On 1 January 2020, the California Consumer Privacy Act become law.  This is the most stringent consumer-privacy law in the US.  While many dealerships have been preparing for this new law, new proposed regulations should guide their final compliance efforts.  Even if an auto dealership is outside California, companies should review your practices to ensure your customers' privacy is protected.[1]

A dealership needs to be aware of the types of data your employees collect.  California Gov. Newsom signed several bills that modify the definitions of "personal information." Dealerships must analyze what information they collect, store and share to make sure they are within legal guidelines and remain below their compliance risk.

The California Online Privacy Protection Act already requires every entity operating a commercial website to post its privacy policy on its site for consumers. California's proposed new regulations provide details about what this policy should contain, including descriptions of the consumer's rights as to information collected, disclosed or sold; the method to request deletion of personal data; and the right to opt out of data sales and a copy of the opt-out notice.

The California law requires businesses covered by the privacy act to notify consumers at the time of collection what information they collect, what it is used for and with whom it is shared.  Businesses must also provide notices to consumers of their right to opt out of the sale of personal information.  Dealerships should look to the attorney general's regulations in drafting their notices.

In the first year of the California law, employees are not consumers for the purpose of the privacy act.  In practical terms this means that for 2020, personal information gathered from job applicants, employees and individual contractors that is collected and used solely for the purpose of the person's role in the business is not covered.  Dealers should take a proactive approach and provide notices to all job applicants, employees and contractors that personal information collected and used as part of their role in the business will be used only for that purpose.

Under the California act, businesses may be liable to customers after an incident of unauthorized access to their data, even if the customers are not injured.  The customers need only prove that the business did not take "reasonable" efforts to protect the data.  One disappointment is that the attorney general did not propose more specific guidelines as to what constitutes a "reasonable" effort.  However, every dealership should adopt certain security measures, such as improving password security by requiring passwords that are at least 12 characters and contain numbers, special characters and both upper and lowercase letters, and ban the use of real words and names; limit access to personal information to only those who need to; and pay attention to physical security, such as ensuring that deal files are never left unattended on desks and are stored in secure cabinets.

Red Sky Alliance can help protect your network through our RedXray diagnostic tool.  Call for a demo and set up a proactive approach to protecting your data.

Red Sky Alliance is located in New Boston, NH USA.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at  (888)-(RED)-(XRAY) or (888)-733-9729, or email feedback@wapacklabs.com   

Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/wapacklabs/
Twitter: https://twitter.com/wapacklabs?lang=en

[1] https://www.autonews.com/commentary/dealerships-must-safeguard-customer-data

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance