As we previously reported, on June 28, California adopted AB 375, the strongest privacy law in the nation. The new law is modeled somewhat on the European Union General Data Protection Regulation (GDPR), which famously purports to give customers the “right to be forgotten,” and gives consumers several new rights, aiming to bring more control and transparency to the murky trade and use of people's personal data. It also, for the first time, provides consumers with the ability to sue companies that mishandle their data without ever having to prove harm due to the misuse.
When the bill goes into effect on January 1, 2020, customers will be able to find out what type of data is stored about them, request that businesses erase data stored about them, and, for businesses that “sell” customer data, as defined, “opt out” of having their data sold. The Act’s overbroad definitions, which include receiving something of benefit in the definition of “sell,” as well as the vague scope of some of its exceptions, are likely to be the subject of fierce regulation lobbying in the next 18 months. As of now, the scope of these exceptions is unclear, leaving the possibility that even showroom videotape surveillance and GPS device location data—depending on how it is stored and what it identifies—may be included within the Act’s scope, triggering further requirements.
Sticking with California’s litigious tradition, the law also creates a private right of action that allows customers to sue over unauthorized access to personal information. Customers need not show actual damage from the access (which is consistent with a recent Ninth Circuit decision called In re Zappos.com, Inc., which you can review in more detail in our Ahead of the Curve article Class Action Roundup) and instead can just seek statutory penalties. Most importantly, customer arbitration agreements may not be used to force the customer to arbitrate. California businesses are required to inform customers of data breaches; with this law in place, if a single customer who is notified about a breach decides to sue, dealers could face tens or even hundreds of thousands of dollars in statutory penalties. If attempts to amend the law to delete this provision fail, we predict this will trigger a new wave of consumer class actions filed against dealerships.
While the law does not become effective until January 1, 2020, and the California New Car Dealers Association has been at the table during the negotiation of AB 375, and will continue to work to smooth the edges of the law for California dealers, you should not delay preparing for this law, as it will likely remain largely in effect.
It is highly advisable to work with your attorney to figure out a compliance plan. Companies, such as RACER (Retail Automotive Compliance and Ethics Resource), provide a full corporate compliance and ethics program that creates, implements and monitors customized compliance programs for California auto dealers. Privacy, safeguards and Red Flags are just a few of the areas covered by that program. Dealers who have strong data security and privacy policies will find that compliance with AB 375, no matter what form it takes in the end, will be much easier. Those who do not may be in for a bumpy ride—and potentially devastating litigation.
What types of businesses does the law apply to?
The threshold question for each business, including dealerships, is whether the law applies. Not all entities are covered by the law. It applies to for-profit businesses that do business in California and meet any of the following criteria: 1) have annual gross revenue of $25 million or more; 2) collect, sell or share for commercial purposes the personal information of at least 50,000 consumers, households or devices; or 3) derive at least 50% of their annual revenues from selling consumers’ personal information.
Dealers should note that the annual gross revenue threshold includes both sales of goods and of services. Even if your dealership does not sell more than $25 million in cars and parts in a year, it may exceed the threshold once repair and other vehicle services are factored in.
Further, the law also applies to co-branded entities of businesses that meet the above criteria if they share common control, even if the affiliate does not do business in California. That means that if the same holding company owns dealerships in two states that share a trademark, the revenue of both dealerships will be counted towards the $25 million threshold.
What kind of data is covered?
The law applies to “personal information” of a consumer, broadly defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Data covered includes, but is not limited to, traditional identifiers like name, postal address, email address, driver’s license numbers, and social security numbers. It also includes personal characteristics such as age, race, or national origin; commercial information such as records of purchases of goods or services; biometric data; Internet or other electronic network activity; geolocation data; professional or employment-related data; and education information. However, “publicly available information,” defined as information lawfully made available from federal, state or local government records.
For purposes of the law, “consumer” is defined as a natural person who is a resident of California. Therefore the law will not apply to businesses or other entities that are not natural persons. More importantly, the law will not apply to people who do not reside in California, even if they purchase products and services in California or from California businesses.
An important point is that the covered personal information must be associable with a customer. “Aggregate consumer information,” defined as information about a group or category of customer from which individual consumer identities have been removed, is not personal information.
