Coverage has been breathless regarding AB 375, titled the California Consumer Privacy Act of 2018. Its history is dramatic; it went through the legislative process in only a few days in order to head off an onerous ballot initiative. The topic is similarly intense; over the last few years, data privacy and security events have dominated the news from business to politics.
How will the new law affect dealerships? Affected dealerships will need to adapt their current advertising, privacy and security compliance programs and their compliance policies and procedures, and manage their vendor relationships, to comply with the law. If your dealership or dealership group has largely ignored past calls for compliance in these areas or has failed to adopt a comprehensive corporate compliance program, the 18 months until the provisions of the law apply could mean real work to ensure your dealerships do not become the target of a crippling class action lawsuit. While the law only applies to companies that have a gross revenue of at least $25 million, that likely applies to most dealerships in California.
The law is modeled to some degree on the European Union General Data Protection Regulation (GDPR), which famously purports to give customers the “right to be forgotten.” California law will allow customers to request that businesses erase data stored about the customer. It will also allow customers to find out what type of data is stored about them, and, for businesses that “sell” customer data, as defined, to “opt out” of having their data sold. The Act’s overbroad definitions, which include receiving something of benefit in the definition of “sell,” as well as the vague scope of some of its exceptions, are likely to be the subject of fierce regulatory lobbying in the next 18 months. As of now, the scope of these exceptions is unclear, leaving the possibility that even showroom videotape surveillance and GPS device location data—depending on how it is stored and what it identifies—may be included within the Act’s scope, triggering further requirements.
Sticking with America’s litigious tradition, the law also creates a private right of action that allows customers to sue over unauthorized access to personal information. Customers need not show actual damage from the access and instead can just seek statutory penalties. Most importantly, arbitration provisions in agreements with customers may not be used to force the customer into arbitration. California businesses are required to inform customers of data breaches; with this law in place, if a single customer who is notified about a breach decides to sue, dealers could face tens or even hundreds of thousands of dollars in statutory penalties. If attempts to amend the law to delete this provision fail, we predict this will trigger a new wave of consumer class actions filed against dealerships.
The good news is there is no need to panic—yet. The law’s requirements are effective January 1, 2020, giving California businesses nearly 18 months to prepare. Further, due to the hasty nature of the legislative process, there is every reason to think business groups will mount a counteroffensive in the 2019 legislative session to round some of the law’s sharp edges. In the meantime, now is the time to work with your attorney to figure out a compliance plan. Companies such as RACER (Retail Automotive Compliance and Ethics Resource) provide a full corporate compliance and ethics program that creates, implements and monitors customized compliance programs for California auto dealers. Privacy, safeguards and Red Flags are just a few of the areas covered by that program. For more information on obtaining a corporate compliance and ethics program, visit http://www.racercalifornia.com/. For more information on the law’s requirements and what you can do to prepare your dealership, watch for next week’s article in this quarter’s Ahead of the Curve.