The California Consumer Privacy Act, the most aggressive consumer-privacy law in the country, goes into effect Jan. 1. While many dealerships have been preparing for implementation for months, changes to the law and new proposed regulations should inform their final compliance efforts. Even if your dealership is outside California, you should review your practices to ensure your customers' privacy is protected.
Understand the types of data your dealership collects: California Gov. Gavin Newsom signed several bills that modify the definitions of "personal information." Dealerships must analyze what information they collect, store and share that is still covered by the law so that they can understand their compliance risk.
Update the dealership privacy policy: The California Online Privacy Protection Act already requires every entity operating a commercial website to post its privacy policy on its site for consumers. California's proposed new regulations provide details about what this policy should contain, including descriptions of the consumer's rights as to information collected, disclosed or sold; the method to request deletion of personal data; and the right to opt out of data sales and a copy of the opt-out notice.
Prepare notices to consumers: The California law requires businesses covered by the privacy act to notify consumers at the time of collection what information they collect, what it is used for and with whom it is shared. Businesses must also provide notices to consumers of their right to opt out of the sale of personal information. Dealerships should look to the attorney general's regulations in drafting their notices.
Provide employee privacy notices: In the first year of the law, employees are not consumers for the purpose of the privacy act. In practical terms this means that for 2020, personal information gathered from job applicants, employees and individual contractors that is collected and used solely for the purpose of the person's role in the business is not covered. Dealers should take a proactive approach and provide notices to all job applicants, employees and contractors that personal information collected and used as part of their role in the business will be used only for that purpose.
Implement security measures: Under the California act, businesses may be liable to customers after an incident of unauthorized access to their data, even if the customers are not injured. The customers need only prove that the business did not take "reasonable" efforts to protect the data. One disappointment is that the attorney general did not propose more specific guidelines as to what constitutes a "reasonable" effort. However, every dealership should adopt certain security measures, such as improving password security by requiring passwords that are at least 12 characters long, contain numbers, special characters and both upper- and lowercase letters, and do not contain real words or names; limiting access to personal information to only those who need it; and paying attention to physical security, such as ensuring that deal files are never left unattended on desks and are stored in secure cabinets.
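A check that enforces the password rules listed above, added here as an example that is not part of the original column. It goes one step beyond the stated rules by folding common digit-for-letter substitutions back to letters before the word check; the banned-word list is a constructed stand-in for the real dictionary and name lists a dealership would load.

```python
import re

# Constructed stand-in for a real dictionary plus first-name list (assumption:
# production use would load far larger lists from files).
BANNED_WORDS = {"password", "dealer", "summer", "welcome", "james", "maria"}

MIN_LENGTH = 12

# Common substitutions people use to sneak a real word past a word filter.
_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                                "5": "s", "7": "t", "@": "a", "$": "s"})


def _normalize(password: str) -> str:
    """Lowercase and undo digit/symbol-for-letter swaps so 'P@ssw0rd' reads 'password'."""
    return password.lower().translate(_SUBSTITUTIONS)


def password_policy_failures(password: str) -> list[str]:
    """Return the rules the password violates; an empty list means it complies."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        failures.append("missing upper- or lowercase letter")
    normalized = _normalize(password)
    hits = sorted(word for word in BANNED_WORDS if word in normalized)
    if hits:
        failures.append("contains real word or name: " + ", ".join(hits))
    return failures


def is_compliant(password: str) -> bool:
    """True only when every rule in the dealership policy is satisfied."""
    return not password_policy_failures(password)


if __name__ == "__main__":
    for candidate in ("Summer2024!!", "P@ssw0rd2024!!", "xQ7#mL2$vB9!"):
        print(candidate, "->", password_policy_failures(candidate) or "compliant")
```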