Privacy regulations and legislation are topics that continue to be of concern for many auto dealers. News of data breaches, data vulnerabilities, and compromised private information is released almost daily from businesses both small and large.

No dealership is exempt from risk. The federal government has yet to propose a national privacy bill. Several states, including Virginia, Vermont, Colorado, and New Jersey, have introduced related privacy regulations recently.

California set themselves apart with the adoption of the California Consumer Privacy Act, which gave citizens the rights to not only protect their own data, but to obligate businesses to disclose exactly which information has been collected about them.

Vermont recently implemented a law regulating data broker companies that buy and sell personal information. Brokers must now disclose what information they collect as well as allow customers to opt out of collection. Furthermore, consumers can sue data brokers if they sell any information that causes illegal discrimination.

A similar law proposed in Colorado is somewhat broader yet specifically manages personal identifying information. Individual states seem to be leading the way for data privacy regulation discussions. For dealers who purchase consumer information, this should be of concern.

International regulations have also played a significant role in the privacy discussion, specifically following enforcement of the European Union’s General Data Privacy Regulation.

These regulations have certainly contributed to the movement towards consumerism and prompted dealers in the United States to rethink data collection and management, considering how violating these regulations could adversely affect their business and brand. Many dealers are asking themselves, “Am I liable and governed by the legislation in the EU?” For many, the answer is yes.

Since the introduction of the CCPA, several U.S. senators have proposed policy options for national legislation on data security and privacy. Proposed bills have had a GDPR-like flavor that is similar in scope to the international regulation. If the U.S. were to adopt similar regulatory standards, dealerships that handle personal data would need to build systems that include data protection by design and default.

Regardless of dealership size, the magnitude of data collected, shared or mismanaged is more concerning considering the sensitivity of private information dealerships are entrusted to protect. As the conversation around regulation increases, there has been much talk about what a national privacy law might look like — and how state regulations would affect dealers doing business across the U.S.

At the forefront of privacy-related issues are very visible and widely used “big tech” providers. These big companies have demonstrated some interest in getting ahead of new regulations by drafting and proposing regulatory standards themselves — possibly because there is a monetary desire for bills written on their terms, rather than abiding by laws passed in Washington.

In conclusion, states will likely continue to pave the way for privacy regulations. Until formal national legislation is adopted, and voters see these initiatives on their ballots, states will continue to implement their own forms of data protection. Problems will continue to rise for businesses as states implement their own laws that non-regulated states must abide by. A national privacy law could make this transition easier.

Matt Dumiak is director of privacy services, customer engagement compliance at CompliancePoint, where he is focused on U.S. and international direct marketing compliance regulations. Contact him at matt.dumiak@bobit.com.