Personal Data: Update on California’s Personal Data Laws (CCPA) and Lessons from the VW-Audi Data Breach


By Chris Cleveland (CEO) and Hao Nguyen (General Counsel) of ComplyAuto 

Personal data continues to be a hot topic in 2021, and there is nothing to suggest that it will subside any time soon. From the numerous data breaches that have occurred since the beginning of the year to the ever-changing landscape of privacy and personal data laws in each state, the way businesses handle personal information that they collect from consumers is now becoming a brand promise that consumers come to expect. Given that Defender is meant specifically for attorneys in the automotive retail space, we will discuss two very important issues that arose in 2021: (1) the press release by the California Attorney General (AG) summarizing its enforcement actions over the California Consumer Privacy Act (CCPA) since July of 2020 (Spoiler Alert: It’s not good for our industry.); and (2) the VW-Audi data breach and the lessons we can learn from it. 

California AG Takes CCPA Enforcement Action Against Dealership-Manufacturer.

On July 19, 2021, California AG Rob Bonta announced several enforcement actions relating to the CCPA, the nation’s toughest privacy law, and urged more Californians to take advantage of their new rights. To many people’s surprise, a California dealership-manufacturer made it to the top of the Attorney General’s list of offenders.

The AG’s press release, which did not identify the name of the dealership, cited that the business “failed to notify consumers of the use of personal information when collecting personal information from consumers seeking to test drive vehicles at a dealership location, in addition to other omissions in its privacy policy.”

The AG’s more detailed enforcement data showed that the dealership was also cited for other somewhat technical issues, such as failing to have a process for authorized agents to submit requests, not having a toll-free number for CCPA requests, and not providing an in-person notice at collection. The AG also announced a new tool where consumers can easily report businesses that violate the CCPA to the AG’s office (i.e., a “snitching tool”) and draft their own notices of violation. The AG even urged consumers to report businesses who do not have a clear and easy-to-find “Do Not Sell My Personal Information” link on their homepages. Let’s break down the press release and accompanying enforcement data and what it means for dealers.

Every Dealer Should Start Taking the CCPA Seriously.

The AG made an example of the automotive industry by listing a dealership enforcement action as the first example in their press release. Dealerships and manufacturers are likely on the AG’s radar due to the vast amount of information they collect and share with service providers and other third parties, including sensitive personal information collected as part of test drives and vehicle financing. The new online tool for reporting violations will also make it much easier for consumers to report offending dealers, giving new meaning to the old adage “The consumer is always right.” As such, dealerships must take a closer look at their CCPA compliance programs and ensure they comply with the latest laws and regulations.

AG Is Enforcing the CCPA’s More Technical Provisions

The press release and accompanying enforcement data had one common theme: the AG cares about the technical provisions of the CCPA. Prior to this press release, many, including us, thought the AG would just be looking for obvious, low-hanging fruit. But the AG even cited the dealership for what seem to be relatively minor technical violations, such as the failure to have a designated toll-free number and a process for authorized agents to submit CCPA requests. The AG’s enforcement data revealed other common technical violations:

  1. Non-Compliant CCPA service provider contracts;
  2. Failure to link to CCPA notice in marketing emails;
  3. Failure to acknowledge and respond to request within designated time limits;
  4. Missing a clear and easy-to-find “Do Not Sell My Personal Information” link;
  5. Requiring that authorized agents provide notarized documentation; and
  6. Requiring government-issued identification for exercising rights.

AG Considers Third-Party Tracking Cookies and Exchanges of Data with Analytic Companies to Be a “Sale” Subject to Opt-Out Requirements

We have always taken this position in numerous other articles, but through their multiple enforcement actions, the AG reinforced our belief that a “sale” of information (i.e., an exchange of information for “valuable consideration”) occurs in the context of analytics and retargeting services. Since most dealerships deploy third-party tracking cookies and work with website analytics companies, this means that almost every dealership is likely “selling” information as that term is defined under the CCPA. Bottom line – make sure your clients have the required “Do Not Sell My Info” link or button on their websites.

What Should My Dealership Do Now?

