The CCPA and You: Updates Dealers Need to Know

It has been said that, while attending a cocktail party in California, a Google employee stated the following to Alistair Mactaggart: “If people just understood how much we knew about them, they’d be really worried.” Mactaggart, a real estate developer in California, then began contemplating the issue that has been consuming news articles the past few years: privacy in a digital world.

Between the European Union’s General Data Protection Regulation going into effect in May and the Cambridge Analytica scandal having consumed everyone’s attention throughout the spring, privacy has become an inescapable topic. Mactaggart’s main question is this: In a world where most people have no choice but to have a phone or computer, how can they maintain control over their personal data to ensure it stays personal?

With all that in mind, he worked to develop a privacy initiative addressing these issues focusing on transparency, control, and accountability. These three principles form the basis of the California Consumer Privacy Act, a ballot initiative created by Californians for Consumer Privacy. The outcome will have profound implications for auto dealers in the Golden State and beyond.

What Is the CCPA?

The California Consumer Privacy Act provides consumers with three fundamental rights:

• The right to know what personal information is being collected.
• The right to know what personal information is being sold or shared with third parties — as well as the identity of those third parties.
• The right to request that their personal information no longer be sold (i.e., the right to opt out).

In addition to honoring the consumer rights listed above, businesses would be required to provide notice via the privacy policy regarding whether personal data is sold and instructions to opt out of the selling or sharing of this data. Further, businesses must allow consumers to exercise their right to opt out through, at a minimum, two methods, including a toll-free number and a URL. Should a consumer exercise one of the rights listed above, businesses would be required to respond within 45 days of the request.

What Does This Have to Do With Me?

As originally crafted, the CCPA would have applied to any business, regardless of location, that earns $50 million in revenue per year, sells 100,000 consumer records in a calendar year, or makes 50% of its annual revenue from selling personal data. This broad sweeping scope should be familiar to those responsible for ensuring readiness for the GDPR and its applicability to organizations outside the EU.

What’s the Status?

It should come as no surprise to anyone that the California legislature passed — and Gov. Jerry Brown has signed — amendments to the CCPA. Having previously been a ballot initiative, one of the main drivers to get the CCPA passed as traditional legislation was to allow the law to go through the standard legislative process as opposed to the previous ballot initiative. This would have made the law difficult and arduous to amend.

First, the legislature gave the California attorney general’s office some additional time to develop the implementing law. Lawmakers also pushed back the enforcement date by up to six months, which will be no later than July 1, 2020 — for now. While the enforcement date could be set before July 1, 2020, we will have to wait and see when the regulation is implemented by the AG. Dealers should be preparing to be compliant by Jan. 1, 2020, and be standing by for enforcement by July 1, 2020.

What’s the Penalty for Noncompliance?

The amendments add some language around the fine amounts, adjusting them up to $7,500 per intentional violation. Along these lines, the legislature also removed the requirement to notify the state AG within 30 days of filing an action against a company. This used to give the AG the power to approve or dismiss the action right out of the gate.

The amendments also provide more clear exemptions to the CCPA surrounding the previously nebulous exemptions regarding personal data and the GLB, HIPAA, and DDPA, which should help companies that are impacted by those regulations scope out some of the personal data within their environment. Keep in mind, however, that these exemptions should be reviewed carefully and applied after thorough analysis.

Last but certainly not least, the amendments updated the notice requirements around the right to be deleted. This move was intended to provide businesses some freedom regarding where the disclosure is made, stating it should be made in a reasonable place for the consumer and provided clarification around preemption of the law and the U.S. constitution.

What’s Next?

As mentioned, it is no surprise that amendments were made to this regulation. We will continue to monitor for future amendments that are likely to occur.

To make the appropriate notice disclosures and honor the right to access, deletion and sale of personal data opt-out, companies must be intimately aware of the personal data processed within their environment and how the personal data is sold and shared for business purposes. This is not a task that can be accomplished overnight, and you must begin working to determine whether and how this regulation applies to you and begin planning to ensure compliance.

Matt Dumiak is director of privacy services, customer engagement compliance at CompliancePoint, where he is focused on U.S. and international direct marketing compliance regulations.