By Erin Tenner, Richard Williams and Nathan Lee of Gray•Duffy, LLP
The California Consumer Privacy Act (CCPA) is set to go into effect Jan. 1, 2020. California auto dealers should begin the process to become CCPA compliant immediately, as this process is likely to take months to implement.
CCPA Grants Rights to Consumers
The CCPA (per Civil Code Section 1798.110) grants individuals certain rights with respect to their personal data. Specifically, dealers must be prepared to provide the following information to any consumer who requests it beginning Jan. 1, 2020, promptly upon request and up to twice in any given year:
- The categories of personal information it has collected about them;
- The categories of sources from which the personal information is collected;
- The business or commercial purpose for collecting or selling personal information;
- The categories of third parties with whom the business shares personal information;
- The specific pieces of personal information it has collected about the consumer.
If information is not going to be provided or deleted, or doing so is delayed, the consumer must be notified of the reason for the delay or the decision not to delete the information, and of any right the consumer has to appeal the decision to the dealership.
Exceptions to the CCPA
Even though dealers are required to comply with the CCPA, there are certain exceptions that apply under the CCPA [see CA Civil Code Section 1798.105(d)]. Among them are the following — a dealer will not be required to delete customer information if it is necessary in order to:
- “Debug to identify and repair errors that impair existing intended functionality.” This exception can arguably be used to justify holding on to customer information that may be needed for purposes of warranty recall.
- “[E]nable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.”
- “Comply with a legal obligation.”
- “Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.”
In addition, the CCPA does not apply to 1) the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report, and 2) personal information collected, processed, sold, or disclosed pursuant to other privacy laws.
For example, the CCPA arguably does not apply to retained deal jackets or service records, or the sharing of personal information with a consumer reporting agency to be reported in or used to generate a consumer credit report.
What do Auto Dealerships Need to do Now?
- Update privacy policies to make sure they provide the following information:
– If you collect personal information on your website, include a disclosure on your website of the consumer right to request that their personal information be deleted.
– Update your paper privacy policies to disclose the consumer’s right to delete personal information except as may be required to comply with record retention laws and safety recall requirements.
– Make sure your privacy policies are provided to the consumer at or prior to the point of collection of private information and inform the consumer of the categories of personal information to be collected and the purposes for which the categories of information will be used.
- Develop a procedure for making sure private information is deleted as required if requested by a customer. Appoint at least one person to be responsible for making sure privacy policies are updated and that personal information is deleted and those with whom information was shared are notified in writing. Make sure all employees who interact with customers know to whom they should refer customers who want their private information deleted.
- Make sure the person in charge of customer personal information knows how to verify the identity of a consumer requesting personal information collected on them so it is not inadvertently provided to anyone except the person entitled to the information.
- Make sure you are able to track and have an updated address for notice to anyone with whom you have shared personal information so they can be notified in writing of a consumer request to delete their personal information.
- If you sell consumer information, get familiar with the additional requirements for businesses that sell consumer information including a link to a “Do Not Sell My Personal Information” internet web page.
- Develop a process for determining whether some or all of a person’s personal information will or will not be deleted.
- Develop an appeal process if you intend to implement one for consumers whose information will not be completely deleted.
- If you receive a notice of violation, give it to your attorney immediately. As with PAGA actions, there is a 30-day right to cure statutory and class-wide claims (but not individual damage claims). If you cure the offense (assuming it can be cured) and notify the consumer you have done so and that no further violations will occur, the consumer cannot sue.
The California attorney general will issue enforcement regulations and will not enforce the CCPA until they are issued, or until July 1, 2020, whichever occurs first, but private attorneys may still sue.