Bill Bowerman and a waffle iron. The Trojan Room coffee pot. The unsolicited car advice from a young tractor mechanic. The common thread? Each seemed trivial at the time, but what followed in the decades afterward turned these seemingly inconsequential events into defining moments that dramatically changed the world around us.* What if I told you that, as you read this article, a similar event is unfolding right now? The event is a very public dispute between Apple and Facebook over the collection and use of personal information. Much as people once saw only an obsessive track coach ruining his wife’s waffle iron, a few computer science buffs wanting a fresh pot of coffee, and a jaded Italian, any disinterested passerby would think, “Big whoop. It’s just two giant tech companies squabbling over how they make money.” I see it differently. I see the concepts of consumers’ rights and personal data finally making their way across the pond from the European Union (and the General Data Protection Regulation) and fundamentally changing the way we do business forever.
The State-By-State Approach and Silver Linings in the Golden State
Ask any California dealer at a national convention and they will tell you that one of the worst things about owning a business in California is . . . owning a business in California. It is a joke that works a crowd, but there is some truth to it: the taxes are exorbitant, the real estate is expensive, and the employment and consumer protection laws are extensive. Dealers are increasingly burdened by having to navigate these outside factors on top of balancing their existing automaker relationships with the actual business of selling cars.
However, there are a few good things about the Golden State. From a legal standpoint, California usually sets the table for new laws and regulations that other states then follow. True to form, California was the first state to adopt a major data privacy law in the United States, the California Consumer Privacy Act of 2018 (CCPA). The CCPA has been a test case with a large sample size, and using California as a “proof of concept” of sorts, other states have slowly been adopting laws and regulations that give consumers protections similar to the CCPA. At the time of this writing, Virginia is poised to become the second state with a comprehensive online data protection law on the books. The bill passed with broad support (89-9 in the Virginia House and 39-0 in the state Senate) and the governor is expected to sign it within the coming days. New York, Washington, Oklahoma, North Dakota, and Minnesota all have some kind of data privacy bill under consideration.
Another silver lining is that if you meet California’s standards, then you will most likely meet any standard that other states, or even the federal government, might adopt. Virginia’s new law will be called the Consumer Data Protection Act and is modeled closely on the CCPA. (For example, both laws define a “covered business” in a similar fashion, give consumers the ability to know or delete the personal data collected about them, and exempt specific types of data and entities that are already regulated under federal laws such as HIPAA, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act.) Having lived and breathed CCPA compliance and provided our dealer-specific suite of tools to over 265 California dealerships, we can say that the room for error is slim: the CCPA imposes extremely strict requirements on California businesses and stiff penalties for violations. And because dealerships operate drastically differently from a typical brick-and-mortar store or online retailer, both in the sheer amount of personal data they collect and in the vast number of interactions a consumer can have at a dealership, the room for error becomes narrower still.
The rest of this article will be skewed toward a California audience, as it discusses the confusing language of the CCPA, its constantly changing regulations, and the California Privacy Rights Act (CPRA) that was passed in November 2020. At a minimum, however, we believe that having a personal data policy and standards in place for how your dealership collects and handles personal information would be viewed as a mitigating factor by both state and federal enforcement agencies in other situations that may be tangentially related, such as a data breach. Privacy is also becoming a matter of corporate social responsibility, as many consumers start to evaluate companies based on how they use and protect their customers’ personal information.
If there is a lesson to be learned here, it is this: regardless of which state you work in, if you were not paying attention to personal data rights in 2018, you should be now. With personal data taking center stage thanks to the popular Netflix documentary “The Social Dilemma,” the events at the Nation’s Capital, and a very public fight between two of the largest technology companies in the world, we enter 2021 with a heightened sense of how we share our personal data in our daily lives and what we can do to control it. It is only a matter of time before your state (or the federal government) adopts some form of consumer data privacy law, and I would not be surprised if it mimics California’s existing laws and regulations.
Inherent Problems with the CCPA
By now, California attorneys have probably attended enough seminars, webinars, and training sessions to hear long-winded diatribes about the confusing nature of the CCPA, and for good reason. They are all right: the CCPA is complex and it is difficult to comply with. But what if I told you the complexity and difficulty were built in to the CCPA? A phrase most software developers like to use to explain away a flaw in their program is “It’s not a bug, it’s a feature.” I would argue that the same applies to the authors of the CCPA. In hoping to increase consumers’ rights to their personal data, the authors unknowingly created situations that are almost impossible for businesses, especially dealerships, to comply with manually. Keeping this language intact, and not dealing with these inherent problems in subsequent regulations, suggests that this was the intent all along (or that they were too lazy to correct it). Pointing out these shortcomings will help us understand and apply these laws to our dealerships. Things are about to get somewhat technical, so bear with me.
Dry Oatmeal Macadamia Cookies. I thought these were the worst kind of cookies ever created, but they aren’t. Thanks to the CCPA, web-browser cookies have vaulted to the top of my list. The California Attorney General has opined that businesses should treat a visitor’s universal browser “do-not-track signal” as an opt-out. In other words, the AG is saying that you have violated the CCPA if a visitor arrives with a “do-not-track signal” set and your website loads third-party advertising cookies anyway. This happens automatically when a website does not have a working cookie banner, because the third-party tags embedded in the page fire on load unless something blocks them.
These third-party cookies collect information from the visitor for advertising, marketing, and other purposes. A popular solution (and the only practical solution I know of) is to have a cookie banner on your website that prevents third-party cookies from loading unless the visitor expressly opts in by selecting something like “I Accept.”
The use of cookie banners for this purpose is getting more popular, but are they actually doing what they are supposed to? Unfortunately, the answer is “probably not.” Most businesses put in a banner simply for the optics, to “not be the tall nail that gets the hammer.” However, these banners rarely do anything if the user declines the cookies (i.e., the cookies load regardless of what choice the user makes). A quick way to check your own site: decline on the banner, then open the browser’s developer tools and look at the cookies and network requests; if ad-tech domains are still setting cookies, the banner is cosmetic. I think a cosmetic banner exposes your dealership to significant liability. If not having one is a blatant violation, any plaintiffs’ attorney worth their fees will be able to argue that purposely having a “fake cookie banner” is an intentional violation that misleads the consumer and is possibly an unfair and deceptive business practice.
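To make the difference between a cosmetic banner and a working one concrete, here is an added example (my own illustration, not code from the original article, from ComplyAuto, or from any website vendor) of a consent gate that treats the browser’s do-not-track signal as an opt-out and injects third-party advertising tags only after an explicit “I Accept.” The tag URLs, the first-party cookie name `ccpa_ad_consent`, and the one-year cookie lifetime are assumptions chosen for the example.

```javascript
// Added example: a consent gate for third-party advertising tags.
// Assumed names: CONSENT_COOKIE and the AD_TAGS URLs are illustrative only.

const CONSENT_COOKIE = "ccpa_ad_consent";      // assumed first-party cookie name
const AD_TAGS = [                              // assumed third-party tag URLs
  "https://ads.example-adtech.invalid/tag.js",
  "https://pixel.example-analytics.invalid/px.js",
];

// Browser opt-out signal as the article describes it: DNT on => treat as opt-out.
// navigator.doNotTrack is "1" when enabled; legacy IE exposed navigator.msDoNotTrack
// and older Safari exposed window.doNotTrack, so all three are checked.
function hasDoNotTrackSignal(nav, win) {
  const candidates = [nav && nav.doNotTrack, nav && nav.msDoNotTrack, win && win.doNotTrack];
  return candidates.some((v) => v === "1" || v === "yes");
}

// Parse the stored banner choice out of a document.cookie string.
// Returns "accepted" | "declined" | null (no recorded decision).
function readConsent(cookieHeader) {
  for (const part of String(cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === CONSENT_COOKIE) {
      const value = decodeURIComponent(rest.join("="));
      return value === "accepted" || value === "declined" ? value : null;
    }
  }
  return null;
}

// String to assign to document.cookie when a banner button is clicked.
// First-party, Secure, SameSite=Lax; one-year lifetime is an assumed retention choice.
function consentCookieString(choice) {
  if (choice !== "accepted" && choice !== "declined") throw new Error("bad consent choice");
  return `${CONSENT_COOKIE}=${choice}; Path=/; Max-Age=31536000; Secure; SameSite=Lax`;
}

// Policy: default-deny. Tags load only on an explicit "accepted" with no DNT signal.
function mayLoadThirdPartyTags({ nav, win, cookieHeader }) {
  if (hasDoNotTrackSignal(nav, win)) return false;   // the signal overrides the banner
  return readConsent(cookieHeader) === "accepted";
}

// Appends a <script> element; returns the URL so the caller can see what was loaded.
function injectScript(doc, src) {
  const el = doc.createElement("script");
  el.src = src;
  el.async = true;
  doc.head.appendChild(el);
  return src;
}

// The "fake banner" anti-pattern from the article: tags fire on page load no matter
// what the visitor clicked; the banner buttons only hide the banner.
function loadTagsRegardless(doc) {
  return AD_TAGS.map((src) => injectScript(doc, src));
}

// The gated loader: returns the list of URLs actually injected (empty when blocked).
function loadTagsIfPermitted(doc, env) {
  if (!mayLoadThirdPartyTags(env)) return [];
  return AD_TAGS.map((src) => injectScript(doc, src));
}

// Browser usage (doc/nav/win come from the page; not executed when run under Node):
//   loadTagsIfPermitted(document, { nav: navigator, win: window, cookieHeader: document.cookie });
```

Two things matter in deployment. First, the gate has to run before any tag-manager snippet, and the ad-tech tags must be removed from the static HTML; a banner that sits beside hard-coded tags is exactly the cosmetic banner described above. Second, the “Do Not Sell My Personal Information” link and the banner’s “Decline” button should both write the `declined` value, so a later page load is blocked without asking again.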
The Identity Verification Trap. When a consumer submits a request to know or delete their personal information, you have to verify the consumer’s identity. In the automotive industry, the most prevalent (and generally accepted) method of identity verification is the customer’s driver’s license or other government-issued ID card. However, the CCPA will not allow you to do this. The regulations specifically state that a business should not ask the consumer for a driver’s license or government-issued ID card because of its sensitive nature and the difficulty involved in obtaining that information securely. Additionally, using facial recognition software in this day and age is heavily scrutinized. I call this a “trap” because the authors did not realize that the CCPA would adversely affect industries in which the forbidden practice is part of the normal course of business. They are setting dealerships up to fail here.
The Encryption Catch-22. A consumer sends a request to know the specific pieces of information you have collected about them (referred to as a “data portability request” in some laws). You take all the necessary steps to verify the consumer’s identity, and everything checks out. All that is left is to send this information to the consumer. Most businesses attach the information to an email and send it off. You may think this is fine, but the lack of security here potentially violates the CCPA, because the law requires that the business use reasonable security measures when transmitting personal information. Sending it unencrypted exposes the sensitive information to interception or misdelivery, which is to say a data breach. Requiring the consumer to come down to the dealership to pick it up can be viewed as too burdensome or outright unfeasible (especially with COVID-19). So, if you do not have the proper measures in place, you’re damned if you do, damned if you don’t (fulfill the request).
More Requirements with the Consumer Privacy Rights Act (CPRA)
More Consumer Rights. Proposition 24 was passed by California voters in November 2020, granting more personal data rights to consumers. Among other things, the CPRA grants consumers additional rights to opt out of the “sharing” of their personal information and to correct inaccurate information, and it requires businesses to identify categories of “sensitive personal information.”
Another State Agency. Additionally, and more notably in my opinion, the CPRA establishes the California Privacy Protection Agency (“Agency”), a new state agency whose sole purpose is to enforce the CCPA (and CPRA) and assess fines on any violating California business. Funded by a government loan of $5M for the first year and $10M in every subsequent year, the Agency is expected to repay this loan with the money it generates through fines and penalties.
The Fourth (FOURTH!) Modified Text of the CCPA Regulations
The early bird gets the worm in 2021, and personal data lined up yesterday. The Office of the Attorney General remained busy through the year, releasing a fourth set of proposed modifications to the CCPA regulations in early December 2020. Below is a summary of the modifications. For the full text, see the Office of the Attorney General’s website.
Businesses that “Sell” Personal Information
In Section 999.306 of Title 11 of the California Code of Regulations, the modified text requires that a business that “sells personal information that it collects” while interacting with consumers offline must inform those consumers of their right to opt out using an offline method. Specifically, in subdivision (b)(3), the drafters replaced every instance of “collects personal information” with “sells personal information that it collects” during offline interactions. Put another way, a business that merely collects personal information in offline interactions is no longer subject to this offline notice requirement; only a business that sells the personal information it collects offline is.
Does This Affect Dealers?
Most likely. Most automakers have taken the firm position that dealers are in fact selling a customer’s personal information to them in the normal course of business. Even setting that aside, dealers are still probably selling a consumer’s personal information. To explain why, we need to revisit the meaning of a “sale” under the CCPA.
“Sale,” “selling,” or “sold” means the selling, transferring, or sharing of a consumer’s personal information by the business to another business or third party for monetary or other valuable consideration. By redefining what we generally understand as a sale associated with money (the drafters could probably have just as easily defined the term “share” or “sharing” instead), the CCPA makes it likely that dealers are selling a consumer’s personal information without even knowing it. For example, when a dealer works with third-party marketing or advertising agencies, the dealer gives those agencies the consumer’s personal information in exchange for the valuable services they provide to the dealer, such as mailers, email campaigns, and the like.
Methods to Notify “Offline” Consumers
A business that sells consumers’ personal information that it collects offline must inform them of their right to opt out and provide instructions on how to do so. Unlike online consumers, who are immediately presented with the “Do Not Sell My Personal Information” link upon visiting a business’s website, offline consumers have no such conspicuous cue. This requirement ensures that offline consumers are notified of their right to opt out.
Does This Affect Dealers?
Yes. Dealers collect personal information in offline interactions in a variety of ways. Consumers can come directly to the dealership to test drive a vehicle, service a vehicle, speak to a salesperson, finance a vehicle, call into the dealership, and more. There needs to be only one instance of “selling” to any one of the dealership’s vendors to sweep the dealership into this requirement.
What Should Dealers Do?
Dealers should post signage informing consumers of their right to opt out in areas where personal information is collected, including, but not limited to, the finance and service departments. Additionally, dealers should train staff who regularly communicate with consumers to inform them of their right to opt out and where to go to exercise it. Not only are training and record-keeping requirements under the CCPA, it is simply bad optics if a dealership employee has no idea what a consumer is talking about when the customer wants to submit a request. ComplyAuto clients already have access to these signs and a script to provide to their staff.
Another Opt-Out Button
All businesses that sell or share consumer personal information must add an “opt-out” button to their website. Specifically, the button must be placed to the left of the “Do Not Sell My Personal Information” link and, when clicked, must direct the consumer to the same webpage or online location as that link.
Does This Affect Dealers?
Most likely. As discussed above, dealers most likely sell and share the consumer personal information they collect. This button gives consumers clearer, not-so-subtle notice of their right to opt out.
What Should Dealers Do?
Dealers should contact their website providers to get this button added if, and when, these new regulations are adopted.
*Those “trivial” events:
Bill Bowerman, a track coach at the University of Oregon, used his wife’s waffle iron to create a rubber outsole that would provide traction on an artificial surface. Debuted in 1974, the “Waffle Trainer” quickly became the flagship running shoe of what is now the global multi-billion-dollar powerhouse called Nike.
The Trojan Room coffee pot was a coffee machine at the University of Cambridge. Many people in the building were left disappointed when they made the long journey to the machine only to find the pot empty. To solve this, a camera was set up in front of the coffee pot to provide a live feed to all desktops on the office network. A few years later, the camera was connected to the Internet and became what is widely regarded as the first webcam.
A successful tractor mechanic modified and raced many of his luxury cars. After modifying a Ferrari and finding many imperfections, he decided to tell the founder, Enzo Ferrari, about these issues as a matter of “professional courtesy.” At the time, Ferrari’s vehicles were the top-of-the-line luxury cars, so, as one would imagine, Ferrari didn’t take the advice well and berated the mechanic. The mechanic used these insults to fuel his passion to create a competing line and debuted his own luxury vehicle in 1963. This tractor mechanic’s name was Ferruccio Lamborghini.
Hao Nguyen has spent his entire legal career in the automotive industry. After a stint with the California New Car Dealers Association (CNCDA), he joined Auto Advisory Services in Southern California and was there through its acquisition by KPA. While there, he provided legal support for all functions at the dealership, from sales operations and registration to service department compliance and vehicle advertising. He now furthers the interests of automotive dealers in a different capacity at ComplyAuto, a cloud-based SaaS company offering a full suite of tools for complete compliance under the California Consumer Privacy Act. For more information about ComplyAuto and its guarantee against state enforcement, please go to: https://complyauto.com.