From CCPA to CPRA 

Everything You Need to Know About the Updated CA Data Privacy Regulations

Beginning on January 1, 2023, the California Privacy Rights Act (CPRA) will modify the California Consumer Privacy Act (CCPA) quite significantly. The two most notable changes are that the business-to-business exemption is gone and the definition of “consumer” has expanded to include employees and job applicants. Expanding coverage to employees and job applicants has always been available, but the other changes, which are just as important, will require more significant updates in our software, which we will go through below. 

It is important to note that at the time of this writing, the new regulations have not yet been published and can change significantly…or not (such is California, unfortunately). In any event, you should rest assured through the holidays knowing that we’ve got you covered. All of the updates to our software noted below will take effect automatically in the new year.



    1.  Modified: Can no longer require state registration in “Authorized Agent” requests.

    Legal Update: Businesses can no longer require that an “authorized agent” be registered with the California Secretary of State.

    ComplyAuto Software: The Data Subject Access Request (DSAR) portal placed on your website will be updated to remove this field as a requirement before sending the request. 


      2. New: “Disproportionate effort” as a reason to decline certain requests.

      Legal Update: A business can claim “disproportionate effort” to decline certain consumer requests if the time and resources expended to respond to the request outweighs the reasonably foreseeable impact to the consumer by not responding. In order for a business to claim “disproportionate effort,” it must already have in place adequate processes and procedures to receive and process requests in accordance with the CCPA and its accompanying regulations.  

      ComplyAuto Software: This new exception will be added to the software for certain request types.


        3. New: Consumer correction of inaccurate information. 

        Legal Update: Consumers now have the right to request that a dealer correct inaccurate information about them. Not only will the dealer have to do this, but the dealer will have to notify all downstream Service Providers of any corrections. 

        ComplyAuto Software: The DSAR portal placed on your website will be updated with this new correction request and the notification of Service Providers will be completed automatically. 


          4. New: Foreign language translations of disclosures.

          Legal Update: All CCPA/CPRA disclosures must be translated into foreign languages commonly used at the dealership. 

          ComplyAuto Software: The DSAR portal placed on your website will be updated to support five languages – Spanish, Korean, Tagalog, Chinese and Vietnamese – in accordance with census data and other California laws. 


            5. Modified: “Dark pattern” designs prohibited. 

            Legal Update: “Dark patterns” describe a user interface that was crafted by the author to trick or manipulate the user either to encourage or discourage certain behavior. In an effort to curb “dark patterns” as it relates to sharing personal data, the CPRA puts in place design parameters around the cookie banner to make it clearer for consumers.  

            ComplyAuto Software: The ComplyAuto cookie banner will now have an “Accept” and “Decline” button in the same size and color to fulfill these new requirements. 


              6. New: Expanding the definition of “opt out”

              Legal Update: The “opt out” of selling data now extends to the “sharing” of information for the purpose of cross-context behavioral advertising or retargeting ads. 

              ComplyAuto Software: The Notice at Collection, privacy policy, and DSAR portal placed on your website will be updated with new disclosures to inform consumers of this right. 


                7. Modified: Disclosures requirements 

                Legal Update: There are various new disclosure requirements in the Notice at Collection and privacy policy. 

                ComplyAuto Software: All privacy policies provided to our clients will be updated on January 1, 2023. 


                  8. Modified: Standardized opt out signals.

                  Legal Update: Dealers must now honor all standardized opt out signals in addition to Global Privacy Controls (GPC). New disclosures are required to notify the consumer that the various signals have been honored.

                  ComplyAuto Software: Cookie banners will be updated to support these standard and popular formats for opt out signals and their associated disclosures. 


                    9. New: Opt out of specific use of “sensitive information”

                    Legal Update: Consumers now have the right to opt-out of the use and disclosure of certain categories of “sensitive information” for the purpose of inferring characteristics about consumers. For example, geo-targeting and geofencing can give precise geolocation data that businesses can use to infer whether someone has shopped at a competitor or where they live. Using other sensitive information, such as Social Security Numbers (SSN), biometric data, government-issued ID numbers, bank account numbers, and health information, is also subject to this right.

