More states follow California’s lead to enact data privacy laws

Data privacy legislation continues to gain momentum across the U.S., with two more states passing laws that give consumers more control over how businesses use their personal information.

Virginia and Colorado both enacted laws this year that take effect in 2023, joining California, whose first-in-the-nation comprehensive statute is poised to become more stringent in 2023, experts say, when provisions from a ballot initiative approved last November go into effect.

The Virginia law may not apply to the state’s franchised auto dealerships because of a provision that exempts entities that are subject to the federal Gramm-Leach-Bliley Act, said Anne Gambardella, general counsel and executive vice president of the Virginia Automobile Dealers Association. Dealerships are regulated by the act, which requires financial institutions to protect consumers’ private information, because they provide customer financing.

The Colorado Automobile Dealers Association is working to understand what the new law will mean for auto retailers in the state, including the extent to which dealerships have to comply or are exempt, what information is covered and what actions will be required, said Matthew Groves, the association’s vice president of legal, regulatory and compliance.

The association will provide training before the law takes effect, though dealerships should start a data assessment now, including of what information they share with third-party vendors, Groves said.

Compliance experts and attorneys who specialize in data privacy told Automotive News that forthcoming details about how the laws will be interpreted and enforced in the states likely will provide more clarity around their potential impact.

Efforts to enact state-level privacy laws have picked up steam. The International Association of Privacy Professionals, a membership association that tracks state legislation, has noted an increasing number of states with bills under consideration in recent years. Aside from California, Virginia and Colorado, which have passed laws, at least 20 states had legislation on the table this year, according to the association’s tracker.

“The fact that there are nuances across these state laws is what is driving industry to call for and increasingly demand a federal privacy law because no one these days is operating within the corners of a single state,” said Caitlin Fennessy, the association’s chief knowledge officer.

Some compliance experts say the upward trend in state actions means dealerships should consider adopting extra measures to protect consumers’ data, even if they’re not legally bound in their state to do so, to stay ahead of future legislation and to show a commitment to corporate social responsibility.

Consumers may come to expect companies to give them more control over how their data is shared, stored and used, said Chris Cleveland, compliance director for Galpin Motors in California and CEO and co-founder of ComplyAuto, which uses software to help dealerships navigate privacy laws.

ComplyAuto was started in October 2020 and has partnerships with the California New Car Dealers Association and FordDirect, a joint venture between Ford Motor Co. and its franchised dealerships.

“You should be worried about these laws because of the significant liability that comes along with them, particularly as it relates to security and potential data breaches,” Cleveland said. “At the same time, you should be recognizing that, ‘Hey, this can actually help me develop privacy as a brand promise and get my consumers to trust me more, differentiate me perhaps from other businesses.’ ”

That may be a best practice for companies to follow, said Monica Baumann, an attorney and shareholder at Scali Rasmussen in Sacramento, Calif. Some companies that operate in multiple states are adopting practices that align with California’s law as a baseline, she said, and more consumers are seeing opt-out capabilities and banners about cookie-tracking on company websites.

“Your customers may start to develop an expectation that if they make a request that you stop selling their information to a marketing company, that they expect you to comply with it,” Baumann said.

The California Consumer Privacy Act, which took effect in January 2020, gives consumers the right to request that a business share the personal data it collects about them and the reasons for collecting it, along with the right to opt out of having their information sold and the right to request that a business delete their data.

California voters in November 2020 approved a ballot initiative that adds new provisions. The new law, known as the California Privacy Rights Act, will add the right to correct data, among others, experts said. It also creates a state privacy agency that will be tasked with enforcing the law, rather than the attorney general’s office as under the California Consumer Privacy Act.

“Now that you’ve got a whole agency devoted to privacy, their reach is probably going to be much broader,” said Brian Maas, president of the California New Car Dealers Association. “That’s why it’s going to be imperative for dealers to get their privacy house in order now.”