The California Consumer Privacy Act (CCPA)

What Dealers Need to Know

View Documentation

What is the CCPA?

The California Consumer Privacy Act is a state law that enhances the protection of the personal information (PI) of California residents.

It requires businesses to be transparent about their PI data practice by disclosing to consumers about how they collect, use and share consumers’ PI and responding to consumers’ data access, opt-out of sale and deletion requests.

Effective January 1, 2020.

Does the CCPA apply to you?

The CCPA applies to any business in California that collects personal data of California consumers and one of the following thresholds:

  • Annual gross revenue ≥ $25 million
  • Annually buys, receives, sells, or shares personal data of 50,000 or more California consumers, households, or devices
  • Derives 50 percent or more of its annual revenues from selling California consumers’ personal information

What does the CCPA require?

The CCPA grants consumers a series of rights and control over how their PI should be handled, and imposes extensive obligations on businesses to ensure the consumers’ exercise of their rights. The key rights consumers have under the CCPA include:

  • Right to Notice – before collection, a business must inform the consumer as to what categories of PI is being collected, and for what purpose.
  • Right to Information – a business must, upon request, inform a consumer as to what PI was collected, from what sources, for what purpose, the categories of third parties with whom PI has been shared for a business purpose or to whom PI has been sold.
  • Right to Opt Out – a consumer has the right to opt out of the sale of his/her PI.
  • Right to Deletion – a consumer has the right to request his/her PI to be deleted.
  • Right to Equal Services & Prices – a consumer must not be discriminated against for exercising his/her privacy rights.

There are exceptions to the above consumer rights that could exempt some part of your business from certain CCPA requirements. For example, a consumer’s personal data that is collected for a vehicle loan transaction may be exempted from the CCPA because it is regulated by federal laws such as the Gramm-Leach-Bliley Act. It’s important that you consult your legal team or other advisors for advice.

What do dealers need to do?

First and foremost, ensure that you understand how the CCPA will impact your business and establish a comprehensive CCPA compliance program.

Examples of what you need to do before January 1, 2020:

  • Know where your consumers’ personal information is
  • Establish policies and processes to verify, accept and respond to consumer requests
  • Update your privacy notice to fulfill your disclosure obligations
  • Update your websites to include required Do-Not-Sell-My-Personal-Information link if you sell PI
  • Assess the strength of your data security
  • Work with your vendors to ensure that they will cooperate with you in responding to consumer requests

Dealers will have 45 days to comply with consumer requests.


The CCPA will be enforced by California’s Attorney General. Fines for violating the CCPA can be as high as $2,500 per violation and $7500 per intentional violation.

Businesses can also be sued by California consumers for security breaches of PI and pay up to $750 per consumer per incident or actual damages, plus other proper relief.

How is CDK Global helping?

CDK has developed solutions for CDK applications that process and store your consumers’ personal information. For example, each of your CDK applications that handle personal information will allow you to respond to consumers’ various requests under the CCPA:

  • By searching for and generating a report on the PI of a given consumer that currently resides within such application
  • By marking a customer’s records as “Do Not Sell” in response to the consumer’s opt-out request
  • By marking a customer’s records for deletion if the consumer’s deletion request is granted (while retaining the consumer’s name and other minimum information in order to generate an auditable record of the deletion, consistent with best practice or as may be required by the Attorney General’s CCPA regulation).

List of affected CDK Applications

View our full CCPA product listing and training documentation. Please note, you will need your Service Connect login to access.

Contact your Client Account Manager (CAM) with
any questions or concerns regarding the CCPA.


We recommend dealers consult with their legal and/or
advisory team(s) for a full compliancy implementation plan.

Please contact your OEM and other non-CDK providers
and vendors for their CCPA compliance updates.

Connect with us