Industry Insights - Drivonic

Is Your Dealership in Compliance? CCPA Regulation Changes

Written by Drivonic Insights Team | Oct 17, 2022 7:00:00 PM

The California Consumer Protection Act (CCPA) statutes were altered earlier this year by yet another set of regulations, which were promptly put into action by Attorney General Xavier Becerra.

Dealerships can mostly continue to gather and use personal data as they have in the past, but they must be more upfront about it and be ready to address consumer inquiries about their rights. The majority of the modifications take effect on January 1, 2023, but that date can be misleading. A 12-month "look back" clause in the CPRA means that it applies to personal data that was gathered as early as January 1, 2022. Dealerships and agencies must start preparing for compliance well before the 2023 effective date. Because of these changes, you need to be in compliance as soon as possible. We’ve compiled a list of actionable items that will help you get on track and stay within the boundaries of the CCPA.

IMPORTANT NOTICE

The California legislative session ended on August 31, 2022, without extending the CCPA's exemption for employee and B2B data. The date that this exemption will end is January 1, 2023. Businesses should prepare their CCPA compliance strategy to include employee and B2B data.

Refresh the CCPA signage. 

The "Do Not Sell My Personal Information" notifications must now be posted in the locations where the dealer gathers personal information in accordance with the regulations. This disclosure links the consumer to your interactive web form where they may submit CCPA opt-out requests, so you'll want to make sure your CCPA signs are updated to incorporate it. Keep in mind that, according to the law, dealers are indeed deemed to be "selling" information.

Verify that your CCPA forms permit requests from approved agents.

The guidelines for confirming CCPA requests made by a consumer's authorized representative have been made clearer by the regulations. Numerous dealerships are utilizing CCPA forms that do not adhere to these specifications. It's critical to make sure you have a strategy in place for adhering to these standards because the identity verification criteria for authorized agents are intricate and seemingly illogical.

Include the updated opt-out icon. 

The CCPA opt-out icon is now required to have a specific layout and palette, according to the standards. The use of a cookie banner that enables users to accept or reject third-party tracking cookies, which are regarded as a "sale" of the information under the CCPA, is strongly advised for dealers who must adhere to this design. Unfortunately, the majority of dealerships employ cookie banners that do not encourage adherence to these guidelines.

Stop requesting extraneous data in opt-out requests. 

Under the CCPA, consumers may make one of four different sorts of requests, each of which has its own identity verification criteria. The new rules forbid companies from requesting information that is not required to fulfill the request, which is why opt-out requests carry the minimum threshold. Again, a lot of dealership websites do not meet these requirements since they are not designed to distinguish between the various request types. For instance, many will ask the customer for a VIN or address to fulfill an opt-out request.

Ensure that any "opt-out" links route the user to a user-friendly CCPA web form. 

Many websites merely point customers to the dealer's privacy policy when they click the "opt-out" or "do not sell" button. This is currently forbidden. Instead, the customer must be led straight to the interactive CCPA web form so they can submit the opt-out request right away.

Get your data mapping set up for the new regulations.

The first and typically most time-consuming stage in becoming CCPA compliant is data mapping. Businesses must be very clear about the personal information they are gathering, whom they are getting it from, and whom they are sharing it with during this process. When divided into two parts—personal information that comes in and personal information that goes out—this substantial effort is simpler to comprehend.
