In June of 2018, on the last day to qualify ballot measures for the 2018 ballot, California adopted AB 375, the strongest privacy law in the nation. The new law is modeled somewhat on the European Union General Data Protection Regulation (GDPR), which famously purports to give customers the “right to be forgotten,” and gives consumers several new rights, aiming to bring more control and transparency to the murky trade and use of people’s personal data. It also, for the first time, provides consumers with the ability to sue companies that mishandle their data without ever having to prove harm due to the misuse.

The large tech companies like Google and Facebook are the obvious targets of AB 375, but its requirements will apply equally to the majority of car dealerships, as they hold a treasure trove of customer data. When the bill goes into effect on January 1, 2020, customers will be able to find out what type of data is stored about them, request that businesses erase data stored about them, and, for businesses that “sell” customer data, as defined, “opt out” of having their data sold. The Act’s overbroad definitions, which include receiving something of benefit in the definition of “sell,” as well as the vague scope of some of its exceptions, are likely to be the subject of fierce lobbying in the next 18 months. As of now, the scope of these exceptions is unclear, leaving the possibility that even showroom videotape surveillance and GPS device location data, depending on how it is stored and what it identifies, may be included within the Act’s scope, triggering further requirements.

In keeping with America’s litigious tradition, the law also creates a private right of action that allows customers to sue over unauthorized access to personal information. Customers need not show actual damage from the access and instead can just seek statutory penalties. In addition, companies may not use arbitration clauses in agreements with customers to force the customer into arbitration. And finally, California businesses are required to inform customers of data breaches; with this law in place, if a single customer who is notified about a breach decides to sue, dealers could face tens or even hundreds of thousands of dollars in statutory penalties. If attempts to amend the law to delete this provision fail, we predict this will trigger a new wave of consumer class actions against businesses that handle consumer data, including dealerships.

