New laws in 2022: Vehicle and dealership laws

2021 was a relatively quiet year for legislation for the automotive industry, as CNCDA’s sponsored bill, SB 361, that would have provided certainty for dealers that want to engage in electronic contracting, failed to pass. The legislature passed a number of bills that continue to move the state towards a zero-carbon transportation sector, as well as some small changes to off-road vehicle and trailer laws. There are important regulatory changes affecting the automotive industry going into 2022, though, and this section gives an overview of what is coming ahead of the curve.

SB 287 – Trailers

What the law currently requires

Current law establishes different classes of driver’s license for driving different classes of vehicles:

  1. A class C driver’s license authorizes holders to drive passenger cars and tow travel trailers not exceeding 10,000 pounds gross vehicle weight rating (GVWR) when the towing is not for compensation. If a trailer is a fifth wheel travel trailer between 10,000 pounds and 15,000 pounds, the holder of a class C driver’s license can tow it if the towing is not for compensation and the license holder passes a specialized written examination.
  2. A restricted class A driver’s license authorizes holders to drive larger vehicles and tow heavier loads, though not big rigs. Additional written and skills testing is required. A restricted class A driver’s license holder may tow a trailer coach exceeding 10,000 pounds or a travel trailer exceeding 15,000 pounds gross vehicle weight (GVW) or GVWR when the towing is not for compensation.

How this bill changes the law

This bill allows, beginning January 1, 2027, class C driver’s license holders to tow any trailer between 10,000 pounds and 15,000 pounds GVW or GVWR if the towing is not for compensation, the trailer is coupled to the towing vehicle by a specified hitch, the trailer is used exclusively for recreational purposes, the trailer is used for the transportation of property or human habitation, or both, and the driver has passed a specialized written examination relating to towing safety.

The bill also allows, beginning January 1, 2027, restricted class A driver’s license holders to tow any trailer with a GVW or GVWR of more than 10,000 pounds if the towing is not for compensation, the trailer is used for the transportation of property or human habitation, or both, and the trailer is used exclusively for recreational purposes.

ACTION ITEM

Understand these changes to the driver’s license allowances to address customer questions and understand their uses of vehicles capable of towing trailers.

SB 339 – Road Use Charge Pilot Program

What the law currently requires

In 2014, California created a Road Usage Charge (RUC) Advisory Committee to evaluate potential replacements for gas tax funding for roads and infrastructure. This Committee found that RUC is a viable option to replace some or all gas tax revenue. The Transportation Agency is currently working to implement an RUC pilot program.

How this bill changes the law

This bill extends the RUC pilot program until 2027. It requires the Transportation Agency, in consultation with the California Transportation Commission, to implement a pilot program to identify and evaluate issues related to the collection of revenue for a road charge program, as specified.

SB 500 – Autonomous Vehicles

What the law currently requires

Existing law authorizes the operation of an autonomous vehicle on public roads for testing purposes by a driver who possesses the proper class of license for the type of vehicle being operated if the manufacturer meets prescribed requirements. Existing law also promotes the use of zero-emissions vehicles.

How this bill changes the law

This bill, starting on January 1, 2030, and to the extent authorized by federal law, will prohibit the operation of certain new autonomous vehicles that are not zero-emission vehicles, as defined. The bill will also prohibit the DMV from commencing rulemaking for the adoption of regulations implementing this provision until January 1, 2027.

AB 992 – California Clean Truck, Bus, and Off-Road Vehicle and Equipment Technology Program

What the law currently requires

Existing law establishes the California Clean Truck, Bus, and Off-Road Vehicle and Equipment Technology Program, which is administered by the State Air Resources Board, in conjunction with the State Energy Resources Conservation and Development Commission, to fund development, demonstration, precommercial pilot, and early commercial deployment of zero- and near-zero-emission truck, bus, and off-road vehicle and equipment technologies.

How this bill changes the law

This bill will specify that peer-to-peer truck sharing platform demonstration is eligible for funding under the program.

AB 232 – Off-Highway Vehicle Reciprocity

What the law currently requires

Existing law requires every off-highway motor vehicle that is not registered under the Vehicle Code to display an identification plate or device issued by the Department of Motor Vehicles, with certain exceptions, including an off-highway motor vehicle with a currently valid identification or registration permit issued by another state.

