1 30 Table of Contents 32 36

Pub. 3 2021-2022 Issue 2

31 Meaning of “Opt-Out” Under the CCPA Whether the authors of the CCPA did this on purpose to confuse us is up to debate, but what we do know is … it’s confusing. To understand what an “opt-out” is under the CCPA, we need to know what “selling” means under the CCPA. “Sale,” “selling,” or “sold” means the selling, transferring or sharing of a consumer’s personal information (PI) by the business to another business or third party for monetary or other valuable consideration. By redefining what we generally understand as a sale associated with money (the authors could have probably easily defined the term “share” or “sharing” instead), dealers are most likely selling a consumer’s PI without even knowing it. For example, when a dealer works with third-party marketing or advertising agencies. Dealers give these agencies the consumer’s PI in exchange for the valuable services that they provide to the dealer, such as mailers, email campaigns and the like. In an opt-out request under the CCPA, the consumer is directing a business, which currently sells the consumer’s PI to stop selling their PI in the future. What is an “Opt-Out” Request under the CCPA? Let’s say there are two categories of vendors in an opt-out request: the “Sources” and their “Third Parties.” Sources are vendors who store all of the customer’s personal information on your behalf (think DMS and CRM), and for purposes of this analogy, let’s make these Source vendors “faucets.” When turned on, the water that flows from these faucets is the consumer’s PI. Third Parties are those vendors who tap into the source vendor’s database to receive the PI to use on behalf of the dealer. To continue our analogy, let’s make these Third-Party vendors “flowers.” The faucets pour water on these flowers and you, the gardener, allow this to happen. The dealer is allowing the Source vendors to push consumer PI to these Third Parties. In an opt-out request, the consumer asks the dealer to prevent the future sharing or transfer of the consumer’s PI. Put another way, the consumer is asking you to turn off the water to prevent the water from flowing from the faucet to the flowers. Some CRMs and Dealer Management Systems (DMS) have been fulfilling these requests correctly. “John Smith” sent an opt-out request to your dealership? Great — log in to your CRM or DMS portal, enter John Smith’s name and any other identifying information, check a “do not share” or “opt-out” box, and no longer will John Smith’s PI be shared with any third parties in subsequent data pulls/ pushes or API integrations. This is a relatively easy fix, in my opinion, because plenty of vendors have done this. ComplyAuto has successfully convinced multiple large DMS and CRM systems to begin implementing changes to fulfill an opt-out request in this fashion. By redefining what we generally understand as a sale associated with money (the authors could have probably easilydefined the term “share” or “sharing” instead), dealers are most likely selling a consumer’s PI without even knowing it. For example, when a dealer works with third-party marketing or advertising agencies. Dealers give these agencies the consumer’s PI in exchange for the valuable services that they provide to the dealer, such as mailers, email campaigns and the like.

RkJQdWJsaXNoZXIy ODQxMjUw