Do you think that compliance with the proposed FTC Safeguards Rule, the California Consumer Protection Act (CCPA) or New York’s SHIELD Act puts an onerous burden on dealers? To put it mildly, you ain’t seen nothin’ yet.
Congress recently introduced The Online Privacy Act, new legislation that establishes a “privacy bill of rights” for consumers and is similar in language to Europe’s General Data Protection Regulation (GDPR).
The motivation behind the new bill is that data-collection and data-sharing industries make billions annually from selling Americans’ personal information and that privacy for online consumers is nearly non-existent.
The new law targets tech companies in particular, but applies to every business that collects, stores and sells consumers’ personal and identifiable information (PII). This includes auto dealerships.
If passed, The Online Privacy Act would be even tougher than California’s CCPA, which goes into effect in January 2020.
In a nutshell, The Online Privacy Act would:
Create user rights
The bill grants every American the right to access, correct or delete their data. It also creates a right of impermanence, which lets customers decide how long companies can keep their data.
Establish a Digital Privacy Agency (DPA)
Currently the Federal Trade Commission broadly regulates privacy, but only employs a few dozen people who are dedicated to enforcing violations. The Online Privacy Act establishes a new federal agency of 1,600 officials who would be empowered to issue new regulations and enforce the new privacy law. As written, the DPA would be about the same size as the Federal Communications Commission (FCC).
Define how companies may use, and not use, customer data
If this legislation is passed, auto dealerships will be required to be transparent about what they do with customers’ data. Auto dealers could not disclose, share or sell user data without receiving explicit consent from customers. The bill minimizes the amount of data companies collect, process and maintain, and bars companies from using data in discriminatory ways.
Additionally, The Online Privacy Act forbids the use of private communications, like email, to target customers with ads.
If your dealership experiences a data breach that exposes your customers’ personal data, you would have 72 hours to alert both your customers and the DPA.
If your dealership violates any of the rules laid out in the Online Privacy Act, or any of the new regulations created by the DPA, you could be fined as much as $42,530 per incident. The bill would also allow state attorneys general to bring civil actions and consumers to bring civil suits against your dealership for lack of compliance.
Whether The Online Privacy Act passes into law remains to be seen. Currently there is some debate over details like whether the bill should pre-empt states’ laws or whether individuals should be allowed to sue companies for violations.
However, the legislation has bipartisan support, and both Democrats and Trump have stated they want a consumer data privacy law.