How this bill changes the law

This bill will permit application of that exception only if the other state recognizes an identification plate or device issued by the department as valid for use in that state. By narrowing the exception, the bill will expand the scope of an existing crime and will therefore impose a state-mandated local program.

Important Regulatory Issues Affecting Dealerships

FTC Adopts New Safeguards Rule

The Federal Trade Commission announced on October 27, 2021 the final updates to the Safeguards Rule under the Gramm–Leach–Bliley Act (“GLB”). These updates are the result of a multi-year process and purport to strengthen security for consumer financial information following an uptick in data breaches. Overall, the updates are more prescriptive than the previous Rule, imposing specific new requirements. For auto dealers who must comply with the new rules when they are fully effective, it means that action is needed now to protect their companies from costly private lawsuits and enforcement actions for failure to comply with the updates.

Most dealers, as “financial institutions” under the GLB, have been subject to the Safeguards Rule for decades. For many years, the Rule has required that dealers assess the risk to the security and privacy of consumer financial information, implement a plan to secure that data, regularly monitor and update that plan, and designate an individual to be responsible for the plan. The major change in the update is that it imposes new specific criteria financial institutions must meet, where before the requirements were general and subject to flexible interpretation.

Under the new rule, financial institutions must address specific topics in their risk assessments and produce a written report of the assessment. It further requires that each safeguarding plan address particular issues, including access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response. It also requires financial institutions to adopt measures to oversee the effectiveness of the safeguarding plan, required employee training, and any services from an external provider.

Another major change is to accountability. For example, while the current Rule allows a financial institution to designate one or more employees to be responsible for the safeguarding program, the update requires the designation of a single “Qualified Individual,” as defined. The update also requires periodic reports to boards of directors or governing bodies. In short, the update raises the stakes for owners and managers, as it requires direct involvement from senior leadership in safeguarding consumer data.

Finally, the update adopts some relief for smaller financial institutions. The update exempts financial institutions that collect information on fewer than 5,000 consumers from the requirements of a written risk assessment, incident response plan, and annual reporting to the Board of Directors.

The bottom line for dealers is that the updated rule requires action, both upfront and on an ongoing basis. In the event of a data breach or incident, failure to comply with the specific requirements of the update will provide a clear basis for a federal enforcement action and may support costly civil lawsuits, especially in California. The updates will be effective a year from their publication in the Federal Register, which should happen in 2021.

CPRA Will Change California Privacy Landscape

The California Consumer Privacy Act (CCPA), signed into law on June 28, 2018, created an array of consumer privacy rights and business obligations with regard to the collection and sale of personal information. The CCPA went into effect Jan. 1, 2020. The California Privacy Rights Act (CPRA), also known as Proposition 24, is a ballot measure that was approved by California voters on Nov. 3, 2020. It significantly amends and expands the CCPA, and is sometimes referred to as “CCPA 2.0.”

Going into 2022, businesses in California must understand that the CCPA is in full force and effect, but that important changes will be needed to comply with the CPRA starting in 2023. This article covers the basics of the CCPA and changes the CPRA will make to privacy law.

When will enforcement of the CPRA begin?

Enforcement of the CPRA will not begin until July 1, 2023, and enforcement will apply only to violations occurring on or after that date. It should be noted, however, that the CCPA’s provisions remain in effect and enforceable until that date.

The CCPA vests the California Attorney General with enforcement authority. Although the CPRA grants the California Privacy Protection Agency “full administrative power, authority, and jurisdiction to implement and enforce” the CCPA, the Attorney General still retains enforcement powers. Cal. Civ. Code § 1798.199.90 provides that the California Privacy Protection Agency “may not limit the authority of the Attorney General to enforce this title.”

Importantly, the Attorney General has taken actions to enforce the CCPA in 2021, and is likely to continue to do so in 2022. For example, the AG’s website now includes a form that allows California residents to submit complaints regarding businesses’ implementation of the CCPA, indicating that the AG will continue to enforce the law even while changes are coming.

What is the California Privacy Protection Agency?

The California Privacy Protection Agency is a new agency, created by the CPRA, which is vested with “full administrative power, authority, and jurisdiction to implement and enforce” the CCPA.

When does the California Privacy Protection Agency assume rulemaking authority?

The CPRA transfers rulemaking authority from the California Attorney General to the California Privacy Protection Agency effective July 1, 2021, with final CPRA regulations due by July 1, 2022.

