By Hao Nguyen, Chief Legal Officer
As was predicted, 2023 continues to be the year of data privacy as more states adopt their own personal data laws. Specifically, at the time of this writing, the governors of the states of Iowa, Indiana, Montana, Tennessee, Texas, Oregon, and Delaware have either signed or introduced bills to create their own states’ data privacy laws. This brings the total number of data privacy laws in the United States to twelve. The specific laws for each state are:
- Iowa – Iowa Data Privacy Law (“IDPL,” Senate File 262)
- Indiana – Indiana Consumer Data Protection Act (“ICDPA,” Senate Bill 5)
- Montana – Montana Consumer Data Privacy Act (“MCDPA,” Senate Bill 384)
- Tennessee – Tennessee Information Protection Act (“TIPA,” House Bill 1181)
- Texas – Texas Data Privacy and Security Act (“TDPSA,” House Bill 4)
- Oregon – Oregon Consumer Privacy Act (“OCPA,” Senate Bill 619)
- Delaware – Delaware Personal Data Privacy Act (“DPDPA,” House Bill 154)
In an attempt to not bore you with the details, we will discuss each of these new laws in very broad strokes. Specifically, we will touch on what new requirements are placed on Controllers (i.e. “Dealers”), what new rights are afforded to consumers, the penalties for violating these laws, and their respective effective dates.
As each of these dates draws nearer, we will take a deeper dive into each of the laws so that you will be well prepared to take on these new consumer protection laws. Rest assured, ComplyAuto has you completely covered in our Privacy Rights Management system, which will account for the more state-specific requirements as their respective deadlines approach. It is a brave new world we live in and we can no longer stand idly by.
Controller (i.e. Dealership) Requirements:
Requirement #1: Securing Your Data by Reinforcing Cybersecurity Protocols
States recognize that dealerships collect a wealth of consumer data and have used their personal data laws as an opportunity to require that businesses secure this information from unauthorized access. Dealerships in these states must establish, implement, and maintain reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of consumer personal data. We believe the intent of the respective authors is for dealerships to adopt security measures similar to the data protection and cybersecurity standards already required by the FTC Safeguards Rule. In other words, a dealership that genuinely fulfills the Safeguards Rule (risk assessment, access controls, encryption, MFA, monitoring, vendor oversight, and an incident response plan) will more than likely meet the threshold these laws require; a dealership that has only a written program on paper will not.
Requirement #2: Privacy Notice
Dealerships must also post a clear and reasonably accessible privacy notice that includes each of the following:
- a description of the Data Subject Access Request (DSAR) portal – more about this below;
- the categories of personal data it processes;
- the purpose for which the personal data is collected and processed;
- instructions on how consumers may exercise their consumer rights;
- the categories of personal data that are shared with third parties; and
- the categories of third parties with whom the consumer’s personal data is shared.
Delaware additionally requires that the notice include an email address the consumer may use to contact the dealer.
Requirement #3: Cookie Consent Banner
Dealerships will also need to clearly and conspicuously disclose whether they sell a consumer’s personal data or use it for “targeted advertising.” In all of these laws, “targeted advertising” means displaying advertisements to a consumer based on personal data obtained from that consumer’s activities over time and across non-affiliated websites or online applications in order to predict the consumer’s preferences or interests.
Practically speaking, this can all be easily achieved by using a cookie consent banner that blocks very specific cookies (i.e. cross-contextual behavioral advertising cookies for targeted advertising as defined above) from loading on a consumer’s device until the consumer consents.
Additionally, dealerships in these states must obtain the consumer’s consent before collecting the consumer’s “sensitive data.” The most prevalent form of sensitive data that a dealership may unknowingly collect is “precise geolocation data,” whether from website traffic or from consumers in the showroom (through their smartphones). A functioning cookie consent banner will satisfy this requirement for website visitors; collection during in-person visits will need a discussion with your advertising agency.
Requirement #4: Contracts with Data Processors
All of a dealership’s processors must sign a binding contract with the dealership that provides for each of the following:
- instructions for processing personal data,
- the nature and purpose for processing personal data,
- the type of personal data subject to processing;
- the duration of processing;
- the rights and obligations of both parties;
- cooperation with reasonable assessments (audits) conducted by the dealership; and
- contractually require subcontractors to meet the same obligations as the processor with respect to the personal data.
These contracts must also ensure that the processor is subject to a duty of confidentiality with respect to the personal data and, at the controller’s direction, the processor must delete or return all personal data to the dealership as requested at the end of the provision of services unless its retention is required by law.
Types of Requests
Under each of these laws, consumers will have the right to do each of the following:
- confirm whether or not the dealership is processing the consumer’s personal data, and access such data;
- request the dealership correct inaccurate information about the consumer that was previously provided to the dealership (other than Iowa);
- request the dealership delete personal data about the consumer;
- request from the dealership a copy or summary of the consumer’s personal data; and
- request to opt out of the processing of the consumer’s personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Time to Respond to Requests
The dealership has forty-five (45) days after the receipt of the consumer’s request to either fulfill or deny the consumer’s request. The response period may be extended by another forty-five (45) days as long as the controller informs the consumer within the initial forty-five (45) days and has a reason for the extension. The dealership must also authenticate the request using commercially reasonable efforts or it may request the consumer to provide additional information reasonably necessary to authenticate the consumer and their request.
If the consumer’s request is denied, the dealership must provide instructions for how to appeal the decision. The appeal process must be conspicuously available and similar to the process for submitting requests.
The most efficient way to fulfill this requirement is to provide a Data Subject Access Request (DSAR) portal that not only handles each of the request types above but also authenticates the requester, so that the dealership does not fulfill fraudulent requests (for example, a deletion or data-access request submitted by someone impersonating the consumer).
Oregon, Montana, and Delaware: Authorized Agents
In Oregon, Montana and Delaware, a consumer may designate another person to serve as their authorized agent and act on their behalf to submit opt-out requests. The dealership must comply with an authorized agent’s opt-out request as long as the dealership is able to properly verify the identity of the consumer and the authorized agent’s authority to act on the consumer’s behalf. Dealerships in these states must provide a clear and conspicuous link on the dealership’s website to a web page that allows the consumer, or an authorized agent of the consumer, to submit their opt-out request.
Another interesting point here is that Oregon, Montana, and Delaware treat a universal opt-out signal sent by the consumer’s browser or device settings as a valid opt-out request, just as if it had been submitted by an authorized agent, and dealerships must honor it. Meaning, dealerships’ websites must be able to detect these universal opt-out signals and respond to them accordingly.
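The following is an added example, not code from the article or from ComplyAuto, showing how a website can implement both points above in one place: the Requirement #3 banner that keeps targeted-advertising and precise-geolocation tags from loading until the consumer chooses, and the universal opt-out signal handling required by Oregon, Montana, and Delaware. It assumes that the universal opt-out signal in question is the Global Privacy Control (GPC) signal, which browsers expose to page scripts as `navigator.globalPrivacyControl` and send to servers as the `Sec-GPC: 1` request header; the tag manifest, tag names, and category labels are constructed for illustration.

```javascript
// Added example (not from the article): a consent gate for third-party tags.
// Assumptions: the universal opt-out signal is GPC (navigator.globalPrivacyControl
// in the browser, "Sec-GPC: 1" on the wire). The tag manifest below is constructed.

const AD_CATEGORY = "targeted_advertising";   // opt-out model under these laws
const SENSITIVE_CATEGORY = "precise_geolocation"; // opt-in model (sensitive data)

// Constructed sample manifest: each third-party tag declares what it does,
// so the gate can block by category rather than by guessing from the URL.
const TAG_MANIFEST = [
  { id: "site-analytics", category: "functional",       src: "https://example.invalid/analytics.js" },
  { id: "ad-pixel",       category: AD_CATEGORY,        src: "https://example.invalid/pixel.js" },
  { id: "geo-audience",   category: SENSITIVE_CATEGORY, src: "https://example.invalid/geo.js" },
];

// Client side: read the universal opt-out signal from a navigator-like object.
function readUniversalOptOut(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Server side: the same signal arrives as the Sec-GPC request header.
// Header names are case-insensitive; accept either spelling and require "1".
function readUniversalOptOutFromHeaders(headers) {
  const raw = headers["sec-gpc"] ?? headers["Sec-GPC"] ?? "";
  return String(raw).trim() === "1";
}

// Decide whether a tag in the given category may load.
//   choices: the consumer's recorded banner choices, e.g. { targeted_advertising: "allow" }
//   universalOptOut: true when the browser sent the opt-out signal
function decide(category, { universalOptOut, choices }) {
  const choice = choices[category]; // "allow" | "deny" | undefined (no choice yet)
  if (category === AD_CATEGORY) {
    // A universal opt-out signal is a valid opt-out request and overrides a
    // previously stored "allow"; with no signal, block until the consumer allows.
    if (universalOptOut) return "block";
    return choice === "allow" ? "load" : "block";
  }
  if (category === SENSITIVE_CATEGORY) {
    // Sensitive data needs affirmative consent; silence or "deny" both block.
    return choice === "allow" ? "load" : "block";
  }
  return "load"; // strictly necessary / functional tags need no consent
}

// Return the ids of the tags that may load under the given state.
function gateTags(manifest, state) {
  return manifest.filter((t) => decide(t.category, state) === "load").map((t) => t.id);
}

// Browser glue: inject only the permitted script tags into the page.
function applyGate(doc, nav, choices) {
  const state = { universalOptOut: readUniversalOptOut(nav), choices };
  for (const tag of TAG_MANIFEST) {
    if (decide(tag.category, state) !== "load") continue;
    const s = doc.createElement("script");
    s.src = tag.src;
    s.async = true;
    doc.head.appendChild(s);
  }
  return state;
}

// Only runs in a browser; the banner's consent record is assumed to live in
// localStorage under a hypothetical key "privacyChoices".
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const stored = JSON.parse(window.localStorage.getItem("privacyChoices") || "{}");
  applyGate(document, window.navigator, stored);
}
```

The point of the design is that the advertising and geolocation scripts are never present in the initial HTML; they are added only after `decide()` returns `"load"`, so no cookie from those vendors can be set before consent. Two checks worth running before an effective date: enable the GPC setting in a browser, clear cookies, load the site, and confirm in the developer tools that the ad pixel does not request and no advertising cookies appear; then repeat after clicking "accept" to confirm the tags do load and that the recorded choice survives a reload.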
Enforcement and Penalties
In Iowa, Indiana, Montana, Tennessee, Texas, and Oregon, the Attorney General has exclusive authority to enforce the respective personal data law. In Delaware, the Department of Justice has enforcement authority and may investigate and prosecute violations. In Iowa, Indiana, Tennessee, Texas, and Oregon, the AG may seek an injunction against any business that violates the law and may levy a civil penalty of no more than $7,500 per violation. Montana’s law does not set a specific penalty amount, and the Delaware bill does not state a limit per violation.
Effective Dates
The Iowa Data Privacy Law has an effective date of January 1, 2025.
The Indiana Consumer Data Protection Act has an effective date of January 1, 2026.
The Montana Consumer Data Protection Act has an effective date of October 1, 2024.
The Tennessee Information Protection Act has an effective date of July 1, 2025.
The Texas Data Privacy and Security Act has an effective date of March 1, 2024.
The Oregon Consumer Privacy Act has an effective date of July 1, 2024.
The Delaware Personal Data Privacy Act has an effective date of January 1, 2024 or 2025 (depending on when the governor signs the bill).
How to Prepare:
With the earliest effective date potentially five months away, dealerships in these states should begin thinking now about what they need to do to comply with these personal data laws. If these states are anything like those with existing laws in place, the Attorneys General will not grant businesses a significant grace period after the laws become enforceable. For example, shortly after their respective effective dates, the AGs in California and Colorado sent letters to businesses reminding them of their responsibilities and asking what they were currently doing to comply. In California’s case, a $1.2 million penalty against Sephora signaled to the rest of the Golden State that the AG is serious about consumer privacy.
ComplyAuto has built a multi-state solution to meet each of these comprehensive requirements. If you are interested in achieving full compliance with the laws in your state, please contact us at firstname.lastname@example.org for more information.
This article should be used as a compliance aid only and though its accuracy has been made a priority, it is not a substitute for professional legal advice. Each dealer should rely on their own expertise when using it.