The AG’s press release and enforcement data highlight that a lackadaisical or half-baked approach to CCPA compliance simply is not good enough to let businesses slide. Not only does the AG care about dealerships, but it also cares about what some would call the more “nitpicky” violations described above. With over 120 pages of text and four sets of modified regulations, the existing CCPA is becoming increasingly complex, and things are going to get even more complicated when the California Privacy Rights Act (“CPRA” or “CCPA 2.0”) goes into effect in the beginning of 2023. By now, hopefully every dealer has already implemented an online CCPA Notice at Collection and updated their Privacy Policy to start getting into compliance. Below is a checklist of some of the more non-obvious requirements that the AG has taken a keen interest in:

  • Ensure your CCPA Notice at Collection and Privacy Policy are WCAG 2.1 compliant for consumers with disabilities and that they are translated into foreign languages.
  • Document and implement processes for handling and verifying authorized agent requests. Do not require a notarized power of attorney document.
  • Post a clear and easy-to-find “Do Not Sell My Info” link or button as designed by the AG on your website. Make sure it links directly to an interactive webform.
  • Post compliant CCPA signage wherever you collect personal information in the dealership.
  • Ensure your online request form has all four request types (categories, specific pieces, do-not-sell, and deletion).
  • Do not require government-issued identification for CCPA requests. Use something like SMS texting and email verification instead.
  • Put a link to your CCPA Notice at Collection in your emails and text messages, and provide the disclosure in your pre-recorded voice messages.
  • Ensure you are responding timely to CCPA requests (fifteen business days for opt-outs and forty-five calendar days for all others).
  • Have all eligible vendors sign a compliant CCPA Service Provider Addendum in which they promise not to use consumer personal information for purposes outside the scope of your contract.
  • Use a tool to map your data across all your dealership departments to ensure your privacy disclosures are accurate and up-to-date. When you add a new vendor, make sure to update your privacy policy to reflect any new ways that consumer information is being collected or shared.

The Volkswagen-Audi Debacle: Some Takeaways

As most of us know by now, Volkswagen and its Audi subsidiary discovered that an unauthorized third party had obtained a significant amount of customer information from over 3.3 million customers. An investigation by Volkswagen confirmed that hackers identified and exploited a weakness in a third-party vendor’s security protocols. Coincidentally, this vendor, called “ShiftDigital,” is one that Volkswagen and Audi incentivized their dealerships to use. Though issues of data breach and ransomware in the oil and meat packing industries have been dominating the news recently, this is the latest to involve the automotive industry and leaves dealers rethinking their current procedures (and rightfully so). Even if you do not work with a Volkswagen or Audi dealership, we will analyze how an event like this affects all of us and outline steps to shore up dealers’ data processing and cyber security protocols.

Should Dealers Be Concerned?

The short answer is “yes.” In a concerted push to remain competitive and bring stores up-to-date with current standards, dealerships across the country have enlisted the help of hundreds of third-party vendors to help digitize and streamline their existing marketing and advertising efforts, and other standard operational processes. It is not like you can get away from them either. Not only are these vendors extremely effective, but also many automakers have required their dealers to use these vendors to remain eligible for incentive programs. These vendors often have access to your customer information through an integration (or data push/pull) with your DMS or CRM. As long as these vendors continue to do business with dealers, dealers should have proper response plans in place.

What is at stake here? Not only do these data breaches mean significant costs to the customer, but dealerships also risk taking a major financial hit in remediation efforts and harsh reputational damage, and a non-trivial level of legal liability exists at both the federal and statutory level if dealerships do not shore up their cybersecurity protocols.

Do Dealers Need to Notify Customers of the Breach if the Automaker Already Has?

Under California law, businesses must notify consumers of a data breach using a specific form where unencrypted personal information was acquired by an unauthorized person “in the most expedient time possible and without unreasonable delay.” If the breach involves more than 500 California residents, then the business must send a sample notice to the State Attorney General. Dealer counsel should verify the data breach notification requirements of their respective states, as they may vary wildly.

Here, the automaker has already notified the affected parties, and the question arises of whether or not the dealer needs to send an additional notice. First, dealerships must determine whether their customers’ data was affected by this breach, and if so, how many records were compromised. California law provides for a specific form that needs to be distributed to California residents in situations of a data breach. Unless the automaker’s notification looks significantly similar to what California requires, any breach notification that looks different would suggest that the dealer must send out an additional data breach notice to its customers. Again, dealer counsel should check the data breach notification requirements in their state.

What Is the Potential Exposure Under the GLBA?

The Gramm-Leach-Bliley Act (GLBA) only accounts for “nonpublic personal information” (NPI), which includes any personally identifiable information that a financial institution collects about an individual in connection with providing a financial product or service. With regard to the Volkswagen-Audi breach, of the 3.3 million records affected, approximately 90,000 contained NPI. The Safeguards Rule of the GLBA requires dealers to maintain a comprehensive information security system that contains appropriate safeguards given the type of NPI collected. As part of this security system, dealers must ensure contractually that the service providers they work with are also capable of maintaining these safeguards. If dealers are working with vendors that actually collect or store this NPI on their behalf, they should have a GLBA addendum as the Safeguards Rule dictates. Therefore, you may want to ensure that the dealer’s vendors, like ShiftDigital, have signed such an agreement.

