Is Your Dealership in Compliance with the New Consumer Privacy Act? – Melanie Cliff, Partner at Scali Rasmussen

Melanie Cliff, Partner at the law firm Scali Rasmussen in Los Angeles, CA, and an expert in automotive law, joins CBT News to tell dealerships everything they need to know about the California Consumer Privacy Act.

Going into effect on January 1, 2020, the California Consumer Privacy Act gives consumers the right to request access to and deletion of their information, and the right to say “do not sell my information.” Dealers therefore need to be aware of how their internal processes might interfere with this law and what they can do to change that. Melanie says that dealerships should focus on having risk assessments done and creating road maps that show where their data is coming from, where it is going, and who they are sharing it with. Additionally, they should reassess what internal processes they have in place to handle consumer requests to access and delete their information.

To hear more from Melanie about the California Consumer Privacy Act check out the full interview above.

VIDEO TRANSCRIPT: 

Jim Fitzpatrick:
Hi everyone, I’m Jim Fitzpatrick. Thanks so much for joining us on another edition of CBT News. Today we’re joined by Melanie Cliff, who is the partner at the law firm of Scali Rasmussen in Los Angeles, California. Thank you for joining us today, Melanie.

Melanie Cliff:
Thank you for having me, Jim.

Jim Fitzpatrick:
Sure. You had an article, it was an article in Automotive News that you were in about the California Data Law that’s taking place or I should say the law that’s monitoring all of the data. Talk to us about that, if you will.

Melanie Cliff:
Well, the CCPA takes effect January 1st of 2020, and it’s a theory, it’s modeled after the European laws that have come into effect. There’s a lot to cover, probably too much for right now.

Jim Fitzpatrick:
Sure. Kind of give us the high points, if you will.

Melanie Cliff:
Absolutely. The key takeaways would be consumers now have a private right of action. They have a right to request access along with deletion, they have a right to say do not sell my information. And there’s a lot of things that dealers need to be aware of in terms of their internal processes. So those are some things that are really important, and we have maybe four or five months before the first of the year. So it’s somewhat of a time crunch right now.

Jim Fitzpatrick:
Okay. So California dealers need to sit up and pay attention, right? Because they can get into big trouble if they don’t adhere to this. Right?

Melanie Cliff:
Well yes, the wait and see approach is probably not the best thing to take advantage of right now.

Jim Fitzpatrick:
Right. So what do dealers need to focus on in order to be compliant?

Melanie Cliff:
Well they definitely need to have some risk assessments done. They have to roadmap where their data is coming from and where it’s going, who they’re sharing with, what internal processes they have in place to deal with consumer requests to access their information, to delete their information. And, also in terms of cybersecurity, that’s kind of another issue altogether, but they have to make sure those safeguards are in place. And that’s just in compliance with existing laws as well as new laws such as the CCPA.

Jim Fitzpatrick:
Okay. From your perspective, where do you feel dealers are falling short in these areas?

Melanie Cliff:
Well, dealers don’t necessarily need reminders. They’re already aware of these high priority items, but there are certain safeguards such as cybersecurity insurance. I received a statistic this morning that talks about how 60% of dealerships don’t have cybersecurity insurance in place yet.

Jim Fitzpatrick:
Wow.

Melanie Cliff:
Yes, that’s a large number.

Jim Fitzpatrick:
That’s a huge liability.

Melanie Cliff:
Right, especially in light of the cyber attacks that dealers are subject to, whether it’s ransomware, extortion attempts, hacking, antivirus or software viruses. There’s just a whole slew of criminal activity that they could be subject to which could shut down their dealerships while they’re trying to figure out how to pay these criminals.

Melanie Cliff:
So you just really need to make sure that’s in place. You also need to make sure on the technology front you have encryption, you have firewalls, you have all these things to help the dealership combat this cyber activity. So that all these safeguards should be in place and if they’re not, you have to evaluate with your IT department what to do about that, and how to approach those issues.

Melanie Cliff:
Another big item under the CCPA would be to evaluate your vendor relationships, see where that information is going and how those vendors then take care of that information.

Melanie Cliff:
So these are things that are very, very time consuming. And so I alluded to it before, but this time crunch is, we’re looking at four to five months before the law goes into effect. So that’s something that’s very, very, very time sensitive.

Jim Fitzpatrick:
Let me ask you, of the 60% that are not covered for this, do you think they know that or is it going to be a shock to dealers to hear that, wow, I thought the whole time my business insurance covered me in this area.

