Understanding the CCPA, part 5

What does the law require?

Published on

The California Consumer Privacy Act has four major prongs intended to protect consumer’s privacy while also allowing consumers to use services provided by companies that share and sell data. In general terms, businesses will need to tell customers what type of data they collect, what they disclose or sell, and what purpose they use the data for. Businesses may also be required to erase data and, in more limited circumstances, allow customers to “opt out” of certain usages.

Transparency of Data Collection and Processing: Businesses that collect personal data of California residents must disclose to consumers, before or at the time of collection, both what categories of data they will collect and what purposes the business will use the data for. Businesses may not collect additional categories of data or use it for additional uses without first providing the customer with notice. In practical terms, this will be the requirement that most affects the day-to-day operation of the dealership.

Customers may also make a verified request to businesses to find out what categories and specific data the business has collected.[1] Separately consumers may also request information regarding the source of any personal data, the types of third parties the business shared the data with, and the specific purposes for which the business used it.[2]

Finally, businesses that have online privacy policies must include in those policies the categories of data collected, the categories of personal data sold in the last 12 months, and the categories of data disclosed in the last 12 months. The privacy policy must also include a description of how consumers may request information about their specific information, as well as how to delete stored consumer data or opt out of data sales.[3]

Right to be Forgotten: Unless an exception applies, a business must delete the collected personal data of a California resident on request. Businesses must also direct service providers who have the resident’s data to delete the data.

This requirement has important exceptions, mostly for data that is necessary for business operations. For example, businesses are not required to honor deletion requests if the data is necessary to: 1) complete the transaction for which the data was collected; 2) detect or protect against security incidents or illegal activity, or prosecute individuals responsible for illegal activity; 3) identify and repair errors that impair intended functionality; or 4) comply with laws and legal obligations. For dealers this will narrow the scope of this consumer right, as dealers must maintain and share a good amount of consumer data for legal compliance purposes. Be sure it work with an attorney who knows both the new law and dealer’s state and federal compliance obligations to develop a policy in this area.

Notice and Opt-Out: Consumers have the right to request that businesses that sell personal data of the California resident stop selling such data to a third-party. This section is referred to as the right to opt-out. Businesses must provide notice directly to any customer prior to selling data. They must also give notice to consumers regarding how they may make that request in their privacy policy. This right only applies to information that falls under the “sales” category. Dealerships must therefore be aware of what types of data fall into this category.

“Freemium” Limits: A business cannot refuse to provide goods or services to individuals that exercise their privacy rights. However, the business can charge different prices or provide a different level of service to individuals based on their privacy selections, but only to the extent that the difference is “reasonably related to” the value provided by the individual’s data. If the business offers financial incentives for consumers to provide personal data, the business must notify individuals of the financial incentives, the consumer must expressly opt-in to the program, and the consumer must be able to opt-out at any time.

Important Auto Dealer Exceptions: While these requirements are intimidating, auto dealers should know that there are important exceptions to these rules. First, the CCPA explicitly carves out data collected, used, stored, disclosed or even sold in compliance with the requirements of the Gramm-Leach-Bliley Act.[4] While dealers should review their GLB compliance as they prepare to comply with the CCPA, the regular flow of data under the law may continue. Second, data that is reported to a consumer credit agency under the Fair Credit Report Act is not covered by the CCPA.[5] Dealers may therefore continue to accurately report and receive information from credit agencies. Finally, AB 1146, which is widely expected to be signed into law, will carve out information that is collected for the purpose of effectuating a vehicle recall or warranty repair. As a result, dealers will likely be able to store and disclose vehicle information to manufacturers for the purpose of effectuating vehicle repairs for warranty and recall purposes.


[1] 1798.100.

[2] 1798.110(a).

[3] 1798.130(e).

[4] 1798.145(e)

[5] 1798.145(d)