New California bill cracks down on data access, privacy and security

April 17, 2019
NASHVILLE — Consumer privacy rights just got a lot more serious in California, with at least several other states looking to follow suit — so shop owners need to step up for the protection of their customers, their employees and their businesses as a whole.

Frank Terlep, left, and Dan Risley

Following in the footsteps of privacy laws seen in Europe and Canada, the California Consumer Privacy Act (CCPA) — or House Bill 375 — was approved in June 2018, and is set to go into effect on Jan. 1, 2020, said Frank Terlep, presenting at the Collision Industry Conference (CIC) in Nashville, Tenn., on April 17. The law mandates that consumers have three main rights: the right to know what is being collected; the right to tell a business not to sell their information; and the right to hold a business accountable to keep the consumer’s information safe.

The law expands the rights of consumers and requires businesses within the scope of personal information to be significantly more transparent on how they collect, use and disclose personal information.

Affected businesses will need to enhance their data management practices, expand their individual rights processes and update their privacy practices by the January 2020 deadline. This applies to “consumers,” which includes both the customers of a shop and the employees of those businesses, Terlep said.

All businesses worldwide must comply if they receive personal information from California residents, either directly or indirectly, and either have annual revenue that exceeds $25 million or annually receive the personal information of 50,000 or more individuals.

The bill outlines 12 areas of accountability:

  • Individual rights: access
  • Individual rights: data portability
  • Individual rights: deletion
  • Disclosures
  • Opt-out (sale of personal information)
  • Opt-in (minors)
  • Non-discrimination
  • Incentive programs
  • Updating data inventories
  • Updating privacy policies
  • Transparency
  • Training

Terlep delved into the specifics to consider for several of the areas of accountability.

Data access
Individuals may request disclosure of the specific data elements of personal information collected about them, the categories of personal information collected, the categories of sources, the purposes for collecting or selling it, and the categories of recipients with whom the personal information has been shared, he said.

Data portability
If the specific elements of personal information are provided to the requestor electronically, they must be provided in a readily transferable electronic format.

Data deletion
Individuals may request to have their personal information deleted.

Disclosures about sharing/sales
Individuals may request an accounting of the disclosures, including sale, of personal information made to third parties; this significantly expands upon the existing California “Shine the Light” law.

Non-discrimination and financial incentives
Businesses may not discriminate against consumers for opting out of the sale of their personal information. Businesses may not deny products or services or offer differential pricing or rates, unless directly related to the value of the data to the consumer. Businesses may offer and enter into fair and transparent financial incentive programs for the collection, sale and disclosure of personal information with informed consent of consumers.

The online privacy policy or other web-based notice must disclose the categories of data collected, sources from which data is collected, purposes for which the data is used, categories of third parties with whom data is shared, information about individual rights and how to exercise them, as well as the data collected, sold or disclosed within the prior 12 months.

Where applicable, a clear and conspicuous link titled “Do Not Sell My Personal Information” must be included on the business’s homepage and must link to a form where requests can be submitted. It must also include a notice of any financial incentives offered.

According to the bill, penalties range from $100-$750 per incident, Terlep said.

Changes may come
While set to go into effect in January, the bill still remains in a state of flux. California Attorney General Xavier Becerra and Senator Hannah Beth Jackson introduced legislation to strengthen and clarify the CCPA. The new additions would no longer require the Office of the Attorney General to provide businesses and private parties individual CCPA-compliance advice.

It would also remove language that previously allowed companies to cure CCPA violations before the AG brings an enforcement action, and would give consumers a private right of action to seek remedies for any violation of their CCPA rights, not just for data breaches.

Other states
Not to be outdone by California, 11 other states — including Maryland, New Jersey and Washington — have recently introduced similar legislation.

Among other things, the bills include their own versions of opt-out rights and impose new disclosure requirements that differ slightly from the CCPA’s.

Business considerations
Businesses — including repair shops, insurers, information providers and many other third-party providers in the automotive industry, among others — in California have many items they should consider adding to their compliance project plans for the remainder of the year, Terlep said.

These include:

  • Review and revise your website privacy policy to meet new data disclosure, consent and opt-out requirements;
  • Review, revise and deliver training for a new employee privacy notice that complies with the new laws;
  • Draft and roll out new processes and train key internal teams that would intake and respond to privacy inquiries and complaints;
  • Review and test incident response plans that prepare the organization to respond effectively;
  • Be aware of, and have documented, all entities with whom you trade electronic data;
  • Review and potentially revise any previously agreed EULAs/Terms and conditions that do not comply with new requirements; and
  • Review and roll out master service agreements with restrictions for data use by service providers that are required under the new state laws.

During the July CIC meeting in Indianapolis, there are plans for a meeting on personally identifiable information (PII), what it is and what to do about it, Terlep said.