Similarly, information that has been “deidentified,” defined as information that cannot reasonably identify, relate to, describe, or be associated with a particular customer, is also not covered by the law, so long as the business meets four important conditions. These are that the business: 1) has implemented technical safeguards to prohibit reidentification; 2) has implemented policies prohibiting reidentification; 3) has implemented processes to prevent reidentification; and 4) makes no attempt to reidentify the information.
The majority of dealership customer data likely falls within the very broad definition of personal information and therefore will fall under the protection of the law. However, dealers should understand the exceptions for aggregate consumer information and deidentified information. This kind of data can be a powerful tool, particularly when used to develop marketing campaigns. It may also become more central to manufacturer data demands in the future.
What kind of data uses are restricted?
The privacy rules apply to three different types of data usage: collection of data, disclosure of data, and sale of data. It is important for dealers to know not only what type of data they are collecting, but what use they intend to put it to, as their duties under the law depend on the data usage.
Data collection is the broadest category and has the fewest rules. Collection includes:
“[B]uying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.”
Practically, this covers essentially all of the data dealerships have regarding customers, whether received directly from the customer, from making notes about the customer, or collecting from a third source. Therefore, even if customer data never leaves your dealership (which is highly unlikely) you must be concerned regarding the requirements that apply to data collection.
The next broadest data usage category is disclosure. While the term is not defined, based on its usage in the statute it appears to apply to information that is disclosed to a third-party other than the business in question. Further, as used it applies to data disclosed for a “business purpose,” defined as an operational purpose. Data disclosure is distinguished from “selling” data, so the category may best be thought of as data usage that benefits or supports the dealership’s business operations, as opposed to the business of another.
Data sales is the smallest category, but also the most restricted. It is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating … a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” Dealerships should pay special attention to the fact that the definition includes disclosure for valuable consideration, as this may be interpreted to include data disclosed to manufacturers or lenders as part of the business relationship, if not done for the dealership’s business purpose.
What does the law require?
The new law has four major prongs intended to protect consumers’ privacy while also allowing consumers to use services provided by companies that share and sell data. In general terms, businesses will need to tell customers what type of data they collect, what they disclose or sell, and what purpose they use the data for. Businesses may also be required to erase data and, in more limited circumstances, allow customers to “opt out” of certain usages.
Transparency of data collection and processing:
Businesses that collect personal data of California residents must disclose to consumers before or at the time of collection the categories of data that will be collected and what purposes the data will be used for. Businesses may not collect additional categories of data or use it for additional uses without first providing the customer with notice. In practical terms, this will be the requirement that most impacts the day to day operation of the dealership.
Customers may also make a verified request to businesses to find out what categories and specific data the business has collected. Separately, consumers may also request information regarding the source of any personal data, the types of third parties the data has been shared with, and the specific purposes for which it has been used.
Right to be forgotten:
Unless an exception applies, a business must delete the collected personal data of a California resident on request. Businesses must also direct service providers to whom data has been disclosed to delete data.
This requirement has important exceptions, mostly for data that is necessary for business operations. For example, businesses are not required to honor deletion requests if the data is necessary to: 1) complete the transaction for which the data was collected; 2) detect or protect against security incidents or illegal activity, or prosecute individuals responsible for illegal activity; 3) identify and repair errors that impair intended functionality; or 4) comply with laws and legal obligations.
Notice and opt-out:
A business cannot refuse to provide goods or services to individuals that exercise their privacy rights. However, the business can charge different prices or provide a different level of service to individuals based on their privacy selections, but only to the extent that the difference is “reasonably related to” the value provided by the individual’s data. If the business offers financial incentives for consumers to provide personal data, the business must notify individuals of the financial incentives, the consumer must expressly opt-in to the program, and the consumer must be able to opt-out at any time.
AB 375 does not create a private right of action to enforce the privacy rights discussed above. Instead, the California Attorney General has sole authority to bring enforcement actions for violations. Businesses that are found to have violated the law will first receive a notice and 30 days to cure the violation. If the business does not cure within 30 days, it may face statutory damages up to $2,500 per violation. Intentional violators may face up to an additional $7,500 in statutory damages per violation, for up to $10,000 per violation.
The 30-day cure window is an important protection for businesses as it will give them an opportunity to fix mishaps and oversights in their privacy compliance program. However, if your dealership completely fails to implement a policy and process for complying with the requirements of AB 375, your dealership likely will not be able to design and implement a compliance program within 30 days and may be held to have intentionally failed to comply with the law.