What Should Dealers Do?

As it pertains to information stored on a vendor’s database, existing laws focus on the fact that vendors need to have reasonable security procedures and practices in place to protect customer information. Nothing speaks to whether or not the dealer is left “holding the bag” if a potential data breach happens on the vendor’s watch. It seems to be more of a contractual matter. (We discuss this more below.)

Given that the PI dealers collect (and are ultimately responsible for) exchanges hands so frequently and is housed in multiple databases that are outside of the dealers’ control, it is imperative that dealers have stopgaps in place to provide them some level of protection against both the financial and legal burdens of a data breach. We provide some avenues that are worth visiting (or revisiting) to start mounting a proper digital defense strategy.

1. Have the Proper Level of Cybersecurity Insurance.

There are many forms of insurance that will provide you coverage in this area, ranging from cyber extortion payments to crisis management expenses. We are by no means insurance experts and do not claim to know what kinds of insurance will be sufficient for your clients. What we do know is that if your clients do not have a strategy in place, cybersecurity insurance would be a great place to start. Both in the type of coverage and the amount insured, this form of insurance will reduce potential losses that dealerships may incur due to a cybersecurity issue.

2. Seek Additional Assurances from the Vendor.

As stated earlier, dealers are not hubs of data like Facebook, Amazon, or Google. Rather, dealers collect this PI and store it with the many vendors they use in their daily operations. From CDK and DealerSocket to AutoAlert and even ShiftDigital, each vendor collects and stores different categories of PI depending on the type of service they provide to dealerships. To add further potential exposure, other downstream vendors have access to customers’ PI through integrations with these vendor databases. With so many different repositories that store PI and the various transmissions that dealers do not have control over, vendor management is crucial to understand the type of information that is shared with vendors and with whom the information is stored so dealers can take the proper precautions to protect themselves from liability.

With the lack of legal guidance on who is held ultimately responsible if a breach should occur, it is always better to take the most conservative position possible and rely on common sense (because if it gets to that point, you will have to make common sense arguments in court). Here, a consumer would argue that they are entrusting the dealer with their personal information when they interact with the dealership, so the responsibility to protect this information would then logically fall on the dealer. Because the consumer never directly interacts with the vendors, nor would they have any contractual relationships with them, it makes sense that the dealer would be responsible for a vendor’s malfeasance or lack of security protocols that leads to a data breach.

Dealers should require vendors to sign an addendum or data processing agreement to make sure the vendors have proper security measures in place to prevent a data breach or, at the very least, provide aid to dealers if one does. Another option is for the agreements to shift data breach liability to the vendors if a breach occurs on their servers or databases.

3. Map the Personal Data Dealers Collect.

When a customer comes to the dealership, there are many things the customer could do: purchase a vehicle, service a vehicle, purchase an auto part, take a test drive, take a loaner, text a salesperson, or interact with the website. Each of these interactions can generate different kinds of PI. The ability to track this PI as it is collected from different departments within the dealership will significantly reinforce any security protocols dealers already have in place.

If your client has not yet mapped the personal data they collect or taken stock of their current vendors, now would be the most appropriate time to do it. Data breaches and ransomware are on the rise, and having a third-party company to advise dealerships through the process of managing the PI they collect, and the vendors who have access to it, will go far in showing both the customer and any state enforcement official that your dealer clients take personal data seriously.

Feeling overwhelmed? Dealers can use the services of privacy software companies, such as ComplyAuto, that help dealerships map their data, manage and track vendors, and display required disclosures. These companies also provide tools to reinforce dealerships’ existing cybersecurity protocols, such as phishing simulation software.

Disclaimer: Nothing in this article is intended to be legal advice. Please consult with competent legal counsel if you have questions regarding this article, the CCPA or its accompanying regulations.

Chris Cleveland is the co-founder of ComplyAuto and is currently the compliance director of Galpin Motors, an auto group with eleven franchises in Southern California. He has over 10 years of experience in automotive regulatory compliance, which includes issues regarding sales, finance, privacy, information security, and identity theft.

Hao Nguyen has spent his entire legal career in the automotive industry. His experience includes work with the California New Car Dealers Association, Auto Advisory Services, and KPA. While there, he provided legal support in all functions at the dealership: from sales operation and registration to service department compliance and vehicle advertising. He is currently the general counsel of ComplyAuto. 
