You probably don’t need that pop-up

Why personalized CCPA compliance makes business sense

Published on


Today California’s groundbreaking consumer privacy law, known as the CCPA, is in full effect and the implementing regulations are nearly finalized. Now is therefore a good time to take a step back and consider whether your dealership is complying with the law in a way that makes good business sense.

Many dealers across the state have chosen to rely on their DMS or website vendors to provide their CCPA compliance. While these vendor efforts are certainly well-intended, they tend to fall short in several crucial areas of customer experience and legal compliance, for the same reasons: these approaches are not tailored to the individual dealerships they serve. Your store may be able to fly under the radar with a one-size-fits-all approach for a time, but the business case for personalizing your compliance is strong.

Improved customer experience

The most glaring example is the sudden prevalence of privacy policy pop-ups on dealership websites across the state. The CCPA does not require these pop-ups, there are other ways to provide compliant notices to customers, and your dealership website probably does not need them. Vendors elect to use the pop-ups largely because they are effective compliance for the lowest-common-denominator.

A less obvious example is on the back end. One of our clients found that CCPA requests sometimes came from unhappy customers and designed a response system that focused on the customer service aspect of the law. They have successfully combined legal compliance with customer relations and been able to improve relationships with customers.

A tailored CCPA compliance program will help you comply with the law while still providing a good experience to customers on your websites and in-stores. Instead of adopting the most conservative approach by default, tailoring it allows your manage legal risk and serve customers.

Limit legal risk

Another glaring issue with relying solely on vendors to comply with the CCPA is that no two dealerships use customer data exactly the same way. As a result, there is no form or standard notice or privacy policy that will accurately apply to every dealership. This can lead to legal risk in some surprising ways.

For example, we have already seen a number of letters from plaintiffs’ counsels involved in litigation with third-parties demanding that dealers not share information with the third-party. If the dealership had disclosed to the customer in its Notice and Privacy Policy that it collects and shares the customer’s information for this purpose, it likely has strong legal ground to continue sharing, despite the demand letter. However, we have found that a number of standard-issue privacy policies relied on by some dealers just do not address this use of data. This has left dealers between a rock and a hard place, having failed to disclose a data use to a customer on the one hand, and with a third-party, usually the manufacturer, demanding the data on the other.

A tailored compliance program will at the very least accurately describe how your dealership actually uses customer data. It will therefore limit legal risk by allowing you to continue your data sharing in most circumstances confident that this collection and use has been adequately disclosed to the customer.

Prepare for the Future

Despite the fact the CCPA only went into effect this year, there are already major changes on the horizon. Proposition 24 qualified for the November ballot for this year and, if passed, would give consumers new rights under the CCPA and increase the enforcement.

Today most dealers will be able to avoid facing a major enforcement action even if their legal compliance is not stellar because the Attorney General’s office is responsible for enforcement. The CCPA bill did not provide the AG with new funding to enforce the law and the department dedicated to this in the AG’s office is lightly staffed.

Proposition 24 will change this. If passed it will fund a new state agency dedicated to enforcing consumer privacy rights. It therefore would steeply increase the risk for any business that is not fully compliant with the law.

Moving forward, the dealerships that have a tailored compliance program today will be light years ahead of dealerships that are relying on a one-size-fits-all approach. As any dealership that has gone through the process can tell you, compliance does not happen overnight and there will be bumps in the road. The worst time to do this work is when stakes are high and mistakes could be costly. Building a tailored, compliant program now puts dealers in the driver’s seat as the law changes and the legal risk increases.