Nearly a year and a half after being signed into law, the watershed California Consumer Privacy Act (CCPA) went into effect Jan. 1, changing the landscape of privacy law in the United States. Dealers, auto lenders and their customers need to understand the seismic legal changes underway and the law’s potential impact.
Businesses subject to CCPA
The CCPA protects the privacy rights of California consumers and affects businesses that operate both within and outside the state. Auto companies that operate dealerships, service customers who reside in California or otherwise “do business” in California and meet certain thresholds, are likely subject to the CCPA. These include: having $25 million or more in gross annual revenues; buying, selling or receiving personal data on more than 50,000 consumers, households or devices; or deriving 50% or more of annual revenues from selling personal data.
Important auto industry exemptions
- Despite being considered a “business” regulated by the CCPA, there are several exemptions relevant to dealers and auto lenders that may excuse compliance with the new law, such as:
Warranty repairs and recalls: vehicle information, including ownership, shared between a dealer and manufacturer regarding warranty or recalls;
- Vehicle record information: personal information derived from motor vehicle records that is collected, processed, sold, or disclosed pursuant to the federal Driver’s Privacy Protection Act;
- Financial information: personally identifiable financial information (i.e. information provided or obtained in connection with providing consumers’ financial products or services) that is collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act or the California Financial Information Privacy Act; and
- Credit reports: activity involving the collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a consumer’s credit worthiness.
Auto companies must also be prepared to receive, verify and respond to consumer requests about information collection and use, deletion and sale opt-outs.
What’s to come?
The changes enacted by the CCPA were the first of their kind at the state level, but more changes are to come. A new ballot initiative, dubbed “CCPA 2.0,” intended to provide additional rights and establish an agency dedicated to consumer privacy rights, is in the works for the California 2020 election. Other states will attempt to follow suit, with legislation already underway in Virginia and Washington. Task forces and advisory councils related to data privacy have been established in Connecticut, Hawaii, Louisiana, North Dakota, and Texas. Auto companies will need to carefully monitor these developments and the impact new laws will have on their data privacy management programs.
Susan Chylik is a member in McGlinchey’s consumer financial services compliance team and can be contacted at [email protected] or 216-378-9913. Colin Quillinan is an associate in McGlinchey’s consumer financial services compliance team and can be contacted at [email protected] or 518-874-3423. McGlinchey is the compliance partner of Auto Finance Excellence, a sister service of Auto Finance News.