ComplyAuto was formed by a dealer who hired software developers to create tools for retailers to comply with complicated privacy laws.
In 2019, months before the California Consumer Privacy Act was set to take effect, Chris Cleveland started to figure out how much data his dealership group, Galpin Motors, collected about its customers.
Cleveland, Galpin’s compliance director, spent months mapping out consumer data to prepare for the new law, which gives consumers rights to know the data businesses collect about them and to limit how businesses can use it.
During his research, Cleveland realized that notifying vendors of a consumer’s request under the law, figuring out which vendors had access to an individual customer’s data and understanding what data vendors even kept was practically a full-time job.
“There’s got to be software out there that can do this for us, automatically, right? There’s no way that this is a sustainable process to have to manually respond to every one of these requests,” Cleveland said. “To our surprise, there really wasn’t any software out there that did anything like that.”
So Cleveland and friend Shane McCallan, who also had worked in automotive compliance, decided to hire software developers to build their own. ComplyAuto was built for their own dealerships, but by October 2020, the pair began to offer the services to other stores. It’s now a standalone business with more than 330 dealerships as customers.
Cleveland, 32, who is ComplyAuto’s CEO and continues to work at Galpin, spoke with Staff Reporter Lindsay VanHulle. Here are edited excerpts.
On the challenges of privacy compliance: The average dealership — what I’m learning is — they don’t have compliance professionals. They don’t have a compliance director. They don’t have an in-house attorney.
A lot of the dealerships we’re working with, it’s the [general manager] who’s been tasked with CCPA compliance, or it’s the marketing director, and they’re just like, “This is way outside of my wheelhouse.”
You think it was hard for us, Shane and I, to do it in our own groups — [it] took us months and months to figure out. Imagine a dealership [that] doesn’t have a legal department. And so the pain points are even harder for them to get their arms around. They don’t even know where to start.
On why dealerships should care: Privacy is just becoming a brand promise. Consumers are rightfully concerned about their privacy, which is why you see this movement throughout the U.S. of states enacting privacy legislation.
It goes a long way for dealerships to say, “Hey, we care about your privacy. We’re going to allow you to make decisions on how we share your information. We’re going to allow you to opt out to tracking third-party cookies that track you across Facebook and things like that.”
I think people want that. It’s almost like social responsibility.
On how the tool works: Do you ever use TurboTax? [It] takes a very complex process like filing your state and federal taxes and turns it into simple yes-or-no questions. We have a dealer-centric approach to that.
So, for example, for each category of personal information, we’ll ask targeted questions like, “Do you track your service loaners?” Because if you do, you’re obviously collecting geolocation data on those customers, and you got to disclose that.
So we kind of go through this wizard with simple yes-or-no questions that takes that eight-month process into literally 20 minutes or less.
On ComplyAuto’s future plans: I can’t share too much about it right now, but it will just be the ultimate compliance solution for everything else that isn’t data security.
So think of traditional sales and F&I compliance. We’re going to modernize that — make deal jacket audits and the old-school methods of compliance a thing of the past and turn it into something where you don’t need to train your salespeople to be lawyers.
On staying ahead when it comes to data privacy: Under the CCPA, dealerships are one of the few industries that collect literally every category [of] information covered under the law, just because of the nature of the dealership. You’re doing finance transactions. You’re doing test drives, so it’s driver’s license info. You’re doing service; they’ve got vehicle information. Some dealerships even collect geolocation data when they’re tracking loaners. We’re doing digital marketing and all the website stuff
We’re collecting a lot of personal information. And it’s just naive of dealers to think that this isn’t going to be an issue moving forward. And to just kind of wait until it affects them is a mistake because, as I learned at Galpin, it is not a quick, overnight process.