Pub. 3 2021-2022 Issue 2

The Wrong Way to Fulfill an Opt-Out Request

Some popular CRMs are directing dealerships to completely delete a customer or provide functionality in their software that deletes a customer. This is problematic — and may expose your dealership to significant legal liability under other state and federal laws. Note that this is an opt-out request and NOT a deletion request. Remember, the consumer is asking the gardener to shut off the water. It doesn’t matter that the faucet still has water nor that the flowers have wet soil (because this is not a deletion request). Rather, the gardener needs to concern himself only with turning the water off, and the Source vendors must put in place a mechanism to prevent the future selling or sharing of the consumer’s PI.

Concerns that Arise When Opt-Out Requests are Fulfilled Incorrectly

The CRMs believe that deleting the information is sufficient to fulfill an opt-out request (after all, how do you share or transfer information that you don’t have?), but this “using a hammer to kill ants” approach presents far more issues than it resolves:

1. Record Retention Issues

As you know, there are many record retention laws in California that span a wide range: from the comprehensive deal jacket to the simple repair order. The dealer may run afoul of record retention laws by deleting the customer’s information, depending on what information was deleted. The CRM holds a host of data, including email/text communications, customer/salesperson notes, and other data relevant in the context of record retention rules, litigation holds or defending against potential fraud and litigation. The dealer cannot simply delete this data because this is not a deletion request. Furthermore, the CCPA has specific exemptions to protect against deleting customer information in deletion requests. Conflating the opt-out and deletion requests in this manner creates a host of legal issues.

2. Potential CCPA Violations

In the short term, deleting customer PI would prevent the future sharing or transfer of the customer’s PI. However, what if the person gets put back into the CRM by submitting another lead to the dealer? Because there is no signal to opt out — and usually no way for the dealership to track this in the CRM — the dealer would violate the CCPA once they share/transfer this customer’s PI after they are put back into the CRM. Contrary to popular belief, simply interacting with the dealer is not enough to constitute the customer’s intent to opt back into the sale or sharing of customer information. What’s even more damaging, in our opinion, is that these CRMs are specifically instructing dealers that this is how you would opt a customer out under the CCPA, which is not accurate.

What Do I Do?

Contact your DMS or CRM and verify whether they have a mechanism in place to adequately fulfill opt-out requests. Rather than just the functionality, ask them specifically what is being done with the customer’s PI: Is the customer merely being flagged to prevent the selling or sharing of their PI? Or are they being completely deleted from the database? If enough dealerships bring this issue to their attention, they would be more apt to make significant changes to the way they are fulfilling these requests for their California clients.

ComplyAuto: A Purpose-built Solution for your Auto Group or Single-Point Dealership

Looking for a full suite of privacy compliance tools for your dealerships? Backed by decades of dealer and legal automotive experience, ComplyAuto offers a full solution for dealers to comply with privacy laws like the CCPA. We stand by our solution and offer each of our clients our ComplyAuto Compliance Guarantee, which states that we’ll pay for any state-enforced penalties while you’re using our software. Restrictions apply. For more information, please go to complyauto.com/compliance-guarantee/.

Our goal is to take CCPA compliance out of your hands so your staff can go back to what matters, which is selling cars. Please visit our website to learn more about our suite of tools.
