using California as a “proof of concept” of sorts, other states have been slowly adopting laws and regulations that provide consumers protections similar to the CCPA. At the time of this writing, Virginia is poised to become the second state with a comprehensive online data protection law on the books. The bill passed with broad support (89-9 in the Virginia House and 39-0 in the state Senate), and the governor is expected to sign it within the coming days. New York, Washington, Oklahoma, North Dakota, and Minnesota all have some kind of data privacy bill under consideration.

Another silver lining is that if you meet California’s standards, then you will most likely meet any standards that other states, or even the federal government, would possibly adopt. Virginia’s new law will be called the Consumer Data Protection Act and is modeled very closely on the CCPA. (For example, both laws define a “covered business” in a similar fashion, give consumers the ability to delete or know the personal data collected about them, and exempt specific types of data and entities that are already regulated under federal laws such as HIPAA, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act.) Having lived and breathed CCPA compliance and provided our dealer-specific suite of tools to over 265 California dealerships, we can say that the room for error is slim, as the CCPA imposes extremely strict requirements on California businesses and stiff penalties for violations. And, with dealerships operating drastically differently from a typical brick-and-mortar store or online retailer just by the sheer amount of personal data dealerships collect and the vast number of interactions a consumer can have at a dealership, the room for error becomes even narrower.

The rest of this article will be skewed toward a California audience, as it will discuss the confusing language of the CCPA, its constantly changing regulations, and the California Privacy Rights Act (CPRA) that was passed in November of 2020. However, at a minimum, we believe that having a personal data policy and standards in place as to how your dealership collects and handles personal information would be viewed as a mitigating factor by both state and federal enforcement agencies in other situations that may be tangentially related, such as a data breach. Privacy is also becoming a matter of corporate social responsibility, as many consumers start to evaluate companies based on how they use and protect their consumers’ personal information.

Also, if there is a lesson to be learned here, it is this: regardless of which state you work in, if you were not paying attention to personal data rights in 2018, you should be now. With personal data taking center stage through the popular Netflix documentary “Social Dilemma,” the events at the Nation’s Capital, and a very public fight between two of the largest technology companies in the world, we enter 2021 with an increased sense of how we share our personal data in our daily lives and what we can do to control it. It is only a matter of time before your state (or the federal government) adopts some form of consumer data privacy law, and I would not be surprised if it mimics California’s existing laws and regulations.

Inherent Problems with the CCPA

By now, California attorneys have probably gone to enough seminars, webinars, and training sessions to hear long-winded diatribes about the confusing nature of the CCPA, and for good reason. They are all right: the CCPA is complex and it is difficult to fulfill. But, what if I told you the complexity and difficulty were built into the CCPA? A phrase most software developers like to say to explain away a flaw in their program is “It’s not a bug, it’s a feature.” I would argue that the same applies to the authors of the CCPA. In hoping to increase consumers’ rights to their personal data, the authors unknowingly created situations that are almost impossible for businesses to comply with manually, especially dealerships. Keeping this language intact, and not dealing with these inherent problems in subsequent regulations, suggests that this was the intent all along (or that they were too lazy to correct it). Pointing out these shortcomings will help us understand and apply these laws to our dealerships. Things are about to be somewhat technical, so bear with me.

Dry Oatmeal Macadamia Cookies. I thought that these were the worst kind of cookies ever created, but they aren’t. Thanks to the CCPA, web-browser cookies have vaulted to the top of my list. The California Attorney General has opined that businesses should treat a website visitor’s browser-level “do-not-track” signal as an “opt-out” when that visitor comes to your website. The AG is saying that you have violated the CCPA if the visitor has a “do-not-track” signal enabled and you load third-party advertising cookies anyway. This happens automatically when a website does not have a working cookie banner.

These third-party cookies collect information from the visitor to use for advertising, marketing, and other purposes. A popular solution (and the only practical solution I know of) is to have a cookie banner on your website that prevents third-party cookies from loading unless the visitor expressly opts in and selects something like “I Accept.”

The use of cookie banners for this purpose is getting more popular, but are they actually doing what they are supposed to? Unfortunately, the answer is “probably not.” Most businesses put in a banner simply for the optics, to fulfill the goal of “not being the tall nail that gets the hammer.” However, these banners rarely do anything if the user declines the cookies (i.e., cookies load regardless of what choice the user makes). I think that this exposes your dealership to significant liability. If not having one is a blatant violation, any plaintiff’s attorney worth their fees will be able to argue that purposely having a “fake cookie banner” is an intentional violation that misleads the consumer and is possibly an unfair and deceptive business practice.
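To make the difference concrete, here is an added example (not code from the article or from ComplyAuto) that puts the “fake banner” pattern next to a banner that gates third-party tags on consent and treats the browser’s “do-not-track” signal as an opt-out, plus the check a dealership could run against its own banner. The tag URLs, the `fakeBanner`/`gatedBanner`/`honorsOptOut` names and the tiny DOM stand-in are constructed for this example so it runs in Node; `navigator.globalPrivacyControl` is the Global Privacy Control signal, which the CCPA regulations describe as a user-enabled global privacy control.

```javascript
// Added example: consent-gated loading of third-party advertising tags,
// contrasted with a banner that loads them regardless of the user's choice.

// Constructed placeholder tag URLs (not real vendors).
const AD_TAGS = [
  'https://ads.example-vendor.invalid/pixel.js',
  'https://retarget.example-vendor.invalid/tag.js',
];

// Minimal stand-in for `document` so the gating logic runs outside a browser.
function makeFakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return {
    head,
    createElement(tag) { return { tagName: tag.toUpperCase(), src: '' }; },
    loadedScripts() {
      return head.children.filter((e) => e.tagName === 'SCRIPT').map((e) => e.src);
    },
  };
}

// Appending a <script> is what actually starts the vendor download and
// drops its cookies, so this is the step that must be gated.
function injectTags(doc) {
  for (const src of AD_TAGS) {
    const s = doc.createElement('script');
    s.src = src;
    doc.head.appendChild(s);
  }
}

// Pattern 1, the "fake" banner the article warns about: tags are injected on
// page load and the banner merely records the click afterwards, so declining
// (or a do-not-track signal) changes nothing.
function fakeBanner(doc, nav, userChoice) {
  injectTags(doc);
  return { decision: userChoice, loaded: doc.loadedScripts() };
}

// Consent decision for Pattern 2. A browser-level "do-not-track" (DNT = "1")
// or Global Privacy Control signal is treated as an opt-out. Only an explicit
// "accept" allows loading; "decline" or no recorded choice loads nothing.
function decideConsent(nav, storedChoice) {
  if (nav.doNotTrack === '1' || nav.globalPrivacyControl === true) return 'opt-out';
  return storedChoice === 'accept' ? 'accept' : 'pending';
}

// Pattern 2, the gated banner: decide first, inject only on accept.
function gatedBanner(doc, nav, userChoice) {
  const decision = decideConsent(nav, userChoice);
  if (decision === 'accept') injectTags(doc);
  return { decision, loaded: doc.loadedScripts() };
}

// Practitioner check for any banner implementation with this shape: it passes
// only if nothing loads on decline, nothing loads when the browser signals
// do-not-track, and everything loads on an explicit accept.
function honorsOptOut(banner) {
  const declined = banner(makeFakeDocument(), { doNotTrack: null }, 'decline');
  const dnt = banner(makeFakeDocument(), { doNotTrack: '1' }, 'accept');
  const accepted = banner(makeFakeDocument(), { doNotTrack: null }, 'accept');
  return declined.loaded.length === 0
    && dnt.loaded.length === 0
    && accepted.loaded.length === AD_TAGS.length;
}

// Stand-alone demonstration.
console.log('fake banner honors opt-out: ', honorsOptOut(fakeBanner));   // false
console.log('gated banner honors opt-out:', honorsOptOut(gatedBanner));  // true
```

In a real page the same `decideConsent` result would also be used to decide whether to send the vendor a consent flag or to delete cookies it set earlier; the check above only covers whether the tags load.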

The Identity Verification Trap. When a consumer submits a request to know or to delete their personal information, you will have to verify the consumer’s identity. In the automotive industry, the most prevalent (and generally acceptable) method of identity verification is to use either the customer’s driver’s license or another government-issued ID card. However, the CCPA will not allow you to do this. The regulations specifically state that the business should not ask the consumer for their driver’s license or government-issued ID card because of its sensitive nature and the difficulty involved in securely obtaining that information. Additionally, using facial recognition software in this day and age is heavily scrutinized. I call this a “trap” because the authors did not realize that the CCPA would adversely affect industries where violations could occur in the normal course of business. They are setting up dealerships to fail here.

The Encryption Catch-22. A consumer sends a request to know the specific pieces of information you have collected about him (referred to as a “data portability request” in some laws). You take all the necessary steps to verify the consumer’s identity, and everything checks out. All that is left is to send this information to the consumer. Most businesses attach the information to an email and send it off. You may think this is okay, but the lack of security here potentially violates the CCPA, because the law requires that the business use reasonable security measures when transmitting personal information. The lack of encryption potentially exposes the sensitive information to a data breach. Requiring that the consumer come down to the dealership instead can be viewed as too burdensome or outright unfeasible (especially with COVID-19). So, if you do not have the proper measures in place, you’re damned if you do, damned if you don’t (fulfill the request).

More Requirements with the Consumer Privacy Rights Act (CPRA)

More Consumer Rights. Proposition 24 was passed by California voters in November 2020, granting more personal data rights to consumers. Among other things, the CPRA grants the consumer additional rights to opt out of the “sharing” of their personal information and to correct inaccurate information, and requires businesses to identify categories of “sensitive personal information.”

Another State Agency. Additionally, and more notably in my opinion, the CPRA establishes the California Privacy Protection Agency (“Agency”), a new state agency whose sole purpose is to enforce the CCPA (and CPRA) and assess fines on any violating California business. Funded by a government loan to the tune of $5M for the first year and $10M in every subsequent year, the Agency will repay this loan with the money it is anticipated to generate through fines and penalties.

The Fourth (FOURTH!) Set of Modified Text to the CCPA Regulations

The early bird gets the worm in 2021, and personal data lined up yesterday. The Office of Administrative Law (OAL) remained busy through the year by releasing a fourth set of proposed modifications to the CCPA regulations in early December of 2020. Below is a summary of the modifications. For the full text, please see the Office of the Attorney General’s website.

Businesses that “Sell” Personal Information

What Changed?

In Section 999.306 of Title 11 of the California Code of Regulations, the modified text requires that a business that “sells personal information that it collects” while interacting with consumers offline must inform these consumers of their right to opt out using an offline method. Specifically, in subdivision (b)(3), the drafters replaced every instance of “collects personal information” with “sells personal information that it collects” during offline interactions. Put another way, businesses that merely “collect” personal information in offline interactions are no longer included under the purview of the CCPA here; rather, any business that “sells personal information that it collects” offline is implicated.

Does This Affect Dealers?

Most likely. Most automakers have taken a firm position that dealers are in fact selling a customer’s personal information to them in the normal course of business. Aside from this, dealers are still probably selling a consumer’s personal information. To explain this, we need to revisit the meaning of a “sale” under the CCPA.

“Sale,” “selling,” or “sold” means the selling, transferring, or sharing of a consumer’s personal information by the business to another business or third party for monetary or other valuable consideration. By redefining what we generally understand as a sale associated with money (the drafters could probably have easily defined the term “share” or “sharing” instead), dealers are most likely selling a consumer’s personal information without even knowing it. For example, when a dealer works with third-party marketing or advertising agencies, the dealer gives these agencies the consumer’s personal information in exchange for the valuable services that they provide to the dealer, such as mailers, email campaigns, and the like.

Methods to Notify “Offline” Consumers

What Changed?

A business that sells consumers’ personal information that it collects offline must inform them of their right to opt-out and provide instructions on how to do so. Relative to online consumers who are immediately presented the “Do Not Sell My Personal Information” link upon going to a business’s website, this right to opt-out may not be as conspicuous to these offline consumers. This requirement allows offline consumers to be notified of their right to opt-out.

Does This Affect Dealers?

Yes. Dealers collect personal information in offline interactions in a variety of ways. These consumers can go directly to the dealership to test drive a vehicle, service a vehicle, speak to a salesperson, finance a vehicle, call into the dealership, and more. There only needs to be one instance of “selling” to any one of the dealership’s vendors to sweep the dealership into this requirement.

What Should Dealers Do?

Dealers should post signage that informs the consumer of their right to opt out in areas where personal information is collected, including, but not limited to, the finance and service departments. Additionally, dealers should train their staff who regularly communicate with consumers to inform them of their right to opt out and where to go if they want to exercise this right. Not only are training and record-keeping requirements under the CCPA, it is simply bad optics if a dealership employee has no idea what a consumer is talking about when the customer wants to submit a request. ComplyAuto clients already have access to these signs and a script to provide to your staff.

Another Opt-Out Button

What Changed?

All businesses that sell or share consumer personal information must add an “opt-out” button to their website. Specifically, the button must be added to the left side of the “Do Not Sell My Personal Information” link and, when clicked, must direct the consumer to the same webpage or online location.

Does This Affect Dealers?

Most likely. As discussed above, dealers most likely sell and share the consumer personal information they collect. This button provides more clarity to consumers of their right to opt-out in a not-so-subtle way.

What Should Dealers Do?

Dealers should contact their website providers to get this button added if, and when, these new regulations are adopted.

*Those “trivial” events:

Bill Bowerman, a track coach at the University of Oregon, used his wife’s waffle iron to create the rubber outsole of a shoe that provided traction on an artificial surface. Debuted in 1974, the “Waffle Trainer” quickly became the flagship running shoe of what is now known as the global multi-billion-dollar powerhouse called Nike.

The Trojan Room coffee pot was a coffee machine at the University of Cambridge. Many people in the office were left disappointed when they took the long journey to the machine only to find the coffee pot empty. To solve this, a camera was set up in front of the coffee pot to provide a live feed to all desktops on the office network. A few years later, the camera was connected to the Internet and provided inspiration for the first webcam.

A successful tractor mechanic modified and raced many of his luxury cars. After modifying a Ferrari and finding many imperfections, he decided to tell the founder, Enzo Ferrari, of these issues as a matter of “professional courtesy.” At the time, Ferrari’s vehicles were the top-of-the-line luxury cars, so, as one would imagine, Ferrari didn’t take the advice well and berated the mechanic. The mechanic used these insults to fuel his passion to create a competing line and debuted his own luxury vehicle in 1963. This tractor mechanic’s name was Ferruccio Lamborghini.

Hao Nguyen has spent his entire legal career in the automotive industry. After a stint with the California New Car Dealers Association (CNCDA), he joined Auto Advisory Services in Southern California and was there through its acquisition by KPA. While there, he provided legal support in all functions at the dealership: from sales operation and registration to service department compliance and vehicle advertising. He now furthers the interests of automotive dealers in a different capacity at ComplyAuto, a cloud-based SaaS company offering a full suite of tools for complete compliance under the California Consumer Privacy Act. For more information about ComplyAuto and its guarantee against state enforcement, please go to:
