New CCPA Regulations Already Went into Effect. Are You Covered?

Fellow Dealers:

Earlier this year, Attorney General Xavier Becerra announced yet another set of regulations that changes the laws under the California Consumer Protection Act (CCPA), which went into effect immediately. A copy of the modified regulations can be found here, but here is a high-level overview of what you will need to do:

1. Update CCPA signage. The regulations now require that the “Do Not Sell My Personal Information” disclosures be posted in the areas where the dealer collects personal information. Therefore, you’ll want to ensure you update your CCPA signs to include this disclosure that links the consumer to your interactive web form for submitting CCPA opt-out requests. Remember, dealers are indeed deemed to be “selling” information as that term is broadly defined under the law.

2. Ensure your CCPA forms allow for authorized agent requests. The regulations have clarified the requirements for verifying CCPA requests submitted by a consumer’s authorized agent. Many dealerships are using CCPA forms that do not comply with these requirements. The identity verification requirements for authorized agents are complex and somewhat counterintuitive, so it’s important to ensure you have a process set up for complying with these regulations.

3. Add the new opt-out icon. The regulations now specify a particular design and colors for the CCPA opt-out icon. It is highly recommended that dealers conform to this design and use a cookie banner that allows users to accept or decline third-party tracking cookies, which are considered a “sale” of information under the CCPA. Unfortunately, most dealerships are using cookie banners that do not support compliance with these rules.

4. Stop requiring unnecessary information for opt-out requests. There are four different types of requests a consumer can submit under the CCPA, and each has its own identity verification requirements. The standard is the lowest for opt-out requests, and the new regulations prohibit businesses from asking for information that is not necessary to process the request. Again, many dealership web forms do not comply with this requirement because they aren’t set up to differentiate between the different types of requests. For example, many will require the customer to enter a VIN or address in order to process an opt-out request.

5. Ensure all “opt-out” links take the consumer directly to an interactive CCPA web form. After clicking on the “opt-out” or “do not sell” button, many websites simply direct the consumer to the dealer’s privacy policy. This is now prohibited. Rather, the consumer must be taken directly to the interactive CCPA web form where they can immediately submit the opt-out request.

Don’t Have a Sign Yet?

If you do not have a sign that properly gives a “notice at collection” to consumers who enter your dealership or service department, please go to our website and download a sample copy of your own: (In the upper right corner, select “Sample CCPA Sign.”)

Chris Cleveland
P: (385) 277-5882 E:
