From Chris Cleveland, Compliance Director for Galpin Motors and Co-Founder of ComplyAuto Privacy
On July 19, 2021, California Attorney General (AG) Rob Bonta announced several enforcement actions relating to the California Consumer Privacy Act (CCPA), the nation’s toughest privacy law, and urged more Californians to take advantage of their new rights. To many peoples’ surprise, a California dealership-manufacturer made it to the top of the Attorney General’s list of offenders.
The AG’s press release, which did not identify the name of the dealership, cited that the business “failed to notify consumers of the use of personal information when collecting personal information from consumers seeking to test drive vehicles at a dealership location, in addition to other omissions in its privacy policy.” The AG’s more detailed enforcement data showed that the dealership was also cited for failing to have a process for authorized agents to submit requests, not having a toll-free number for CCPA requests, and not providing an in-person notice at collection.
The AG also announced a new “snitch” tool where consumers can easily report businesses that violate the CCPA and draft their own notices of violation. The AG even urged consumers to report businesses who do not have a clear and easy-to-find “Do Not Sell My Personal Information” link on their homepage. Let’s break down the press release and accompanying enforcement data and what it means for dealers.
Every Dealer Should Start Taking the CCPA Seriously
The AG thought it was important enough to make an example out of the automotive industry and listed the dealership enforcement action as the first example in their press release. Dealerships and manufacturers are likely on the AG’s radar due to the vast amount of information they collect and share with service providers and other third parties, including sensitive personal information collected as part of test drives and vehicle financing. The new online tool for reporting violations will also make it much easier for consumers to report offending dealers. As such, dealerships must take a closer look at their CCPA compliance program and ensure it complies with the latest laws and regulations.
The AG is Even Enforcing the CCPA’s More Technical Provisions
The press release and accompanying enforcement data had one common theme – the AG cares about the technical provisions of the CCPA. Prior to this press release, many thought the AG would just be looking for obvious, low-hanging fruit. But the AG even cited the dealership for technical violations, such as the failure to have a designated toll-free number and process for authorized agents to submit CCPA requests. The AG’s enforcement data revealed other common technical violations:
1. Non-Compliant CCPA Service Provider Contracts.
2. Failure to link to CCPA notice in marketing emails.
3. Failure to acknowledge and respond to request within designated time limits.
4. Missing a clear and easy-to-find “Do Not Sell My Personal Information” link.
5. Requiring that authorized agents provide notarized documentation.
6. Requiring government-issued identification for exercising rights.
The AG Considers Third-Party Tracking Cookies and Exchanges of Data with Analytic Companies to be a “Sale” Subject to Opt-Out Requirements.
We’ve talked about this in numerous other articles, but through their multiple enforcement actions, the AG reinforced their position that a “sale” of information occurs even when there is simply an exchange of information for “valuable consideration” such as that provided in the context of analytics and retargeting services. Since most dealerships deploy third-party tracking cookies and work with website analytics companies, this means that almost every dealership is likely “selling” information as that term is defined under the CCPA. Bottom line – make sure you have the required “Do Not Sell My Info” link or button on your website.
What Should My Dealership Do Now?
If nothing else, the AG’s press release and enforcement data highlights that a lackadaisical or half-baked approach to CCPA compliance simply isn’t good enough. Not only does the AG care about dealerships, it cares about what some would call the more “nitpicky” violations described above. With over 120 pages of text and four sets of regulations, the CCPA is becoming increasingly complex, and things are going to get even more complicated when the California Privacy Right Act (CPRA or “CCPA 2.0”) goes into effect in 2023. By now, hopefully every dealer has already implemented an online CCPA Notice at Collection and Privacy Policy. However, below is a checklist of some of the more non-obvious compliance requirements that the AG has taken an interest in:
· Ensure your CCPA Notice at Collection and Privacy Policy are WCAG 2.1 compliant for consumers with disabilities and that it is translated into foreign languages.
· Document and implement a process for handling and verifying authorized agent requests. Do not require a notarized power of attorney document.
· Post a clear and easy-to-find “Do Not Sell My Info” link or button as designed by the Attorney General on your website. Make sure it links directly to an interactive webform.
· Post compliant CCPA signage wherever you collect personal information in the dealership.
· Ensure your online request portal has for all four requests types (categories, specific pieces, do-not-sell, and deletion.
· Do not require government-issued identification for CCPA requests. Use something like SMS (text-code) and email verification instead.
· Put a link to your CCPA Notice at Collection in your emails, pre-recorded voice messages, and text messages.
· Ensure you’re responding timely to CCPA requests (15 business days for opt-outs and 45 calendar days for all others).
· Have all eligible vendors sign a compliant CCPA Service Provider Addendum where they promise not to use consumer personal information for purposes outside the scope of your contract.
· Use a tool to map your data across all your dealership departments to ensure your privacy disclosures are accurate and up-to-date. When you add a new vendor, make sure to update your privacy policy to reflect any new ways that consumer information is being collected or shared.
Overwhelmed? Dealerships should seriously consider using a tool like ComplyAuto to help automate compliance with these complex rules and regulations. It is difficult to comply with, let alone remember, all of these requirements. Just like software helps most dealers comply with complex rules like the Red Flags and Credit Score Disclosure Rule, technology can make CCPA compliance much easier. ComplyAuto also offers the industry’s only Compliance Guarantee and the software is already being used by over 350 California dealers.
Chris Cleveland is the Compliance Director for the Galpin family of dealerships and is also the CEO and Co-Founder of ComplyAuto Privacy, a software company that helps dealers automate the complexities of the CCPA. Visit complyauto.com/ccpa for more information.