Disclaimer: This content is informational only and should not be taken as legal advice in regard to the California Consumer Privacy Act.
Data is at the core of any business, especially in the auto industry. It’s not uncommon for car dealers to collect sensitive customer info at numerous stages of the buying journey, from financing to warranty management. But most are not thinking about data security on a day-to-day basis. Data breaches are an unfortunate fact of tech life: 2018 was the second most active year for data breaches, with over 5 billion records exposed.
On January 1, the California Consumer Privacy Act (CCPA) will go into effect. At this year’s Navigate conference, Spurti Kanekar—Director and Corporate Counsel for CarGurus—presented a deep dive on the CCPA and what it means for car dealers across the U.S. Her talk was a highlight of Navigate and is a must-see for dealers in California and beyond as we sneak closer to 2020.
What is CCPA?
The California Consumer Privacy Act was signed into law in 2018 and goes into effect January 1, 2020. This law was created to protect the data privacy of California residents. The law is also a likely stepping stone to future national privacy laws. Under the law, consumers have the right to force companies to tell them what personal information is being collected about them and to forbid those companies from selling that information to third parties. The five specific rights consumers have under the CCPA are:
- The right to know what personal information is being collected and if that information was sold
- The right to request a copy of the specific information collected about them during the 12 months before the date of their request
- The right to have that personal information deleted
- The right to request that their personal information not be sold to third parties
- The right not to be discriminated against because they exercised their new rights
Does CCPA apply to my business?
The key question for auto dealers operating outside of California is whether the CCPA applies to them at all. The CCPA applies to a business, or for-profit entity, that collects consumers’ personal data through a website available to California residents or through a physical presence in California, and that either:
- Has more than $25 million in annual gross revenue
- Possesses personal data on more than 50,000 California consumers, households, or devices; or
- Earns more than half of its annual revenue from selling consumers’ personal information
How to address CCPA
If your dealership meets one of the three criteria, you have a legal obligation to comply. But beyond the legal obligation, there are other reasons to comply. Complying creates a reputation of trust for your dealership. It can also help you create smarter solutions for optimizing your data while still adhering to the rules. In order to comply, there are a handful of things you need to do.
- Complete data mapping: Map your data to figure out how you collect it, where it lives, and how it travels. When a consumer requests that you stop sharing their data, you will need to identify all the appropriate information on the back end. If you do your data mapping, you know exactly where the data flows, so you can stop sharing the right information.
- Manage your third-party vendors: Educate your vendors on how to treat the personal information you share with them. Execute data processing agreements with your vendors and add in information about CCPA to any existing agreements.
- Train your staff: Even if you have tools and processes in place, you’re not prepared if your staff doesn’t know how to use them. Train your employees on the tools and processes that keep personal information safe and on how to respond to CCPA-related requests.
Want more information about how CCPA will affect your dealership? This recent AutoNews article includes even more insights from Spurti Kanekar.