New Privacy Law Speeds Down the Highway: Implications of the California Consumer Privacy Act for Automotive Dealers

This new law will apply to any business with at least $25 million in annual revenue, any business that handles information from more than 50,000 individuals, or any business that derives more than 50 percent of its annual revenue from selling consumer personal information. Critically, most of the privacy rights discussed herein will not apply to those businesses that collect personal information for a single one-time transaction, so long as the business refrains from selling or otherwise using such information to re-identify consumers.

Several changes to the law are anticipated between now and January 1, 2020, as industry groups are currently lobbying to further dilute the bill. However barring any major changes, these are the Top 4 operational impacts that are likely to affect the automotive industry once the new law arrives.

#1 Businesses must give their consumers the ability to “opt-out” of sharing personal data

Automotive clients that meet the threshold for compliance will be required to disclose to consumers if their business has a practice of selling consumer data to third parties. If so, businesses will be required to display a clear and conspicuous “Do Not Sell My Personal Information” link on their website’s homepage, which will provide consumers the ability to opt-out of the sale of their data. If the business prefers, it can also maintain a separate and additional homepage dedicated to California consumers that includes the required links and text, so long as the business takes reasonable steps to ensure California consumers are directed to this California-specific homepage, rather than the homepage made available to the public generally.

Once a consumer selects to opt-out, businesses will be barred from asking consumers to change their preference for at least 12 months. Importantly, the current text of the law uses the term “consumer” instead of “customer,” meaning that CaCPA will likely apply to any California resident, regardless of whether that individual has ever purchased a car from a dealer.

#2 Businesses must be able to provide consumers with access to the information about them

Consumers have long desired greater transparency in businesses’ privacy practices. Under CaCPA, California residents will now have the right to request specific information about how their personal data is processed, for what purposes it is processed, and with whom it is shared.

To satisfy this requirement, automotive dealers will need to construct the ability to verify a consumers’ identity, and respond to an access request as promptly as possible. Although dealers will have some discretion with how they implement these requirements, the law does contain several guideposts:

• Responses must be free of charge;
• Responses must be delivered within 45 days of receiving a verifiable request;
• The response must apply to the 12-month period preceding the access request;
• The response must be provided in writing, in a “readily usable format” that allows the consumer to transmit the information from one entity to another “without hindrance;” and
• The response must be delivered through the consumer’s account, by mail, or electronically, all at the consumer’s option.

#3 Businesses must honor consumer requests to delete their data 

CaCPA grants consumers the right to request a business to delete their personal information. Under the current version of the law, businesses are required to satisfy these requests within 45 days of receiving such a request. Importantly, the law also requires businesses to direct any of its service providers to do the same if they possess that consumer’s personal information as well.

Under CaCPA, businesses are not required to delete information “if it is necessary” to:

• Complete the transaction for which the individual’s data was collected;
• Provide a good or service the consumer has requested;
• Perform a contract between the business and the consumer;
• Detect security incidents;
• Protect against “malicious, deceptive, fraudulent, or illegal” activities;
• Prosecute people responsible for “malicious, deceptive, fraudulent, or illegal” activities; and
• Ensure the business’ exercise of “another right provided for by law.”

#4 Privacy notices will need to be updated

Given that CaCPA places such a premium on transparency, it’s unsurprising that the law will also require businesses to update their privacy notices in order to inform California residents of their new rights under the law. Therefore, it is imperative that automotive dealerships who either collect or sell personal information of California residents update their privacy notices before the January 1, 2020 deadline. As the deadline approaches, businesses are advised to meet with their internal stakeholders to update their privacy notices as needed. The authors of this client alert are available to guide businesses in revising these notices.

Future Amendments

California Governor Brown rushed to sign CaCPA on June 28 of this year in order to avoid a stricter ballot initiative from being sent to individual voters at the polls this month. Since the bill will not go into effect until January 1, 2020, we can expect several “clean-up” bills to be passed over the next 15 months.

Indeed, as recently as August 31, 2018 both chambers of the California legislature passed an amendment to CaCPA limiting the private right of action established under the law to actual data breaches. The amendment, among other changes, further clarified that any obligations imposed on businesses by CaCPA should not be construed to infringe on a businesses’ own speech rights or the free speech rights of another consumer. 

In the interim, we can also expect the California Attorney General to continue working with commercial groups and consumer advocates to develop industry-based guidance in the year ahead. However, these groups will need to rapidly organize their efforts, as any changes to the law will need to have been incorporated prior to the January 1, 2020 enforcement deadline.