Written by: Hao Nguyen, General Counsel of ComplyAuto
By now, we have probably gone to enough seminars, webinars, and training sessions to hear long-winded diatribes about the confusing nature of the CCPA – and for good reason. They are all right: the CCPA is complex and it is difficult to fulfill, but what if I told you the complexity and difficulty were built into the CCPA? A phrase most software developers like to say to explain away a flaw in their program is “it’s not a bug, it’s a feature.” In hoping to increase consumers’ rights to their personal data, the authors of the CCPA unknowingly created almost impossible situations for businesses to comply with manually, especially dealerships. Keeping this language intact – and not dealing with these inherent problems in subsequent regulations – suggests that this was the intent (or that they were too lazy to correct it). Things are about to be somewhat technical, so bear with me.
Dry Oatmeal Macadamia Cookies. I thought that these were the worst kind of cookies ever created, but they aren’t. Thanks to the CCPA, web-browser cookies have vaulted to the top of my list. The California Attorney General has opined that businesses should treat a visitor’s web browser’s universal “do-not-track signal” as an “opt-out” if a visitor comes to your website. In English, the AG is saying that you have violated the CCPA if the visitor has a “do-not-track signal” and you load third-party advertising cookies. These third-party cookies collect information from the visitor to use for advertising, marketing, and other reasons.
A popular solution is to have a working cookie banner on your website that prevents third-party cookies from loading unless the visitor expressly opts in and selects something like “I Accept.” Do most of them work? Probably not. Most businesses put in a banner simply for the optics and to “hide in plain sight.” However, these banners rarely do anything and cookies load regardless of what choice the user makes. I think that this exposes your dealership to significant liability. If not having one is a blatant violation, any plaintiff’s attorney worth their fees will be able to argue that purposely having a “fake cookie banner” is an intentional violation that misleads the consumer and is possibly an unfair and deceptive business practice.
The Identity Verification Trap. The most prevalent (and generally acceptable) method of identity verification in our industry is the driver’s license. Though the CCPA requires that we verify the consumer’s identity in a request to know or delete, it will not allow us to use the driver’s license. The regulations prevent this because of its sensitive nature and the difficulty involved in securely obtaining that information. Additionally, using facial recognition software is heavily scrutinized. I call this a “trap” because the authors didn’t realize that the CCPA would adversely affect industries where violations could occur in a business’s normal course of business. They are setting up dealerships to fail here.
The Encryption Catch-22. A consumer sends a request to know the specific pieces of information you have collected about him (referred to as a “data portability request” in some laws). You take all the necessary steps to verify the consumer’s identity and everything checks out. All that is left is to send this information to the consumer. Most businesses attach the information to an email and send it off. You may think this is “okay,” but the lack of security here potentially violates the CCPA because the law requires that the business use reasonable security measures when transmitting personal information. The lack of encryption here potentially subjects the sensitive information to a data breach. A requirement that they come down to the dealership can be viewed as too burdensome or outright unfeasible (especially with COVID-19). So, if you don’t have the proper measures in place, you are damned if you do, damned if you don’t (fulfill the request).
Not only is the CCPA already a nightmare to comply with, the text of the laws themselves continues to confuse and confound all of us. However, pointing out these shortcomings will help us understand these laws and apply them to our dealerships. We at ComplyAuto are working closely with CNCDA to identify these issues and to advocate for modifications with regulators and policy makers to reduce such compliance traps going forward.