Pub. 9 2020-2021 Issue 2

20 San Diego Dealer NEW CCPA REGULATIONS ALREADY WENT INTO EFFECT. ARE YOU COVERED? By Chris Cleveland, ComplyAuto E arlier this year, Attorney General Xavier Becerra announced another set of regulations that changed the laws under the California Consumer Protection Act (CCPA), which went into effect immediately. (A copy of the modified regulations can be found online at https://oag.ca.gov/news/press-releases/ attorney-general-becerra-announces-approval-additional- regulations-empower-data). The following is a high-level overview of what you will need to do: 1. Update CCPA signage. The regulations now require that the “Do Not Sell My Personal Information” disclosures be posted in the areas where the dealer collects personal information. Therefore, you will want to ensure you update your CCPA signs to include this disclosure that links the consumer to your interactive web form for submitting CCPA opt-out requests. Remember, dealers are indeed deemed to be “selling” information as that term is broadly defined under the law. 2. Ensure your CCPA forms allow for authorized agents requests. The regulations have clarified the requirements for verifying CCPA requests submitted by a consumer’s authorized agent. Many dealerships are using CCPA forms that do not comply with these requirements. The identity verification requirements for authorized agents are complex and somewhat counterintuitive, so it is important to ensure you have a process set up for complying with these regulations. 3. Add the new opt-out icon. The regulations now specify a particular design and colors for the CCPA opt-out icon (see below). It is highly recommended that dealers conform to this design and use a cookie banner that allows users to accept or decline third-party tracking cookies, which are considered a “sale” of information under the CCPA. Unfortunately, most dealerships are using cookie banners that do not support compliance with these rules. 4. Stop requiring unnecessary information for opt-out requests. There are four different types of requests a consumer can submit under the CCPA, and each has its unique identity verification requirements. The standard is the lowest for opt-out requests, and the new regulations prohibit businesses from asking for unnecessary information to process the request. Again, many dealership web forms do not comply with these requirements because they are not set up to differentiate between the different types of requests. For example, many will require the customer to enter a VIN or address to process an opt-out request. 5. Ensure all “opt-out” links take the consumer directly to an interactive CCPA web form. After clicking on the “opt-out” or “do not sell” button, many websites direct the consumer to the dealer’s privacy policy. This is now prohibited. Instead, the consumer must be taken directly to the interactive CCPA web form where they can immediately submit the opt-out request. Don’t Have a Sign Yet? If you do not have a sign that correctly provides a “notice at collection” to consumers who enter your dealership or service department, you can visit complyauto.com to view a sample. ComplyAuto LLC is a RegTech company offering cloud-based software that helps dealerships enhance their compliance capabilities while becoming more efficient and cost-effective. ComplyAuto uses data analytics and AI to provide real-time automated compliance decisions, performing tasks that would normally require manually- intensive processes and human intelligence.