The good news is there is no need to panic – yet. The law’s requirements are effective January 1, 2020, giving California businesses nearly 9 months to prepare. Further, due to the hasty nature of the legislative process, there is every reason to think business groups will mount a counteroffensive in the 2019 legislative session to round some of the law’s sharp edges.

In the meantime, now is the time to work with your attorney to figure out a compliance plan. Dealers that have strong data security, good compliance with Gramm-Leach-Bliley, and consistent adherence to internal privacy policies will find that compliance with AB 375, no matter what form it takes in the end, will be much easier. Those that do not may be in for a bumpy ride – and potentially devastating litigation.

What Does the Law Require?

The new law has four major prongs intended to protect consumer’s privacy while also allowing consumers to use services provided by companies that share and sell data. In general terms, businesses will need to tell customers what type of data they collect about the customer, what they disclose or sell, and what purpose they use the data for. Businesses may also be required to erase data and, in more limited circumstances, allow customers to “opt out” of certain usages.

Customers may also make a verified request to businesses to find out what categories and specific data the business has collected. Separately consumers may also request information regarding the source of any personal data, the types of third parties the business shared the data with, and the specific purposes for which the business used it.

Finally, businesses that have online privacy policies must include in those policies the categories of data collected, the categories of personal data sold in the last 12 months, and the categories of data disclosed in the last 12 months. The privacy policy must also include a description of how consumers may request information about their specific information, as well as how to delete stored consumer data or opt out of data sales.

Why Dealerships Should Act Now

It is still too early to tell exactly how California businesses generally, or dealerships in particular, should comply with AB 375. The language of the law leaves key issues up for interpretation, and the California Attorney General’s Office will be adopting regulations to implement the law in the future. Further, the California legislature is currently considering a number of bills that propose changes to the law.

For reprint and licensing requests for this article, CLICK HERE.