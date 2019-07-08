Calif. data law could send dealers scrambling

Starting next year, California dealerships that improperly manage customers' personal information could be in regulatory jeopardy as the state gives consumers more liberty to access or delete the data dealerships collect on them.

Facing the daunting task of tracking every piece of data and where it might go, some dealers and their vendor partners are already racing to prepare for the new law.

The California Consumer Privacy Act, effective Jan. 1, will give consumers in the state the right to take more ownership of their data. Among other requirements, the bill orders businesses to honor consumers' demands to access personal information collected about them; know whether their personal information is sold or disclosed and to whom; and opt out of the sale or sharing of personal information. Consumers can also demand that a business and its affiliates, such as vendors, delete their personal information. The California law could set a precedent that eventually affects dealerships in other states.

The California attorney general will enforce the law but has until July 1, 2020, to interpret it and write a set of rules. Before the interpretation, though, consumers are eligible to sue dealerships that violate the act.

Photo
Mason: “There’s no magic pill.”

The law affects all businesses in California meeting certain criteria (see Page 29), including many auto companies. Dealerships are data gold mines and share customer data with third-party vendors, automakers and lenders. But many don't have a consistent method of tracking where each piece of customer data goes and how it's used. Preparing for the new law could take several months, experts warn.

The act will be like "a bucket of ice water that's going to be dumped on a bunch of people's heads to get them to understand that [information technology] for dealerships needs to evolve," said Jeff Mason, vice president of marketing at dealership vendor Helion Technologies.

The act carries even more weight because of its California roots. The law reaches far beyond the auto industry, but California ranks highest in dealership count and light-vehicle sales among the 50 states.

And with California's position as a trendsetter in automotive technology and legislation, the law could establish a template for other states. Legislators in at least seven other states have proposed similar consumer data privacy bills. Those are Connecticut, Hawaii, Maryland, Massachusetts, Minnesota, Pennsylvania and Rhode Island, according to dealership vendor RouteOne.

Photo
Cliff: California seen as leader

"California is traditionally seen as a leader in legislation," said Melanie Cliff, partner at law firm Scali Rasmussen in Los Angeles. "The consumer is concerned with privacy rights. The advancement and the speed of innovation is something that's very challenging and scary for the general public."

With at least a dozen proposed amendments to the act pending in the California Legislature, how the new law eventually rolls out is in flux. But most experts say the crux of the act is unlikely to change. They encourage dealers to prepare based on the information at hand.

Data mapping

Data mapping — or taking inventory of the data in company systems — is the most crucial part of preparing for the bill, said Brad Miller, senior counsel for digital affairs at the National Automobile Dealers Association.

Privacy prep

Steps California auto dealers should take to prepare for the state's consumer privacy act

  • Map the personal customer data in the dealership.
  • Put vendors on notice and ensure they are preparing for the law.
  • Update privacy policy, contracts and disclosures.
  • Assess cybersecurity to identify systems potentially vulnerable to a breach.
  • Develop detailed remediation and implementation plans to safeguard or replace those systems.
  • Launch an ongoing, effective compliance management strategy.

Source: Helion, DHG, Scali Rasmussen, Hudson Cook

"The succinct duty that dealers really need to get a grip on in the next few months is they have to map this information. They've got to know where it's going," Miller said. "You can't comply with the obligation unless you know where it's going in the first place."

If customers ask a dealership to delete their information, all other parties that have access must also delete it.

Vendors are willing to work with dealers, said Meghan Musselman, partner at Hudson Cook, but "they can only provide solutions with respect to the information that they have, and dealers are using multiple systems or multiple service providers. They're going to have to figure out how to coordinate all of that information and turn it into a singular response to the consumer."

There's no quick solution to developing a data strategy, said Helion's Mason. The project could take several months. Even dealers starting now are coming in late and will likely find that complying with the act is more complicated than they expected, he said.

"There's no magic pill," Mason said. "Some dealers might be under the impression that they can buy a piece of data-mapping software and somehow plug it in and press a button. That's not the case."

Dealers should tap their resources, such as the California New Car Dealers Association and their own lawyers, general counsels and compliance officers. They should also appoint an internal gatekeeper to track the store's data access and sharing, said Cliff.

"That gatekeeper would basically control and have knowledge as to what vendor is getting what information and what customer is now seeking information," she said.

Vendor action

The California New Car Dealers Association has sent letters to large dealership management system providers and trade associations, urging them to prepare for the act. It also has been educating its dealer members. As the law evolves, the association will determine "which vendors are doing their best to comply and alerting our dealers to that fact," said Brian Maas, president of the association.

Thresholds

Businesses meeting these criteria must comply with the California Consumer Privacy Act.

  • Earns annual gross revenue of more than $25 million
  • Buys, sells and/or shares personal information of 50,000 consumers, households or devices for commercial purposes annually
  • Derives 50% or more of annual revenue from selling consumers' personal information

Source: California Consumer Privacy Act

For example, a vendor might have the world's best customer relationship management tool, "but if they're not compliant, it doesn't matter," Maas said.

The association encourages dealers to use Helion and accounting firm DHG as resources to prepare for the law.

Miller suggests that dealers work with their vendors to ensure contracts are updated with the required provisions. Dealers must also coordinate with their website providers to include an opt-out button and must provide a toll-free number for consumers, according to the act.

RouteOne, a finance and insurance and electronic contracting company, is building a tool that will disclose to every dealership customer the information the dealership collects and the purpose for collecting it, said Dan Doman, the company's chief legal and privacy officer.

Dealertrack, which provides F&I and DMS software for dealerships, said that once dealers determine the data subject to the law's oversight, then its systems can display or delete the data if a consumer demands information or deletion. Dealertrack's DMS also keeps a list of vendors with access to a dealership's data. Dealers can turn vendor integration on or off at their discretion, according to the company.

Dealer confusion

Peter Hoffman, dealer principal at Sierra Autocars in Monrovia, Calif., said there is confusion around the law, especially in terms of working with automakers and vendors on data tracking and deletion.

Vendors and automakers could pass on customer data to other vendors that the dealership doesn't directly work with, Hoffman said. "That daisy chain of vendors … we aren't in control of and we haven't really been able to figure out who they all are."

As dealers await the outcome of the proposed amendments and an interpretation by the attorney general, they can prepare only for what they know will change.

"This is such a moving target that I think compliance is going to be difficult, and there may be a lag in the attention that people devote to this," Maas said. "People who are first movers and figure this stuff out early will have an advantage."

Letter
to the
Editor

Send us a letter

Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

Digital Edition
THIS WEEK'S EDITION
See our archive
Fixed Ops Journal
Thumbnail
Read the issue
See our archive