Pub. 8 2019-2020 Issue 1

SUMMER 2019 11 the purchaser to enter their personal information, including financial information, in an online or paper form. A customer cannot lease or test drive a vehicle without also disclosing sensitive information to the dealership. Dealerships then share their customers’ personal information with automakers, marketers, lenders, dealership management software vendors, and CRM vendors. Along with that, dealerships will provide personal data to the original equipment manufacturer for safety or service purposes. A significant consequence of the act is that these third parties, many of which are located outside of California, must comply to the same extent as the in-state dealership that provides the personally identifying information. Dealerships are anticipated to be targets of CCPA enforcement actions due to this high volume of data collection and exchange. A primary concern for dealerships is that the CCPA provides consumers with the right to sue if there is any breach of their personal information, even if the consumer cannot showmeasurable damage. Each incident can cost the dealership up to $750. However, the cost to the dealership could be devastating if, for instance, a significant data breach occurred and the claims were combined into a class action. What Should Your Dealership do Now? Dealerships should not wait until the CCPA’s effective date to rework some of their data collection and management practices. The law’s impact on how dealerships and third parties must handle the per- sonal information of consumers is so substantial that it will require dealerships to be proactive and stay ahead of the quickly approaching deadline. Some experts even warn that preparing for the law could take several months. 1. A Data Map is the Key Ingredient to Compliance The greatest priority for dealerships is to create a data map that contains a register of where each piece of data is obtained and all locations that it is sent to. This is not a simple task. Many dealerships do not know where each piece of customer data goes and how it is used. On top of that, the third parties that the dealership works with may pass the data to other third parties, who the dealership has no interaction with. Dealerships will not be able to comply with the requirements of the CCPA if they first do not know the origin of the data and where it is going. The dealership’s data access and sharing must be carefully managed so that when a consumer asks to know what information is being collected and what third party is obtaining that information, it can be immediately identified. 2. Make Sure Vendors Are on Board and Informed Compliance with the CCPA requires coordination between the dealership and all affiliated third parties. A smoother transition is more likely for those dealerships who closely work with their vendors on data tracking and informationmanagement. All dealerships should thoroughly review their contracts with vendors and confirm that the vendors are notified of the legislation’s requirements. Dealerships also need to touch base with their website providers to include an “opt out” button for customers to easily opt out of having their personal information sold to a third party. When an opt out request is received, the vendor is to stop all use of the customer’s personal information. A plan should be created so that when the dealership receives a request to delete or transport the consumer’s data, the vendor can also quickly identify the data and respond. Again, active management of the way that data is logged and shared will allow dealerships and vendors to handle these requests from consumers. 3. The Best Offense Is a Strong Defense The CCPA will require dealerships to implement an extensive cyberse- curity program that protects hardware and software on mobile devices, laptops, workstations, and servers. Amultilayered defense should secure all points of entry into network devices and data inventory. Security processes and tools that automatically detect, log, and mitigate attacks are themost effective in case an incident occurs. Dealerships and vendors can implement port scans, filters, and firewalls to prevent, detect, and correct any vulnerabilities. Along with that, dealerships must be aware of how at-risk email and web browsers are. These platforms provide opportunities for hackers to interact with your employees and manipulate them into releasing information. Employees also often access email remotely from their smart phone and wireless networks, which are sensitive grounds for attack. Employees today regularly plug in and connect to their job away from the office workstation. Security measures must be configured so that data is continuously protected when the employee accesses email or client information from a mobile device. Dealerships will want to train employees in security awareness and notify them whenever there is a potential threat. Many employees are not familiar with data management or cybersecurity, so an effective compliance strategy will involve explaining the new or updated systems to employees. How Can Dealerships Prepare for Any Changes to the Law Before January, 2020? The CCPA’s effective date of January 1, 2020 means that amendments to the law may be enacted in the upcoming months. On top of that, although enforcement of the law will begin on January 1, 2020, the California Attorney General has until July 1, 2020, to interpret it and draft a set of rules. These rules and any amendment to the CCPA will provide additional guidance on how to comply with the legislation. Dealerships and vendors will want to stay on top of these changes by signing up to receive updates when any new regulation or amendment is released. Dealerships should begin consulting with their own lawyers, general counsel, and compliance officers to create an ongoing and effective compliance management strategy. However, many businesses are waiting to update their privacy policies until any further amendments and the Attorney General’s regulations are released. While dealerships and vendors can begin updating their data collection and management practices now, their compliance team may recommend waiting for additional guidance from the Attorney General before finalizing privacy policy changes. Despite the possibility of amendments to the CCPA, dealerships and auto companies should take proactive steps now to make sure that they are prepared for the major overhaul to California’s privacy framework. Compliance is bound to require major tweaks and comprehensive security updates for many businesses, especially when considering the penalties and fines involved. Dealers can look to resources, such as the California New Car Dealers Association, for further education on how to comply with the CCPA and for information about any changes to the law.