                    ComplyAuto Software: The DSAR portal placed on your website will be updated to block geolocation data tracking if the consumer exercises this right. In the Vendor Management System, dealers can identify on a per-vendor basis whether or not sensitive information is being collected and used in this way. The Notice at Collection and privacy policy will be updated with new disclosures to inform consumers of this right. 


                      10. New: A “Your California Privacy Rights” button. 

                      Legal Update: A new button and link titled “Your California Privacy Rights” will replace the “Do Not Sell My Personal Information” link for those Dealers who both “sell” and “use sensitive data” as those terms are defined under the CCPA. The button must be conspicuously displayed on the website and in the footer of the site.

                      ComplyAuto Software: The new button and link will be changed in the banner and in other applicable disclosures. This should be a welcomed change for dealers as it removes the “do not sell” language. We will also add a footer with the required language. 


                        11. Modified: Notify “Third Parties” of deletion requests.

                        Legal Update: Upon receiving (and subsequently fulfilling) a consumer’s deletion request, dealers must now notify all vendors of the deletion request and not just the “Service Providers.” The dealer must manually delete the data if possible. If not, the vendors must be notified with a specific legal notice. 

                        ComplyAuto Software: All “Service Providers” and “Third Parties” will be notified of fulfilled deletion requests.


                          12. Modified: Notify “Third Parties” of opt out requests.

                          Legal Update: Upon receiving (and subsequently fulfilling) a consumer’s opt out request, dealers must now notify all downstream “Third Parties” regardless of when the personal information was last shared. There are also specific disclosure requirements pertaining to these notifications.

                          ComplyAuto Software: All “Third Parties” will be notified of fulfilled opt out requests and new legal disclosures will be added to these notifications.

                            13. Modified: Service Provider CCPA addendum updated.

                            Legal Update: “Service Providers” must sign a new CCPA addendum that lists the specific “Business Purposes” (as defined by the CCPA) for which the “Service Providers” use or process the dealer’s data. This contract also places new restrictions and obligations regarding the use of the data. Dealers must now regularly assess the “Service Providers” compliance with those obligations.

                            ComplyAuto Software: The CCPA addendum will be revised and the prior version will be voided. A new assessment for Service Providers will be made available to show annual compliance with the terms of the contract. 

                              14. New: Third Party CCPA addendum required for if they “sell” data.

                              Legal Update: Now, a “Third Party” to whom the dealer “sells” data has to sign a specific CCPA addendum. This includes OEMs. The contract contains specific provisions as required by new CPRA regulations. 

                              ComplyAuto Software: A new template has been added for Third Parties to whom the dealer “sells” data. The software will automatically determine which vendors will need to sign this contract. 

                                15. Modified: Employee training.

                                Legal Update: Applicable employees will need to be trained on these new CPRA laws and regulations. 

                                ComplyAuto Software: The CCPA training course will be updated with new course content to meet this requirement. 

                                Leave a Reply

                                Myths & Misconceptions About the Revised FTC Safeguards Rule
                                All Cookies are Not Created Equal: FTC Cracks Down on Targeted Advertising Without User Consent

                                We want to enroll our employees in preventative training to prevent BAR citations and fines.

                                We received a citation or disciplinary action and need to take remedial training.

                                Mock OSHA Assessment


                                • On-demand eight-hour assessment that imitates a real OSHA audit.
                                • Conducted by an EHS Pro with OSHA-10 or OSHA-30 certification and 5+ years of experience. 
                                • Simulated employee interviews
                                • Issue tracking and task management
                                • Detailed assessment reports after the assessment with images, videos, and recommended steps for remediation.

