At the beginning of this year, an expansive law went into effect in California to protect the privacy of its residents — and it will have an impact far beyond the Golden State.

It could usher in sweeping changes by giving consumers the right to opt out of the sale — or even retention — of their personal data.

This new law is called the California Consumer Privacy Act or CCPA, and auto dealers in California will need to comply. In fact, any for-profit business that targets California consumers must comply if it:

  • Processes the personal data of at least 50,000 California consumers. (Keep in mind, IP addresses are considered personal data, so this would apply to any website with at least 50,000 visits from California consumers.)
  • Makes at least half of its revenue from sharing California consumer data for profit.
  • Has an annual revenue of $25 million or more.

Because most auto dealers make more than $25 million in annual revenue, they are within the scope of CCPA.

The California Attorney General’s Office won’t start enforcing the requirements of CCPA until July 1, so there’s still time to get ready. CCPA provides a six-month preparation period, as there is a significant amount of work needed to set up and implement new policies and processes to comply.

One of the biggest land mines in the new law is a provision that allows private right of action. That is, consumers will be able to sue businesses for alleged noncompliance. We can expect plaintiffs’ lawyers to come up with creative legal theories that combine CCPA requirements with California consumer protection laws starting in the second half of this year.

I urge all auto dealers who have stores in California to act now. I suggest dealers review their CRM and DMS data to understand what personal information, as defined by CCPA, is contained in those data sets, determine the proper way to gain consent from the consumers and share that data with their business vendors.

It is clear under the CCPA that dealers will be held responsible for sharing of personal data with their vendors without appropriate authorization.

One leading dealership group’s position is instructive of how I think about this area. “Although CCPA is forcing us to acknowledge our processes for protecting customer information, it’s also a great opportunity to remind people that we don’t sell their data and to accommodate their communication preferences,” said Tom Dobry, chief marketing officer of Lithia Motors.

A precursor to CCPA is Europe’s General Data Protection Regulation. Enforcement examples from 2019 under GDPR include fines of more than $100 million each levied against Marriott Hotels and British Airways.

With Cambridge Analytica and other recent privacy mishaps in the U.S., we can expect CCPA to be the beginning of increased regulation and enforcement in the automotive retailing space. I expect other states and jurisdictions to adopt laws and regulations to protect the privacy of their residents in 2020 and beyond.

CCPA is a ticking time bomb for dealers to adopt new ways of protecting the personal data of the consumers they target in the future.