Pub. 5 Issue 1

31 Issue 1 2019 T he California Consumer Privacy Act (CCPA) was passed in 2018 in response to growing concerns that the personal information of consumers is increas- ingly at risk of falling into the hands of cybercrimi- nals. Highly publicized data breaches at companies such as Target, Equifax, Facebook, and CapitalOne have helped to fuel demand by consumers that something be done to protect their data. The California State Legislature responded to this de- mand with the CCPA, which takes effect January 1st, 2020. Specifically, the CCPA gives California residents the right to: • Know what personal information is being collected about them • Know who that information is being sold to or shared with • Opt-out of having their information sold to or shared with third parties • Request deletion of their personal information under certain circumstances Perhaps most important, the CCPA creates a private right of action for California residents if their personal informa- tion is subject to a security incident as a result of a business’s failure to implement reasonable security measures. This last provision is concerning. Between state and pri- vate actions, a business with poor data security policies and practices could be on the hook for thousands, if not millions of dollars in fines and lawsuits. How the CCPA affects dealerships The CCPA applies to for-profit businesses in California that meet any of the following criteria: • Earns annual gross revenue of more than $25 million • Buys, sells and/or shares personal information of 50,000 California residents for commercial purposes annually • Derives 50% or more of annual revenue from selling the personal information of California residents Many dealerships meet the first criteria and are therefore subject to the CCPA. Auto dealerships collect data about customers every day. Potential car buyers enter their personal information in web forms and disclose financial information during the credit approval process. Most online and paper forms that custom- ers fill out to test drive, buy or lease a car contain sensitive information. Preparing for the CCPA Achieving CCPA compliance is a complicated and time- consuming process that will take from six months to a year. If your dealership hasn’t already started this process, there’s little chance you will achieve full compliance by January. Two major provisions in the CCPA that affect California dealerships include: 1. Dealerships must take “reasonable measures” to pro- tect consumer data A Strategic Approach to Complying with the CCPA BY ERIK NACHBAHR