By Hao Nguyen, General Counsel, ComplyAuto
One evening over a Zoom call, I asked a friend in law enforcement what the most ridiculous assignment he received was. Rather than focusing on any one event, he said speeding tickets stood out because of how many times he got this response: “I’m sorry, officer; I didn’t know how fast I was going.” He said it was comical that these folks thought it would work because “ignorance of the law is never an excuse.” I thought it was the perfect line to introduce this article.
With the California Consumer Privacy Act (CCPA) now in its second year, the California Attorney General’s office expects businesses to have a firm grasp on the law. The CCPA grants consumers the right to submit a request to know, a request to opt-out, and a request to delete their personal information, and businesses should by now know how to:
- Verify the consumer’s request (the verification requirements vary by the type of request);
- Fulfill or reject these requests (after considering whether they meet the verification requirements and whether any exemptions apply);
- Notify the consumer that the request is being processed and, later, that it has been completed; and
- Notify any vendor of the request (again, the verification requirements vary by the type of request and, now, by whether the vendor is a “third party” or a “service provider”).
Maybe some leniency was granted by enforcement officials in the beginning, when California businesses as a whole were collectively getting their “sea legs” to comply with these laws. But now, as my friend so aptly put it, ignorance of these laws will no longer be an excuse. Of all the confusing aspects of the CCPA, what has continually stymied businesses and vendors alike is the definition of the phrase “opt-out.” Specifically, some Customer Relationship Management (CRM) software cannot fulfill these requests correctly, and may expose you to significant legal liability, when it receives an “opt-out” request from you or on your behalf.
To fully understand what is happening, you will need to know what an “opt-out” truly is under the CCPA and what the consumer is asking you to do when submitting an opt-out request.
Traditional Meaning of “Opt-Out”
Before the CCPA, the phrase “opt-out” was most prevalently used in the context of marketing under the federal Telephone Consumer Protection Act (TCPA) and the CAN-SPAM Act, with the former governing phone calls and text messages and the latter governing email advertisements. In both instances, an “opt-out” meant that the consumer no longer wanted to be contacted for marketing or promotional purposes. Usually, a text message would offer a reply keyword to opt out, or an email would carry an “unsubscribe” link that removed the consumer from the email list.
Meaning of “Opt-Out” Under the CCPA
Whether the authors of the CCPA did this on purpose to confuse us is up to debate, but what we do know is … it’s confusing. To understand what an “opt-out” is under the CCPA, we need to know what “selling” means under the CCPA.
“Sale,” “selling,” or “sold” means the selling, transferring or sharing of a consumer’s personal information (PI) by the business to another business or third party for monetary or other valuable consideration. By redefining what we generally understand as a sale associated with money (the authors could probably have defined the term “share” or “sharing” instead), the CCPA makes it likely that dealers are selling a consumer’s PI without even knowing it. Consider, for example, a dealer that works with third-party marketing or advertising agencies: the dealer gives these agencies the consumer’s PI in exchange for the valuable services they provide, such as mailers, email campaigns and the like. Under the definition above, that exchange is a sale.
In an opt-out request under the CCPA, the consumer is directing a business that currently sells the consumer’s PI to stop selling it in the future.
What is an “Opt-Out” Request under the CCPA?
Let’s say there are two categories of vendors involved in an opt-out request: the “Sources” and their “Third Parties.” Sources are vendors who store all of the customer’s personal information on your behalf (think DMS and CRM); for purposes of this analogy, let’s make these Source vendors “faucets.” When turned on, the water that flows from these faucets is the consumer’s PI. Third Parties are those vendors who tap into the Source vendor’s database to receive the PI and use it on behalf of the dealer. To continue our analogy, let’s make these Third-Party vendors “flowers.”
The faucets pour water on these flowers and you, the gardener, allow this to happen. The dealer is allowing the Source vendors to push consumer PI to these Third Parties.
In an opt-out request, the consumer asks the dealer to prevent the future sharing or transfer of the consumer’s PI. Put another way, the consumer is asking you to turn off the water to prevent the water from flowing from the faucet to the flowers.
Some CRMs and Dealer Management Systems (DMS) have been fulfilling these requests correctly. “John Smith” sent an opt-out request to your dealership? Great: log in to your CRM or DMS portal, enter John Smith’s name and any other identifying information, check a “do not share” or “opt-out” box, and John Smith’s PI will no longer be shared with any third parties in subsequent data pulls/pushes or API integrations. The record stays in the system; only the outbound flow is stopped. This is a relatively easy fix, in my opinion, because plenty of vendors have done this. ComplyAuto has successfully convinced multiple large DMS and CRM vendors to begin implementing changes to fulfill an opt-out request in this fashion.
The Wrong Way to Fulfill an Opt-Out Request
Some popular CRMs are directing dealerships to completely delete a customer, or provide functionality in their software that deletes a customer, in response to an opt-out request. This is problematic, and may expose your dealership to significant legal liability under other state and federal laws.
Note that this is an opt-out request and NOT a deletion request. Remember, the consumer is asking the gardener to shut off the water. It doesn’t matter that the faucet still has water nor that the flowers have wet soil (because this is not a deletion request). Rather, the gardener needs to only concern himself with turning the water off, and the Source vendors must put in place a mechanism to prevent the future selling or sharing of the consumer’s PI.
Concerns that Arise When Opt-Out Requests are Fulfilled Incorrectly
These CRMs believe that deleting the information is sufficient to fulfill an opt-out request (after all, how do you share or transfer information that you don’t have?), but this “using a hammer to kill ants” approach creates far more issues than it resolves:
- Record Retention Issues
As you know, there are many record retention laws in California that span a wide range: from the comprehensive deal jacket to the simple repair order. Depending on what information was deleted, the dealer may run afoul of these record retention laws by deleting the customer’s information. The CRM holds a host of data, including email/text communications, customer/salesperson notes, and other data relevant to record retention rules, litigation holds, and defending against potential fraud and litigation.
The dealer cannot simply delete this data, because this is not a deletion request. Furthermore, even for actual deletion requests, the CCPA has specific exemptions that allow a business to retain customer information it is required to keep. Conflating the opt-out and deletion requests in this manner creates a host of legal issues.
- Potential CCPA Violations
In the short term, deleting customer PI would prevent the future sharing or transfer of that customer’s PI. But what if the person gets put back into the CRM by submitting another lead to the dealer? Because the deletion left no opt-out signal behind, and there is usually no other way for the dealership to track the opt-out in the CRM, the dealer would violate the CCPA the moment it shares or transfers this customer’s PI after they are re-entered. Contrary to popular belief, simply interacting with the dealer again is not enough to constitute the customer’s intent to opt back in to the sale or sharing of their information.
What’s even more damaging, in our opinion, is these CRMs are specifically instructing dealers that this is how you would opt a customer out under the CCPA, which is not accurate.
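To make the difference between the two approaches concrete, here is a small model of a CRM written for this article as an added illustration; it is not code from the original article, from ComplyAuto, or from any real CRM or DMS vendor. It assumes a hypothetical record layout and uses a normalized email address as the matching key for the suppression list (a production system would match on additional identifiers). It walks through the exact sequence described above: a customer opts out, later submits a new lead, and the third-party integration runs an export. With deletion, the customer is shared again; with a persistent flag, the export withholds the record while the notes and history stay in the system for record retention.

```python
"""Toy CRM model of an opt-out signal that survives record re-entry.

Added example (not from the original article or any real CRM product).
Identifiers, field names and the email-keyed suppression list are
assumptions for illustration; a real system would match on more than one
identifier (phone, address, VIN, etc.).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


def normalize_email(email: str) -> str:
    """Assumed matching key: case-insensitive, whitespace-trimmed email."""
    return email.strip().lower()


@dataclass
class Consumer:
    consumer_id: str
    name: str
    email: str
    notes: List[str] = field(default_factory=list)  # retained records (deal notes, messages)
    do_not_sell: bool = False                        # the CCPA opt-out flag


@dataclass
class CRM:
    consumers: Dict[str, Consumer] = field(default_factory=dict)
    # Suppression list keyed by normalized email. It outlives any single
    # consumer record, so a re-submitted lead inherits the earlier opt-out.
    suppression: Set[str] = field(default_factory=set)
    audit_log: List[str] = field(default_factory=list)

    def add_lead(self, consumer_id: str, name: str, email: str) -> Consumer:
        """Create a record for a new lead; honor any prior opt-out for that person."""
        consumer = Consumer(consumer_id, name, email)
        if normalize_email(email) in self.suppression:
            consumer.do_not_sell = True
            self.audit_log.append(f"lead {consumer_id} matched suppression list")
        self.consumers[consumer_id] = consumer
        return consumer

    def opt_out(self, consumer_id: str) -> None:
        """Right way: flag the record and remember the signal; delete nothing."""
        consumer = self.consumers[consumer_id]
        consumer.do_not_sell = True
        self.suppression.add(normalize_email(consumer.email))
        self.audit_log.append(f"opt-out recorded for {consumer_id}")

    def delete_as_opt_out(self, consumer_id: str) -> None:
        """Wrong way: treating the opt-out as a deletion leaves no signal behind."""
        del self.consumers[consumer_id]

    def third_party_export(self) -> List[dict]:
        """What a marketing/advertising integration pulls: flagged records are withheld."""
        return [
            {"id": c.consumer_id, "name": c.name, "email": c.email}
            for c in self.consumers.values()
            if not c.do_not_sell
        ]


def scenario_delete_only() -> List[dict]:
    """John opts out, the CRM deletes him, John submits a new lead: he is shared again."""
    crm = CRM()
    crm.add_lead("c1", "John Smith", "John.Smith@example.com")  # constructed sample data
    crm.delete_as_opt_out("c1")
    crm.add_lead("c2", "John Smith", "john.smith@example.com")  # same person, new lead
    return crm.third_party_export()


def scenario_flag() -> CRM:
    """Same sequence with a persistent flag: nothing is shared and records are kept."""
    crm = CRM()
    john = crm.add_lead("c1", "John Smith", "John.Smith@example.com")
    john.notes.append("test drove 2019 sedan; quote sent")  # constructed sample data
    crm.opt_out("c1")
    crm.add_lead("c2", "John Smith", "john.smith@example.com")  # re-entered lead
    return crm


if __name__ == "__main__":
    print("delete-only export:", scenario_delete_only())
    flagged = scenario_flag()
    print("flag-based export:", flagged.third_party_export())
    print("retained notes on c1:", flagged.consumers["c1"].notes)
    print("audit log:", flagged.audit_log)
```

The design point is that the opt-out has to live somewhere other than the record it was attached to. A flag on a single record disappears when that record is deleted, and a fresh lead creates a fresh record with the flag cleared, which is precisely how the re-entry violation happens. The suppression list here is the minimal version of that separate store; it is also what a dealer should ask the CRM vendor about, since a checkbox that merely hides the record from one screen does nothing for the API integrations that actually push data to third parties.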
What Do I Do?
Contact your DMS or CRM vendor and verify whether they have a mechanism in place to adequately fulfill opt-out requests. Rather than asking only whether the functionality exists, ask them specifically what is done with the customer’s PI: Is the customer merely flagged to prevent the selling or sharing of their PI, with the flag honored in every data pull, push and API integration? Or is the customer completely deleted from the database?
If enough dealerships bring this issue to their attention, vendors will be more apt to make significant changes to the way they fulfill these requests for their California clients.
ComplyAuto: A Purpose-built Solution for your Auto Group or Single-Point Dealership
Looking for a full suite of privacy compliance tools for your dealerships? Backed by decades of dealer and legal automotive experience, ComplyAuto offers a full solution for dealers to comply with privacy laws like the CCPA. We stand by our solution and offer each of our clients our ComplyAuto Compliance Guarantee, which states that we’ll pay for any state-enforced penalties while you’re using our software. Restrictions apply. For more information, please go to complyauto.com/compliance-guarantee/. Our goal is to take CCPA compliance out of your hands so your staff can go back to what matters, which is selling cars.
Please visit our website to learn more about our suite of tools.