Melanie Cliff:
Well, Jim, that’s a very good question. It will be a shock because many dealers think that it’s part of their Commercial General Liability Policy or maybe that they’ve already purchased. My understanding is that these are separate policies or separate endorsements with different limits. It’s also inexpensive compared to the other insurance that they’re paying for. So it’s a very good idea to get those quotes from your brokers now as opposed to in December.

Jim Fitzpatrick:
Yeah, that’s right.

Melanie Cliff:
And have something in place now because with all of the sensitive information in your DMS, your CRM, and even what sales and finance collects on a daily basis, it’s just so much personal and confidential information. You just don’t want to be at risk for a hack or a data breach.

Jim Fitzpatrick:
Sure. We see so many laws especially that relate to compliance and in gas and fuel regulation and such coming out of California that started to take shape throughout the other 49 states. Is it pretty safe to assume that other states will follow suit on a law like this?

Melanie Cliff:
Absolutely. In fact, my understanding is that at least 15 of the states already have legislation that’s being proposed. And even at the federal level, that’s something that’s being considered right now. With California, California has historically been a trendsetter. It’s been ahead of the curve, whether it’s emissions or consumer protection and now it’s privacy. So California sets precedent and the remainder of the nation tends to follow. So that’s absolutely correct.

Jim Fitzpatrick:
Yeah. How do you think this legislation will improve the trust among consumers?

Melanie Cliff:
There’s definite controls being put into place now. Consumers have more control over the data that they’re able to request there. There’s a better knowledge base. They’re able to understand what information is being shared and now they are also able to say, hey, look, don’t share my data and actually I want you to delete it. So when they encounter a dealership that has their policies and procedures in place, it enhances their reputation, creates a more trust relationship, where they are positive that their information is not being sold or shared or outside of their control. So they have more controls. And it helps with the brand reputation as well as the dealership’s reputation in the community.

Jim Fitzpatrick:
What are some of the penalties in the event a dealer fails to comply and is ultimately either charged or sued for this?

Melanie Cliff:
Well that would depend on the circumstances, but I understand what’s being proposed is as a private right of action, there’s $1,000 to $3,000 or the actual damages, whichever is greater in terms of what would be a statutory right damage amount. And it’s also subject to the Attorney General’s enforcement action as well.

Jim Fitzpatrick:
Okay. As you know, so many individuals within a dealership really have access to that information. Once a consumer comes in and fills out a credit application, the salesperson, the F and I team that takes place in there, maybe the back office personnel, there’s typically a number of people that actually see and have access to this information. How does the dealer get their hands around the control of that?

Melanie Cliff:
Well that’s an excellent question and that’s where the CCPA really forces the dealerships to look at their internal processes, really create a risk assessment that’s accurate, that’s subject to regular assessment. And once they determine that, they’re able to create a roadmap of how to put the right controls in place, whether it’s encryption, whether it’s training. There’s a wealth of resources available to them, but it’s a matter of compiling that information and putting your policies together.

Jim Fitzpatrick:
So I guess the takeaway here is make sure you get with your insurance agencies, if you’re listening dealers and make sure if you fall into that 60% of dealers out there, that’s an incredibly large number that you’re not covered for these types of things. Get covered and whatever the cost might be. And then of course the other is the training internally of your people to make sure that this information is guarded very, very intently.

Jim Fitzpatrick:
And then making sure that nobody can just access this information no matter who they are. Then of course, to put in the necessary firewalls as you said. This is an area that I think a lot of dealers, I don’t want to say take lightly. I think they, they take it seriously, but certainly with this new act going into effect January 1 in California and it’s spreading across the country probably over the course of the next 24 months. It’s something that dealers really need to pay attention to, right?

Melanie Cliff:
Yes, yes. It’s not something to be taken lightly. It needs to start at the top and it needs to filter it down. That’s I think really the most important part of this. It’s not something to leave to your IT people. You need to get your outside counsel involved. You have to have everybody in the dealership involved with this process.

Jim Fitzpatrick:
Yeah, that’s for sure. Well, Melanie Cliff, I want to thank you so much for joining us on CBT News. It’s been very enlightening and I’m sure there’s a few dealers out there that are on their cell phones right now calling their insurance agent saying, hey, am I covered for this stuff? So love to have you back in the future and talk more about this topic because it’s a hot one and I’m sure it’s gonna get even hotter as time goes on here.

Melanie Cliff:
Thank you very much too.

Speaker 1:
CBT Automotive Network. The number one most watched network in retail automotive. This has been a JBF Business Media production.