What is the CCPA?
The California Consumer Privacy Act is a state law that enhances the protection of the personal information (PI) of California residents.
It requires businesses to be transparent about their PI data practice by disclosing to consumers about how they collect, use and share consumers’ PI, and responding to consumers’ data access, opt-out of sale and deletion requests.
Effective January 1, 2020.
Privacy laws and bills in California and other states are in development. The CCPA will be replaced by the California Privacy Rights Act (CPRA) on January 1, 2023; Virginia and Colorado each has a privacy law going into effect in 2023.
The information contained on this page regarding the CCPA and other privacy laws is for informational purposes only. It is not intended to be legal advice. Please consult your legal counsel if you have questions about the CCPA or other laws.
Does the CCPA apply to you?
The CCPA applies to any business that collects personal data of California consumers and meets one of the following thresholds:
- Annual gross revenue ≥ $25 million
- Annually buys, receives, sells or shares personal data of 50,000 or more California consumers, households or devices
- Derives 50 percent or more of its annual revenues from selling California consumers’ personal information
What does the CCPA require?
The CCPA grants consumers a series of rights and control over how their PI should be handled, and imposes extensive obligations on businesses to ensure the consumers’ exercise of their rights. The key rights consumers have under the CCPA include:
- RIGHT TO NOTICE
Before collection, a business must inform the consumer as to what categories of PI are being collected, and for what purpose. - RIGHT TO INFORMATION
A business must, upon request, inform a consumer as to what PI was collected, from what sources, for what purpose, the categories of third parties with whom PI has been shared for a business purpose or to whom PI has been sold. - RIGHT TO OPT OUT
A consumer has the right to opt out of the sale of their PI. - RIGHT TO DELETION
A consumer has the right to request their PI be deleted. - RIGHT TO EQUAL SERVICES & PRICES
A consumer must not be discriminated against for exercising their privacy rights.
There are exceptions to the above consumer rights that could exempt some part of your business from certain CCPA requirements. For example, a consumer’s personal data that is collected for a vehicle loan transaction may be exempted from the CCPA because it is regulated by federal laws such as the Gramm-Leach-Bliley Act. It’s important that you consult your legal team or other advisors for advice.
What do dealers need to do?
First and foremost, ensure that you understand how the CCPA will impact your business and establish a comprehensive CCPA compliance program.
Examples of what you need to do:
- Know where you're storing your consumers' information
- Establish policies and processes to verify, accept and respond to consumer requests
- Update your privacy notice to fulfill your disclosure obligations
- Update your websites to include required Do-Not-Sell-My-Personal-Information link
- Assess the strength of your data security
- Work with your vendors to ensure that they will cooperate with you in responding to consumer requests
Liabilities
The CCPA will be enforced by California’s Attorney General. Fines for violating the CCPA can be as high as $2,500 per violation and $7,500 per intentional violation.
Businesses can also be sued by California consumers for security breaches of PI and pay up to $750 per consumer per incident or actual damages, plus other proper relief.
How is CDK Global helping?
CDK has developed solutions for CDK applications that process and store your consumers’ personal information. For example, each of your CDK applications that handle personal information will allow you to respond to consumers’ various requests under the CCPA:
- By searching for and generating a report on the personal information of a given consumer that has been collected, processed and stored in such applications
- By marking a customer’s records as DoNotSell in response to his or her opt-out request
- By marking a customer’s records for deletion based on the consumer’s deletion request (while retaining the consumer’s name and minimum contact information in order to create an auditable record of the deletion, consistent with best practice or as may be required by the Attorney General’s CCPA regulation).
List of affected CDK applications
View our full CCPA product listing and training documentation. Please note, you will need your Service Connect login to access.
Solutions for Partners
Managing CCPA Flagged Data: Dealers and Partners — New Abilities
DEALER CONTROL
Starting the first quarter of 2022, dealers will be able to block consumer records that have been flagged with CCPA DoNotSell or Delete from being transmitted to the CDK partner:
- Utilizing the DDX dashboard, dealers will be able to select which partners will receive records flagged DoNotSell or Delete.
- Data will continue to flow to partners until a dealer actively makes the change in DDX.
- To prevent flagged customer records from being sent, the dealer must go to DDX and decide which partners should no longer receive the flagged records.
PARTNER RESPONSIBILITY
In addition to the dealer DDX enhancement, CDK has also launched new integration Partner Integration Points (PIP) which allow the DoNotSell and Delete flags to pass from the DMS to the partner. In order for partners to accept this data, they need to update integration points to the DMS to ensure they receive the flags. Partners are responsible for honoring the flags on behalf of the dealer.
By providing both CDK dealers and CDK dealer partners with the ability to manage CCPA flagged data, CDK is ensuring that dealer customers who have exercised their rights under CCPA will be protected.
- What does it do? The Help Customer Privacy Extract PIP enables a partner application to extract customer privacy setting data on demand. Data elements provided by this PIP describe a customer’s privacy setting in the DMS, including the customer’s CCPA and other regulatory requests.
- How does it work? The CCPA and other regulatory data fields extracted through the PIP identify which customers have requested deletion of their personal information. These settings must be applied to all customer data, including data extracted with other data types or PIPs.
- What partners need to do: Partners need to contact their CDK Account Director to receive the technical information about the PIP enhancements. Partners should implement the new PIPs to ensure they receive the flags to identify the consumers who have exercised their rights under CCPA. Partners are responsible for honoring the flagged data on behalf of the dealer.
Contact your Client Account Manager (CAM) with any questions or concerns regarding the CCPA. Please contact your OEM and other non-CDK providers and vendors for CCPA compliance updates.