In June of 2018, on the last day to qualify ballot measures for the 2018 ballot, California adopted AB 375, the strongest privacy law in the nation. The new law is modeled somewhat on the European Union General Data Protection Regulation (GDPR), which famously purports to give customers the “right to be forgotten,” and gives consumers several new rights, aiming to bring more control and transparency to the murky trade and use of people’s personal data. It also, for the first time, provides consumers with the ability to sue companies that mishandle their data without ever having to prove harm due to the misuse.

The large tech companies like Google and Facebook are the obvious targets of AB 375, but its requirements will apply equally to the majority of car dealerships, as they hold a treasure trove of customer data. When the bill goes into effect on January 1, 2020, customers will be able to find out what type of data is stored about them, request that businesses erase data stored about them, and, for businesses that “sell” customer data, as defined, “opt out” of having their data sold. The Act’s overbroad definitions, which include receiving something of benefit in the definition of “sell,” as well as the vague scope of some of its exceptions, are likely to be the subject of fierce lobbying in the next 18 months. As of now, the scope of these exceptions is unclear, leaving the possibility that even showroom videotape surveillance and GPS device location data—depending on how it is stored and what it identifies—may be included within the Act’s scope, triggering further requirements.

In keeping with America’s litigious tradition, the law also creates a private right of action that allows customers to sue over unauthorized access to personal information. Customers need not show actual damage from the access and instead can just seek statutory penalties. In addition, companies may not use arbitration clauses in agreements with customers to force the customer into arbitration. And finally, California businesses are required to inform customers of data breaches; with this law in place, if a single customer who is notified about a breach decides to sue, dealers could face tens or even hundreds of thousands of dollars in statutory penalties. If attempts to amend the law to delete this provision fail, we predict this will trigger a new wave of consumer class actions against businesses that handle consumer data, including dealerships.

The good news is there is no need to panic – yet. The law’s requirements are effective January 1, 2020, giving California businesses nearly 9 months to prepare. Further, due to the hasty nature of the legislative process, there is every reason to think business groups will mount a counteroffensive in the 2019 legislative session to round some of the law’s sharp edges.

In the meantime, now is the time to work with your attorney to figure out a compliance plan. Dealers that have strong data security, good compliance with Gramm-Leach-Bliley, and consistent adherence to internal privacy policies will find that compliance with AB 375, no matter what form it takes in the end, will be much easier. Those that do not may be in for a bumpy ride – and potentially devastating litigation.

What Does the Law Require?

The new law has four major prongs intended to protect consumers’ privacy while also allowing consumers to use services provided by companies that share and sell data. In general terms, businesses will need to tell customers what type of data they collect about the customer, what they disclose or sell, and what purpose they use the data for. Businesses may also be required to erase data and, in more limited circumstances, allow customers to “opt out” of certain usages.

Customers may also make a verified request to businesses to find out what categories and specific data the business has collected. Separately, consumers may also request information regarding the source of any personal data, the types of third parties the business shared the data with, and the specific purposes for which the business used it.

Finally, businesses that have online privacy policies must include in those policies the categories of data collected, the categories of personal data sold in the last 12 months, and the categories of data disclosed in the last 12 months. The privacy policy must also include a description of how consumers may request information about their specific information, as well as how to delete stored consumer data or opt out of data sales.

Why Dealerships Should Act Now

It is still too early to tell exactly how California businesses generally, or dealerships in particular, should comply with AB 375. The language of the law leaves key issues up for interpretation, and the California Attorney General’s Office will be adopting regulations to implement the law in the future. Further, the California legislature is currently considering a number of bills that propose changes to the law.

Dealerships should nonetheless start preparing to comply with the law now. First, while business interests will likely be able to smooth some of the rough edges of the law and improve certainty through legislation, there is no reason to believe that the legislature will significantly neuter most of the privacy rights the law grants. These provisions are similar to those adopted in Europe and are overwhelmingly popular with voters.

Second, federal and state laws already impose privacy and data security duties on dealerships to protect consumer data. Starting in 2020, the stakes for compliance with these laws already in force and effect will just get higher. Designing and implementing a privacy policy and process takes time and effort at any dealership. Now is the time to ensure that your dealership complies with laws like Gramm-Leach-Bliley and the Red Flags rules, and has a specific and actionable policy and processes in place to protect consumer data and control how third parties use it.

Finally, while the privacy rights contained in the law will get the bulk of the news coverage, it is the private right of action that is most likely to affect your bottom line, and there are just no quick fixes to secure the valuable data your dealership has. By some estimates, the consumer data stored at a typical dealership can have more financial value than all of the vehicles for sale at the dealership. Dealerships are therefore ripe targets for hackers and other nefarious parties, and the consumer-facing nature of the business makes them vulnerable.

And it is not just off-site hackers that should concern dealers. Unauthorized access to data can occur when an employee leaves a deal file on a desk, or an employee opens a bad file attached to an email, or a disgruntled employee walks off the job with a thumb drive of consumer data. Each of these situations could give rise to a class action lawsuit that could cost a dealership five, six, or seven figures.

Dealerships should work with their experienced automotive attorney to update their privacy policies and security protocols. Nearly every dealership in California has a privacy policy, and while several laws require periodic review and updates, too many policies look exactly the same as when they were pulled from a model policy, both out of date and untailored to the particular dealership. The dealership’s website must have a link to the privacy policy. An outdated, generic policy will be a red flag for any intrepid potential plaintiff. With overlapping legal requirements and a target on their backs, now is the time for dealerships to prepare.

Christian Scali is Founder and Managing Partner of The Scali Law Firm and Monica Baumann is a Senior Associate with the firm. Recognized as California’s top boutique automotive law firm, The Scali Law Firm’s clients range from small, family-owned businesses to publicly held global companies and high net worth individuals. Its team of attorneys has decades of experience in a number of practice areas, with a high degree of specialization in serving the auto dealer industry. To learn more, visit scalilaw.com.
