The California Consumer Privacy Act applies to “personal information” of a consumer, broadly defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Data covered includes, but is not limited to, traditional identifiers like name, postal address, email address, driver’s license numbers, and social security numbers. It also personal characteristics such as age, race, or national origin; commercial information such as records of purchases of goods or services; biometric data; Internet or other electronic network activity; geolocation data; professional or employment-related data; and education information. However, “publicly available information,” defined as information lawfully made available from federal, state or local government records.

Big tech companies are the clear target of the California Consumer Privacy Act, but its reach is much wider than just Silicon Valley. The threshold question, therefore, for each business looking at CCPA compliance, including auto dealerships, is whether the law applies to them. Not all businesses are covered by the CCPA; understanding whether your is will be key.

On October 10, 2019, California Attorney General Xavier Becerra released proposed regulations to implement the California Consumer Privacy Act. These regulations focus on one aspect of the CCPA, the consumer’s new rights under the law, and give businesses guidance on how to effectuate these rights and comply with the law. This now triggers the process of public comment and finalization of the rule, which will extend into 2020.

In June of 2018, on the last day to qualify ballot measures for the 2018 ballot, California adopted AB 375, the strongest privacy law in the nation. The new law is modeled somewhat on the European Union General Data Protection Regulation (GDPR), which famously purports to give customers the “right to be forgotten,” and gives consumers several new rights, aiming to bring more control and transparency to the murky trade and use of people's personal data. It also, for the first time, provides consumers with the ability to sue companies that mishandle their data without ever having to prove harm due to the misuse.

The type of biometric privacy lawsuit filed last month against a Hilton Hotel in Chicago is a harbinger of privacy litigation to come—but a very similar case is not likely to come soon to California, where the recently minted California Consumer Protection Act (CCPA) excludes employees like the plaintiff against Hilton.

In recent weeks two data breaches have made headlines across the country, once again drawing attention to the need for businesses to take steps to safeguard customer data. Dealers have a legal obligation to safeguard their customer’s information under both federal and state law, in most jurisdictions. These breaches may also increase the salience of data security issues for customers, meaning that your customers may start to ask questions about how you will protect their data and demand good answers. With the legal obligations aligning with customer expectations, now is the time more than ever to act.

The California Consumer Privacy Act (CCPA), which was enacted in June of 2018 and will go into effect on January 1, 2020, is likely to undergo additional changes as the California Legislature enters the final stretch of the legislative year. We have previously updated you on legislation supported by the California Attorney General that would expand the scope of the law and increase consumer’s opportunities for consumers to bring lawsuits for alleged violations of the law. The good news is that the worst aspects of these proposed changes were defeated in committee and will not be enacted this year. The bad news is that some of the more important proposed business-friendly protections have been narrowed.