                                  Privacy & Cyber Compliance Suite


                                  • Custom legal policies with real-time updates, including the Information Security Program (ISP)
                                  • Customized Incident Response Plan (IRP)
                                  • Internal risk assessment tools and hands-on guidance
                                  • Biannual penetration testing (2) 
                                  • Biannual vulnerability scans (2)
                                  • Employee security awareness training and completion tracking
                                  • Extensive vendor management library – hundreds of vendor-completed GLBA contracts & risk assessments
                                  • Device & systems inventory automation and mapping tools
                                  • Unlimited industry-specific internal phishing simulations to train staff
                                  • Complete 50-state privacy compliance required by your state (CA, CO, CT, DE, IA, IN, MT, OR, TN, TX, UT, VA)
                                  • Website cookie consent banners and unique consumer privacy request portals
                                  • Annual report to the Board of Directors generated every year
                                  • Compliance Guarantee

                                    CPR/AED Certification


                                    • Instruction provided by Certified American Red Cross Instructors.
                                    • Practical, hands-on training sessions to practice CPR and AED techniques
                                    • Proper automated external defibrillator (AEDs) instruction and operation
                                    • American Red Cross exam and certification
                                    • Access to study materials, manuals, and resources for continued education and reference.
                                    • Available for organizations and groups, allowing for tailored training sessions.

                                    HR Fundamentals


                                    • Customized policy builder with real-time updates
                                    • E-sign functionality for required employee policies 
                                    • Online HR training with employee completion tracking
                                    • State-specific policies and training
                                    • Employee management tool
                                    • Training and policies include Workplace Violence, Active Shooter, IT and Electronic Device Use, Biometric Data Privacy, Sexual Harassment, and more 
                                    • HR Fundamentals access is included with any other ComplyAuto product

                                      Encrypted Messaging


                                      • Encrypt SMS text and email messaging among staff, clients, and customers when sending and receiving files
                                      • Track usage and detect violations in real-time
                                      • Advanced security features include auto-deletion of files, Multi-Factor Authentication protection, IP safelisting, and domain blocklisting
                                      • Supports compliance with various state and federal regulations and recognized industry standards: GLBA, HIPAA, SOC 2, ISO 27001, NIST, CIS Controls, SEC

                                        Safety Compliance Suite


                                        • Concierge on-site onboarding 
                                        • On-demand safety walkthroughs conducted by experienced EHS Pros at various intervals – once, twice, or four times per year
                                        • Comprehensive Online Training Library and employee progress tracking
                                        • Automated 50-State Legal Injury & Illness Reporting
                                        • Policy Builders with Automatic Updates
                                        • Simplified SDS Creation and Management
                                        • Guided risk mitigation
                                        • Signage builder & tracking
                                        • Efficient equipment inspections with QR Codes
                                        • Tier 1 Spill Prevention Control and Countermeasure Plan 
                                        • Automated Tier 2 environmental reporting for all 50 states 
                                        • Unlimited one-on-one support from our dedicated team
                                        • Workplace Violence and Active Shooter Policy and Training
                                        • Unlimited one-on-one support from our dedicated team
                                        • Automated Tier II environmental reporting for all 50 states.

                                          EduTech Course 3

                                          Program to Fulfill AG Disciplinary Order - $299/student

                                          The California AG routinely penalizes facilities that violate these laws and requires them to perform specific remedies while on probation. One of these remedies requires the ARD to take a course that outlines the laws and regulations of the Automotive Repair Act. This program fulfills the requirement.


                                          • Comprehensive online course about the Automotive Repair Act

                                          • Access to training materials anytime (24/7/365)

                                          • Comprehensive companion manual to the training material

                                          • Quizzes and final exam to track engagement and learning ability

                                          • Certificate generated upon completion

                                          EduTech Course 2

                                          Remedial Training and Attorney General Disciplinary Order - $299/student

                                          The Bureau of Automotive Repair (BAR) has allowed violating automotive repair dealers to take a remedial training program in lieu of having their information posted on a public website. Additionally, automotive repair dealers are required to take a training course as part of the California Attorney General’s disciplinary order. 

                                          This course fulfills both of these requirements.

                                          Created by California attorneys with over 35 years of combined experience in the automotive repair industry, this course is the only course on the market that is taught by instructors who are certified by the BAR.


