CCPA and vendors

What you need to know

Published on

Contributors

Many automotive vendors rely on accessing automotive dealers’ customer data to provide services as varied as lead generation, vehicle tracking, and customer service. Under the CCPA, dealers may be held liable if any vendor misuses customer data or experiences a data breach. Each vendor that uses your customer data therefore has the potential to steeply increase your potential liability, particularly in light of the fact that you cannot directly control the vendor’s data use or data security practices.

The good news is that the CCPA includes a narrow safe harbor provision that allows businesses such as dealers to include contract provisions that eliminate liability if a dealer misuses customers’ data. For this reason every dealer needs to work with their vendors that accesses customer data to include CCPA safe harbor elements in their operative agreement. In addition, every dealer should take this opportunity to further protect their business by also including terms related to data security and indemnification if there is a data breach.

When you work with your vendor to include these new provisions, you can do it in two ways: (1) if it is a new vendor relationship, you can build the necessary elements into your contract; or (2) if you have an existing vendor relationship, you can update your agreement with an amendment or addendum (of course, such updates need to be agreed to and signed by both parties).

The new contract or addendum must include specific provisions to eliminate liability for vendor use of data under the CCPA. The applicable contract requirements come from the combination of the definitions of “service provider,” “third party,” “sell,” and “business purpose.” To be a “service provider” (Cal. Civ. Code § 1798.140(v)), the entity must process personal information on behalf of a business for a business purpose pursuant to a written contract, and the contract must prohibit the entity from retaining, using, or disclosing it for a purpose other than the business purpose(s) specified by the business. “Business purpose” (§ 1798.140(d)) means “the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes.” The definition of “sell” (§ 1798.140(t)) reinforces the definition of service provider because it states that in order to be a service provider, the service provider must not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.

The written contract or addendum should:

  1. Include a certification made by the vendor receiving the customer information that the vendor understands and will comply with them.
  2. Prohibit the vendor from (1) selling the personal information; or (2) retaining, using, or disclosing the customer information: for any purpose other than for the specific purpose(s) of performing the services specified in the contract, outside of the direct business relationship between vendor and the business, or as otherwise permitted by the CCPA.
  3. Instruct the vendor not to further collect, sell, or use the information of the customer (that is disclosed to it by the business) except as necessary to perform the business purpose.

Dealers that do not have strong data protection terms in their vendor contracts should also include terms addressing data security. These terms should require that the vendor will store and transfer data using reasonable security measures, as that term is understood under the CCPA. In addition, the contract or addendum should make clear that the vendor will defend and indemnify the dealer if there is a claim or enforcement action related to the vendor’s use of customer data or in the event of a breach of customer data.

While the CCPA presents new areas of potential liability that dealers need to be wary of, this is one area where action taken now can limit liability in the future. Contact Scali Rasmussen at today to find out how we can help you to be prepared for the CCPA.