What rights do consumers have under the CCPA and CPRA?

The CCPA creates six specific rights for California consumers:

  1. the right to know (request disclosure of) personal information collected by the business about the consumer, from whom it was collected, why it was collected, and, if sold, to whom;
  2. the right to delete personal information collected from the consumer;
  3. the right to opt-out of the sale of personal information (if applicable);
  4. the right to opt-in to the sale of personal information of consumers under the age of 16 (if applicable);
  5. the right to non-discriminatory treatment for exercising any rights; and
  6. the right to initiate a private cause of action for data breaches.

The CPRA creates two additional rights:

  1. the right to correct inaccurate personal information; and
  2. the right to limit use and disclosure of sensitive personal information.

What is a consumer’s ‘personal information’?

The CCPA defines “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

What is a consumer’s ‘sensitive personal information’?

Sensitive personal information (SPI) is a subset of personal information newly defined in the CPRA. SPI is personal information that reveals:

  • a consumer’s social security, driver’s license, state identification card, or passport number;
  • a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
  • a consumer’s precise geolocation;
  • a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;
  • the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication;
  • a consumer’s genetic data.

What constitutes a ‘sale’ of personal information?

The CCPA defines a “sale” as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

What does ‘sharing’ personal information mean?

The CPRA defines “sharing” as renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.

Who must comply with the CCPA and CPRA?

The CCPA imposes obligations on businesses, service providers, and third parties. The CPRA adds a fourth category: contractors.

How is a ‘business’ defined?

The CPRA defines a “business” as:

  • a for-profit legal entity:
  • that collects consumers’ personal information on its own or by others on its behalf
  • that alone or jointly with others determines the purposes and means of the processing
  • that “does business” in California
  • and satisfies at least one of the following thresholds:
    1. has annual gross revenues in excess of $25 million
    2. annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices
    3. derives 50% or more of its annual revenues from selling consumers’ personal information

What are the principal obligations of a business?

A business must:

  • provide notice of consumer rights
  • honor consumer rights
  • fulfill disclosure and retention obligations
  • facilitate consumer requests
  • implement security safeguards

How is ‘service provider’ defined?

A “service provider” is an entity that receives personal information from or on behalf of a business and processes that personal information on behalf of a business pursuant to a written contract that prohibits any retention, use, or disclosure of the personal information other than as specified in the contract.

What are the principal obligations of a service provider?

A service provider must:

  • use personal information only to perform services on behalf of a business as specified in a contract
  • comply with the terms of that contract
  • implement security safeguards

How is ‘contractor’ defined?

Newly defined in the CPRA, a contractor is akin to a service provider, in that it is bound by the terms of a written contract that sets forth certain restrictions and prohibitions on the use of personal information. Unlike a service provider, however, the contractor includes a “certification” that it understands all of those restrictions and prohibitions and that it will comply with them.

What are the principal obligations of a contractor?

A contractor must:

  • use personal information only to perform services on behalf of a business as specified in a contract
  • comply with the terms of the contract
  • implement security safeguards
  • not combine personal information received from a given business with any personal information received from others
  • notify the business regarding their use of subcontractors, and those subcontractors must be contractually bound to the same terms as the contractors.

How is ‘third party’ defined?

The CCPA defines a third party as a legal entity who does not meet the characteristics of a service provider and who receives personal information from the business.

What are the principal obligations of a third party?

A third party must:

  • use personal information consistent with promises made at receipt
  • provide consumers notice of any new or changed practices
  • provide consumers with explicit notice of any additional sales of personal information and provide consumers with the opportunity to opt out.

What are the consequences for non-compliance?

The CCPA provides for the following options for imposing liability in the event of non-compliance:

  • Civil Penalties – In actions by the California Attorney General, businesses can face penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation (but there is an opportunity to cure any alleged violation within 30 days after receiving notice of the alleged violation).
  • Damages – In actions brought by consumers for security breach violations, consumers may recover statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. In actions for statutory damages, consumers must first provide businesses with written notice and an opportunity to cure. 
  • Non-Monetary Relief – In actions brought by consumers for security breach violations, consumers may seek injunctive or declaratory relief, as well as any other relief the court deems proper.
  • Businesses may also be subject to an injunction in actions brought by the Attorney General.