Private right of action
The law does create a private right of action for consumers for unauthorized access to nonencrypted and nonredacted personal information. It is not a strict liability law; plaintiffs will need to prove that the business failed to implement security measures that are reasonable and appropriate to the kind of personal information in question. However, consumers themselves will not need to prove that they were actually harmed by the unauthorized access. The law will also allow consumers to bring class action lawsuits.
This section of AB 375 has very little actual relation to the privacy protections discussed above. For example, personal information for the purposes of the private right of action is defined pursuant to California Civil Code § 1798.81.5(d)(1)(A), not the broad definition used in AB 375. This definition is much narrower to mean an individual’s first name or first initial and last name in combination with one of the following:
- Social Security number.
- Driver’s license number or California ID number.
- Account number, credit or debit card number, in combination with the requisite security code.
- Medical information.
- Health insurance information.
If a business is found to have failed to implement reasonable and appropriate security measures and an unauthorized access to the data occurs, plaintiffs may seek between $100–$700 per violation per consumer or actual damages, whichever is higher. California already has a breach disclosure law that requires businesses to notify consumers when there is unauthorized access to their personal information. This law effectively means that if there is a breach, those notices to consumers could be answered with lawsuits in short order.
This private right of action should be of intense concern for dealers. The typical deal file and customer record is likely to include Social Security numbers and identification numbers. What is more, the law declares that any arbitration clause is against public policy if the business attempts to use it to prevent a customer from bringing a class action. The RISC agreement will therefore be ineffective to prevent catastrophically expensive class actions if a dealership is hacked or there is some other unauthorized access and it is found liable.
Why dealerships should act now
As of the date this article is published, it is too early to tell exactly how California businesses generally, or dealerships in particular, should comply with AB 375. The language of the law leaves key issues up for interpretation, and specific requirements will be created in the future by adoption of regulations by the California Attorney General’s Office. Further, the law is likely to see some significant changes as businesses like Facebook and Google, two of the clear targets of the law, go to war to strip the provisions that threaten their core business model.
Dealerships should nonetheless start preparing to comply with the law now. First, while business interests will likely be able to smooth some of the rough edges of the law and improve certainty, there is no reason to believe that the legislature will significantly neuter most of the privacy rights the law grants. These provisions are similar to those adopted in Europe and are overwhelmingly popular with voters.
Finally, while the privacy rights contained in the law will get the bulk of the news coverage, it is the private right of action that is most likely to impact your bottom line, and there are just no quick fixes to secure the valuable data your dealership has. By some estimates, the consumer data stored at a typical dealership can have more financial value than the total combined value of vehicles for sale at the dealership. Dealerships are therefore ripe targets for hackers and other nefarious parties, and the consumer-facing nature of the business makes them vulnerable. Further, it is not just off-site hackers that should concern dealers. Unauthorized access to data can occur when a deal file is left on a desk, or an employee opens a bad file, or a disgruntled employee walks off the job with a thumb drive of consumer data. Each of these situations could give rise to a class action lawsuit that could cost a dealership five, six, or seven figures.
What should dealers do in 2018?
The first thing dealerships should do is determine whether the law is likely to apply in 2020. As discussed in detail above, most dealerships likely have $25 million in gross receipts in a year. If your dealership does not currently qualify, you should work with your experienced automotive attorney to monitor whether it will in the future and be prepared.
The second step dealerships should take right now is to identify what kind of information they store about their customers. Businesses covered by the law will need to be able to disclose to customers what kinds of data they collect, but it is also crucial to know if you keep particularly sensitive information like Social Security numbers and driver’s license numbers and in what format you keep them. Security protocols will naturally differ for paper files, PDF scans, and digitized data. In addition, unauthorized disclosure of or access to some kinds of data could lead to a class action lawsuit. Know what you have and start planning now.
The third step is to start to assess with whom the dealership shares data, to whom it discloses data, and whether it sells any consumer data, under the meaning of the law. Again, this is information the law will require businesses to disclose to customers, but understanding this is also an exercise in tightening compliance with existing privacy laws and in decreasing the risk of unauthorized access or disclosure. In particular, work with your experienced automotive attorney to start reviewing vendor contracts to protect the dealership’s interests and put indemnity agreements in place when possible.