Pub. 1 2019-2020 Issue 2

business receives such a request, it must also direct any service providers to delete the consumer’s personal information from their records as well.

There are exceptions to the general rule that consumers can request deletion of their data. Those exceptions pertinent to dealers include the following:

• To complete the transaction for which the personal information was collected, provide a good or service requested by the consumer (or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer), or to otherwise perform a contract between the business and the consumer;
• To detect security incidents and/or to protect against malicious, deceptive, fraudulent, or illegal activity;
• To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business; and
• To comply with a legal obligation.

Potential Dealership Liability Under the CCPA

The CCPA also allows consumers to sue businesses that suffer data breaches. In addition, statutory penalties attach if businesses do not comply with consumer requests (the amount of the penalties depends upon the “willfulness” of the business’s failure to comply). Consumer privacy advocates recently persuaded Senator Hannah-Beth Jackson to introduce legislation, backed by California Attorney General Xavier Becerra, to expand upon a consumer’s private right of action, which aims to make the CCPA a dangerous expansion similar to the Private Attorneys General Act (PAGA).

Interaction with the Gramm-Leach-Bliley Act (GLBA)

The CCPA generally does not apply to financial information collected pursuant to the GLBA. This means that the CCPA does not necessarily provide consumers with the right to access or delete their data if it was collected for a purpose regulated by the GLBA (such as obtaining financing for a vehicle).
However, the CCPA defines “personal information” much more broadly than the GLBA and it covers all California residents (not just dealership customers). The broad scope of the CCPA means that a significant amount of consumer data collected by dealerships likely falls outside of the GLBA exemption.

Dealership Action Items

Consumer requests for information cover data collected, disclosed, and/or sold during the preceding 12 months. Given the magnitude of the new CCPA requirements, dealers need to prepare and invest in compliance efforts now.

1) Contact manufacturers and vendors.

Dealers routinely transmit customer data to their DMS providers, manufacturers, and other vendors. Therefore, it is important for dealers to contact these entities to ensure they develop a CCPA compliance strategy that empowers California dealers to respond to customer requests (and comply with other CCPA obligations). To assist dealers in this process, CNCDA has developed a model letter that can be used to communicate concerns about the CCPA to OEMs and DMS providers. If you would like a copy of this letter, please contact CNCDA at 916-441-2599.

2) Consider modifying what personal information the dealership collects and how it is collected.

The definition of “personal information” under the CCPA is incredibly broad, and includes information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly,” with a particular consumer or household. This includes data collected in dealerships and online (which includes everything from IP addresses to customer preferences). Accordingly, dealers should take the time to comprehensively review what types of data the dealership collects about consumers – because anything collected may need to be disclosed, and could need to be deleted.

3) Draft a CCPA customer notice form.
To prepare for the responsibility to inform customers of their rights under the CCPA, dealers should consult with counsel to begin developing a CCPA consumer notice form and should make some initial decisions about how and when that notice is given to consumers.

4) Review dealership technology and data security.

Because retailers in general have been a huge target for hackers, it is imperative that dealers review their dealership’s data security practices to ensure consumer information is protected. Since the CCPA brings a risk of class actions (without any requirement to prove harm), every dealer needs to take steps to mitigate risk in this area.

5) Develop a process for handling consumer requests for information.

Once requested, dealerships have 45 days to disclose a consumer’s personal information. This requirement puts California dealers in a difficult position because dealers often rely on their DMS providers, manufacturers, and other vendors to manage their customer data. Therefore, it is
