On February 1, 2023, the California Privacy Protection Agency (CPPA) released a final draft of the regulations for enforcing the California Privacy Rights Act (CPRA). These regulations provide stricter restrictions on the collection of personal information. Of note is that collection practices must be “consistent with the reasonable expectations of the consumers.” According to 11 C.C.R. § 7002(b), expected to become final this year, “reasonable expectations” hinge on factors such as the relationship between the business and its consumers, the source of personal information, and the methods employed by the business collecting the data, and the involvement of other entities and third parties. If CPPA takes an expansive enforcement position on Section 7002, several types of automotive businesses could be impacted by this “consumer expectation” test.

First, roadside services could feel the pinch. These services, offered by telematics services, OEMs, and auto clubs, transmit driver and vehicle data from an initial service request, down a chain of service providers, to an endpoint that has the in-person interaction with the consumer. For example, if a consumer experiences a breakdown, the consumer contacts a service point of contact (SPOC). The SPOC, in turn, transmits personal information such as the consumer’s name, location, and other details to a provider like a towing company. That company may in turn transmit this information to independent subcontractors like tow truck drivers who interface with the consumer. If enforced aggressively, Section 7002 could impose significant burdens on SPOCs, whether to disclose upfront the categories of players in the on-the-road service ecosystem—or to disclose even the names of providers themselves. In the best case, this would make disclosures more awkward and intrusive. In the worst case, the SPOC could be required to divine the identities of every player in the process – even before it starts.

Second, one-stop car shopping sites could have a harder time. These sites create referrals to dealers. Some are sponsored by OEMs that due to state franchise laws cannot sell cars directly. Others are multi-line independent operators who allow shopping across nameplates. Although it is straightforward for these sites to provide disclosures to consumers of the generalities of how businesses get their personal information, the behind-the-scenes magic is driven through a network of service providers that may not be fully determined until the consumer hits “submit.” If CPPA interprets Section 7002 as requiring disclosures of specific referred dealers, it could inject additional steps into the referral process.

Finally, the life of larger auto dealerships and groups—those reaching CCPA/CPRA’s $25 million revenue threshold—could become more complicated. At a practical level, car dealerships are major clearinghouses of information related to cars and their owners. Their core business revolves around selling vehicles and servicing them. This generates considerable data exchanges with OEMS, creating one form of consumer expectation. But dealers also derive considerable revenue from the sale of third-party products. For example, they collect highly sensitive personal and financial information when arranging auto loans. They also handle personal information in the context of selling insurance and service plans. The sheer number of personal information transfers involved—whether on the dealer’s own behalf or acting as a sales agent of others—means that any increase in the breadth of disclosures means a greatly increased burden overall.

Key Takeaways:

  • Automotive businesses that handle complex flows of personal information should carefully monitor CPPA’s enforcement of Section 7002.
  • Depending on how CPPA enforces this regulation, businesses may need to significantly augment disclosures and more closely control downstream uses.
  • Where personal information is being routed in real-time, or just in time, businesses should consider alternate website designs and user interfaces that accommodate more specific identifications of service providers and third-party recipients.