Inherent Problems with the CCPA


Written by: Hao Nguyen, General Counsel of ComplyAuto

By now, most of us have sat through enough seminars, webinars, and training sessions to have heard long-winded diatribes about the confusing nature of the CCPA, and for good reason. They are all right: the CCPA is complex and difficult to fulfill. But what if I told you the complexity and difficulty were built into the CCPA? A phrase software developers like to use to explain away a flaw in their program is “it’s not a bug, it’s a feature.” In trying to increase consumers’ rights over their personal data, the authors of the CCPA unknowingly created situations that are almost impossible for businesses, especially dealerships, to comply with manually. Leaving this language intact, and not dealing with these inherent problems in subsequent regulations, suggests that this was the intent (or that they were too lazy to correct it). Things are about to get somewhat technical, so bear with me.

Dry Oatmeal Macadamia Cookies. I thought these were the worst kind of cookie ever created, but they aren’t. Thanks to the CCPA, web-browser cookies have vaulted to the top of my list. The California Attorney General has opined that a business should treat a visitor’s browser-level universal “do-not-track” signal as an opt-out when that visitor comes to its website. In plain English, the AG is saying that you have violated the CCPA if a visitor arrives with a “do-not-track” signal enabled and your site still loads third-party advertising cookies. Those third-party cookies collect information about the visitor for advertising, marketing, and similar purposes, which is precisely the processing the signal asked you not to do.

A popular solution is a working cookie banner that prevents third-party cookies from loading unless the visitor expressly opts in by selecting something like “I Accept.” Do most of them work? Probably not. Most businesses put a banner up for the optics, to “hide in plain sight,” and the banner rarely does anything: the third-party tags are loaded on page load, and the cookies are set regardless of what choice the visitor makes. The test is simple: open the site with the browser’s developer tools on the Network tab, before clicking anything on the banner, and see whether the advertising and analytics tags are already being requested. I think a non-working banner exposes your dealership to significant liability. If not having a banner is a blatant violation, any plaintiff’s attorney worth their fees will be able to argue that purposely having a “fake cookie banner” is an intentional violation that misleads the consumer and is possibly an unfair and deceptive business practice.
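What a banner that actually works looks like in code, as an added example (this is not ComplyAuto’s or the article’s code): third-party tags are injected only after an explicit, recorded opt-in, and a browser-level opt-out signal is honored even if the visitor later clicks “Accept.” It goes slightly beyond the text by also checking the Global Privacy Control signal (`navigator.globalPrivacyControl`) alongside the older `navigator.doNotTrack`. The vendor tag URLs, the storage key name, and the small fake browser at the bottom are assumptions so the file runs outside a real page.

```javascript
// Added example (not from the article): a cookie banner gate that really
// withholds third-party tags until the visitor opts in, and treats a
// browser-level opt-out signal as an opt-out that cannot be overridden.
// Assumed/hypothetical: the tag URLs, the localStorage key name, and the
// tiny fake browser used so the file runs outside a real page.

// Constructed sample tag list (hypothetical vendor URLs).
const THIRD_PARTY_TAGS = [
  "https://ads.example-network.test/pixel.js",
  "https://analytics.example-vendor.test/tag.js",
];

// Gate decision. navigator.doNotTrack is "1" when the user enabled DNT;
// navigator.globalPrivacyControl is true when the Global Privacy Control
// signal is on. Either one is an opt-out and wins over a stored "accepted".
function thirdPartyAllowed({ consent, doNotTrack, globalPrivacyControl }) {
  if (doNotTrack === "1" || globalPrivacyControl === true) return false;
  return consent === "accepted";
}

// Read the signals; `nav` and `storage` are injected (navigator/localStorage
// in a browser) so the same logic can be exercised in Node.
function readSignals(nav, storage) {
  return {
    consent: storage.getItem("cookie_consent"), // "accepted" | "rejected" | null
    doNotTrack: nav.doNotTrack,
    globalPrivacyControl: nav.globalPrivacyControl === true,
  };
}

// Inject tags only when the gate allows it. Returns what was injected so the
// behaviour can be checked; a "fake" banner would inject unconditionally.
function loadThirdPartyTags(doc, signals, tags = THIRD_PARTY_TAGS) {
  if (!thirdPartyAllowed(signals)) return [];
  return tags.map((src) => {
    const script = doc.createElement("script");
    script.src = src;
    script.async = true;
    doc.head.appendChild(script);
    return src;
  });
}

// Banner click handler: persist the choice, then re-evaluate the gate.
function onBannerChoice(choice, doc, nav, storage) {
  storage.setItem("cookie_consent", choice === "accept" ? "accepted" : "rejected");
  return loadThirdPartyTags(doc, readSignals(nav, storage));
}

// Minimal stand-in for document/navigator/localStorage (constructed for the
// example; in a page you would pass the real objects instead).
function makeFakeBrowser({ doNotTrack = "unspecified", globalPrivacyControl = false } = {}) {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  const doc = { head, createElement: (tag) => ({ tag }) };
  const store = new Map();
  const storage = {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => { store.set(k, v); },
  };
  return { doc, storage, nav: { doNotTrack, globalPrivacyControl } };
}

// Walk through the three cases the article is concerned with.
const fresh = makeFakeBrowser();
console.log("first visit, no choice yet:", loadThirdPartyTags(fresh.doc, readSignals(fresh.nav, fresh.storage)));
console.log("after Accept:", onBannerChoice("accept", fresh.doc, fresh.nav, fresh.storage));
const dnt = makeFakeBrowser({ doNotTrack: "1" });
console.log("DNT on, even after Accept:", onBannerChoice("accept", dnt.doc, dnt.nav, dnt.storage));
```

In a real page you would call `loadThirdPartyTags(document, readSignals(navigator, localStorage))` once on load and wire the banner buttons to `onBannerChoice`. The part most banners get wrong is ordering: if a tag manager or ad pixel is already in the page’s `<head>` as a plain `<script>`, it fires before any of this runs, so the gate has to sit in front of the tag manager itself, not just in front of the tags it later loads.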

The Identity Verification Trap. The most prevalent (and generally accepted) method of identity verification in our industry is the driver’s license. Though the CCPA requires that we verify the consumer’s identity in a request to know or delete, it will not allow us to use the driver’s license for that purpose. The regulations prevent this because of the license’s sensitive nature and the difficulty of collecting and storing it securely. Using facial recognition software is likewise heavily scrutinized. I call this a “trap” because the authors did not realize that the CCPA would adversely affect industries where following the normal course of business would itself be a violation. They are setting dealerships up to fail here.

The Encryption Catch-22. A consumer sends a request to know the specific pieces of information you have collected about him (referred to as a “data portability request” in some laws). You take all the necessary steps to verify the consumer’s identity and everything checks out. All that is left is to send the information to the consumer. Most businesses attach it to an email and send it off. You may think this is “okay,” but the lack of security here potentially violates the CCPA, because the law requires that a business use reasonable security measures when transmitting personal information. An unencrypted attachment travels through mail servers the business does not control and then sits in the consumer’s inbox indefinitely, so a breach of any mailbox along the way exposes the very data the consumer asked you to account for. Requiring the consumer to come down to the dealership can be viewed as too burdensome or outright unfeasible (especially with COVID-19). So, if you don’t have the proper measures in place, you are damned if you do and damned if you don’t (fulfill the request).

Not only is the CCPA already a nightmare to comply with, the text of the laws themselves continues to confuse and confound all of us. However, pointing out these shortcomings will help us understand these laws and apply them to our dealerships. We at ComplyAuto are working closely with CNCDA to identify these issues and to advocate for modifications to regulators and policymakers to reduce such compliance traps going forward.
