California Adopts Major CCPA Regulatory Changes: What Dealers Need to Know

At its July 24, 2025 meeting, the California Privacy Protection Agency (CPPA) Board approved substantial updates to the California Consumer Privacy Act (CCPA) regulations. While some notable provisions, such as Automated Decision-Making Technology (ADMT) rules and new risk assessment obligations, will become effective in 2027, numerous critical updates will become effective very soon and require automotive dealerships’ immediate attention and action to maintain compliance. Here is an overview of some of the significant changes that will become effective first.

1. Expanded Notice and Consent Requirements

One major update involves clearer guidelines on consumer notices and consent procedures. The CPPA clarified that dealerships must prominently display the CCPA “Do Not Sell or Share My Personal Information” link on every webpage where personal information is collected, not just the homepage. Given the variety of personal data collected via dealer websites—including vehicle inquiries, financing applications, and service scheduling—dealers should thoroughly audit their websites to comply with this requirement.

The updated regulations also clarify consent practices, especially regarding cookie banners. Visually misleading designs intended to influence user choices, such as emphasizing acceptance options or using distinct colors, are expressly prohibited. The regulations also confirm that closing or ignoring the banner does not count as user consent. Additionally, architecture that creates a false sense of urgency or otherwise prevents informed and voluntary decisions is prohibited.

Furthermore, the regulations prohibit bundling privacy disclosures with unrelated terms of use because this practice undermines informed consent. General acceptance of a terms of use through cookie banners or similar mechanisms is insufficient to obtain consent or make privacy-related disclosures; instead, cookie banners should clearly detail personal information usage and link directly to a specific, compliant privacy policy.

Dealerships must immediately review and update their cookie consent practices and privacy policies.

2. New Requirements for the Notice of Right to Limit

The current CCPA regulations require that businesses provide consumers with a notice of right to limit the use of their sensitive personal information as an online link, either on its own or via the alternative opt-out link. The updated regulations specify that businesses must deliver the notice of right to limit sensitive personal information using the same methods they use to collect it—such as phone calls or in-person interactions. Dealers should therefore integrate this notice into their existing collection practices, such as adding it to showroom notices and including it at the start of telephone conversations.

3. Clarified Disclosure and Contractual Requirements

The updated regulations require businesses to provide clearer disclosures about third parties and service providers that receive or provide personal information. The regulations state that the categories of these sources must be described in a manner that provides consumers a meaningful understanding of where the information is collected or to whom the information is sold or shared, as applicable. Dealers can no longer use vague terms like “third parties” or general categories. Instead, privacy policies must clearly identify specific recipient categories, such as manufacturers (OEMs), finance companies, or marketing vendors. 

The updated regulations also make clarifications regarding the required contractual language that businesses must have in place with third parties. Dealerships must also review and update their contractual language with third parties and service providers to comply with new requirements. Given recent enforcement actions, dealerships should ensure these contracts contain precise, compliant language to avoid regulatory scrutiny.

4. Stricter Consumer Request Processing

The updated regulations introduce additional complexity around processing consumer privacy requests, particularly concerning sensitive information such as Social Security numbers and driver’s license details. Dealerships must now allow consumers to verify sensitive personal data either through secure electronic means or via toll-free phone verification. These enhanced verification requirements could pose significant operational challenges unless dealerships employ efficient, compliant verification processes and trained personnel. 

5. Enhanced Third-Party Communication Obligations

The new regulations confirm that dealerships must explicitly notify all downstream third parties of consumer opt-out requests. This requirement highlights the necessity of robust internal tracking systems to accurately document and manage data-sharing practices and consumer preferences. Dealerships need to ensure systems are in place to automate and document these notifications reliably.

6. Recognition of Opt-Out Requests 

The updated regulations reaffirm dealerships’ obligations to recognize and honor Global Privacy Control (GPC) signals, explicitly requiring websites to communicate clearly when these consumer requests have been processed and honored.

Websites must also confirm processing of consumer opt-out requests not initiated via GPC. This can be achieved by displaying an “Opt-Out Request Honored” message and updating consent toggles or buttons accordingly. Dealerships using outdated consent management systems must upgrade to effectively acknowledge both GPC signals and consumer opt-outs, highlighting the necessity of a properly configured consent banner and privacy settings portal.

7. On-Premises Compliance Enhancements

Dealerships must also be attentive to the updated guidelines regarding physical signage and on-premises practices related to sensitive personal information collection. Dealers will need to update signage to clearly notify consumers of their rights to limit the use of sensitive personal data, aligning on-site communication strategies with online compliance practices.

8. Stay Tuned for Information on Other Updates 

The updated regulations also introduce significant new obligations, including the requirement for businesses to conduct privacy risk assessments when processing personal information that poses substantial privacy risks. Examples include the sale or sharing of personal information, processing of sensitive data, or using automated decision-making technology (ADMT) for important consumer decisions. Additionally, the regulations establish new consumer rights regarding ADMT and add cybersecurity audit requirements for businesses and service providers.

These particular requirements will become effective beginning January 1, 2027, with a staggered implementation timeframe. Dealers should therefore prioritize addressing the updates taking effect sooner. ComplyAuto will provide further guidance on these upcoming requirements to ensure dealerships are well-prepared. However, dealerships should be aware that the obligations effective in 2027 are extensive, involving measures comparable to the GLBA’s reporting and security mandates, and will require additional steps beyond current CCPA compliance practices.

How ComplyAuto Helps Dealers Stay Ahead

These comprehensive regulatory updates pose significant challenges for dealerships, requiring precise and sophisticated compliance solutions. Not to worry, ComplyAuto has you covered. ComplyAuto offers tailored compliance tools specifically designed for the automotive industry, enabling dealers to manage privacy compliance effectively. With advanced consent management systems, precise consumer disclosures, robust opt-out processing, and automated third-party notifications, ComplyAuto helps dealerships remain fully compliant, efficiently navigating this evolving regulatory environment. Schedule a demo to learn more.