                                          • Comprehensive online course about the Automotive Repair Act
                                          • Instruction by providers certified by the BAR
                                          • Access to training materials anytime (24/7/365)
                                          • Comprehensive manual that is a companion to the course
                                          • Quizzes and final exam to track student engagement and information retention
                                          • Certificate generated upon completion
                                          • Automated notification to the Bureau of Automotive Repair, if applicable


                                          EduTech Course 1

                                          Automotive Repair Act Certification Training - $49/month per rooftop

                                          With new regulations giving the Bureau of Automotive Repair (BAR) more authority to find violations and enforce citations upon repair facilities, it is now more important than ever to make sure your staff is knowledgeable about the Automotive Repair Act. Protect your repair facility from BAR scrutiny by enrolling into EduTech’s Automotive Repair Act Certification Training. This is the only training in California that is approved by BAR. 

                                          “Evidence of voluntary participation in retraining [of]…employees” as a mitigating factor. – Guidelines for Disciplinary Orders and Terms of Probation, BAR

                                          BAR has allowed retraining to be a “factor in mitigation” when investigating a repair facility. Therefore, as a preventative measure, it is strongly recommended that all technicians and service writers enroll into this course to show the BAR that you acknowledge and understand these rules before any investigation ever occurs. 

                                          All students enrolled in this product will be eligible for our “EduTech Guarantee” which financially protects repair facilities from enforcement by the Bureau of Automotive Repair. For more information, please visit our Terms of Service.


                                          • Online training course about the Automotive Repair Act
                                          • Only training course that is approved by BAR
                                          • Access to training materials anytime (24/7/365)
                                          • Quizzes and final exam to track student engagement and information retention
                                          • Certificate generated upon completion


                                          • Lower risk of BAR scrutiny by standardizing correct practices
                                          • Increased customer satisfaction
                                          • Establishes good faith efforts and may avoid BAR citation and fine
                                          • Professional development for service writers and technicians
                                          • Eligibility for the EduTech Guarantee

                                          Students enrolled in this product will also have complimentary access to HR training materials and policy builders. Topics include:

                                          • Sexual harassment (supervisory and non-supervisory)
                                          • Active shooter
                                          • Workplace violence
                                          • Social media use
                                          • Biometric data (timekeeper or key lockbox)

                                          F&I Compliance Suite

                                            • Precise Deal Jacket Audits to identify and address real-world F&I compliance issues accurately.
                                            • Focused Compliance on specific F&I compliance concerns such as Fair Lending Compliance Solutions, California Litigation, Vehicle Safety Recalls, Used Vehicle History, FTC Buyers Guide & Federal Warranty Disclosures, 
                                            • Automated EZ Cash Reporting & Anti-Money Laundering with IRS Reporting 
                                            • Spot Delivery & Unwind Management
                                            • Real-Time Issue Identification Quickly detect compliance gaps and issues, enabling swift corrective action and risk mitigation.
                                            • Online F&I Compliance Training 
                                            • Compliance Guarantee

                                              Device & Email Security


                                              The combined features create a dynamic defense system that adapts to evolving cybersecurity threats and secures the organization's digital ecosystem.

                                              • Continuous threat detection and response powered by Coro:
                                                • EDR (Endpoint Detection and Response) 
                                                • MDR (Managed Detection and Response) 
                                                • 24/7 Security Operations Center team
                                                • Swift response and alert to potential security breaches
                                              • Enhanced authentication and access control via Multi-factor Authentication (MFA) powered by Duo Security™
                                              • Advanced email security to shield e-threats such as phishing, malware, spam, and scams – integrates with Google Workspace & Microsoft Office 365.
                                              • Data governance and Data Loss Prevention (DLP)  detect and manage employee data-sharing practices. 
                                              • Device-level encryption for Windows and macOS
                                              • Public & unencrypted wifi blocking
                                              • Next-gen antivirus
                                              • Automated password policy and session locking enforcement