Growing consumer demand for increased privacy has spurred lawmakers in several states to pass tougher laws similar in tone to the European General Data Protection Regulation (GDPR).
If your state is among them, these laws have a significant impact on how dealerships may collect, store and share personal customer data.
Recent legislation includes:
- California Consumer Privacy Act (CCPA). This takes effect Jan 1, 2020.
- Washington Privacy Act. As of March 2019, this law has passed in the State Senate and moved to the State House. If passed, it will take effect in December 2020.
- Updated data-breach notification laws, also known as 2.0 Laws. As of March, states that have imposed greater data security standards include Alabama, Louisiana, Colorado, Nebraska, Massachusetts and Ohio.
If your state is not among those listed, just wait. Similar state laws will soon follow. It’s up to business owners to keep abreast and be proactive about staying compliant. The requirements to stay in compliance vary quite a bit, depending on the state and the law.
The CCPA applies not only to dealerships in California, but also to outside third parties. This means automakers, dealership management software (DMS) vendors, CRM providers, marketers and any other entity with which dealers share their customers’ personal information must also comply.
In a nutshell, the CCPA requires businesses to take “reasonable measures” to protect consumer data such as names, addresses, social security numbers, bank account numbers, credit card numbers and credit scores.
The act uses the word “consumer” rather than the more narrowly defined “customer.” That means the same protections must be afforded to every person in a dealership database regardless of whether they were ever a customer.
The California Attorney General has defined reasonable measures as compliance with the 20 controls established by the Center for Internet Security. For most dealers, this will require upgrades to software, hardware and data security equipment.
As examples, here are short summaries of five of the 20 controls that California dealerships and their third-party vendors will be required to implement:
- Actively manage all hardware devices on the network so that only authorized devices are given access.
- Actively manage all software on the network so that only authorized software is installed and unmanaged software installation is prevented.
- Securely configure hardware and software on mobile devices, laptops, workstations and servers.
- Maintain, monitor and analyze audit logs.
- Train employees in security awareness.
The Washington Privacy Act is similar to the CCPA, with language that closely resembles the European GDPR.
Both acts give more rights to consumers related to how a business may collect and use their information. Once the laws take effect, upon a request from a consumer, dealers will be required to:
- Correct inaccurate consumer data.
- Delete personal consumer data unless it’s necessary to do business, as well as delete all of their data from the databases of third parties possessing shared information.
- Restrict processing or sharing of information if the consumer objects to its use for reasons not related to the purpose for which it was collected, such as direct marketing.
- Allow consumers to easily opt out of having their personal information sold to a third party.
You’ll also be required to proactively provide full disclosure to consumers about what their data is used for, who it is shared with and for what purpose, at the time said data is collected.
Businesses will also be required to post a “Do Not Sell My Personal Information” link on the home page of their websites.
Violation of these acts will result in a fine of $2,500 per violation, or $7,500 per intentional violation. These laws also open dealerships to potential litigation from consumers if it is discovered that the dealer did not “implement and maintain reasonable security procedures and practices.”
The updated data-breach notification laws (2.0 Laws) aren’t quite as comprehensive as the Washington and California Privacy Acts, and vary from state to state.
However, the requirements will force dealerships to be more proactive about securing customer data. For example, Alabama’s law lists the following requirements:
- Designate an employee (e.g., a security officer) to coordinate anti-breach protection.
- Conduct a risk assessment to identify internal and external risks of a breach.
- Implement appropriate information safeguards to address identified breach risks.
- Use third-party service providers to maintain appropriate safeguards.
- Monitor and audit security measures, adjusting and accounting for changes in circumstances.
- Keep management (including boards of directors, if any) informed about the overall status of security measures.
In coming years, compliance with new consumer privacy and data security laws will likely become a top priority for dealerships. This will require dealer principals and senior management to become informed, know the legal requirements and explore cost-effective ways to stay compliant.
Erik Nachbahr is president and founder of Helion Technologies, a dealership information-technology provider.