By Rita Campanile and Halbert Rasmussen, Scali Rasmussen
Part I – The Buy/Sell Due Diligence Checklist
This is the first in a series of Scali Rasmussen articles about the impact of the California Consumer Privacy Act (“CCPA”) on Buy/Sell transactions. It aims to be for the benefit of both:
- Buyers acquiring dealerships in California, and
- Buyers purchasing dealerships in every other state.
Why the second group of Buyers too? Those who keep a sharp eye on privacy trends believe most state and federal governments are currently ramping up to enact legislation that will mimic the CCPA. The provisions of the CCPA can readily be used by dealerships outside of California as guidelines for keeping their data governance practices at the forefront of change.
The CCPA – January 1, 2020
With the upcoming 01/01/2020 CCPA effective date and the ongoing need for CCPA compliance readiness thereafter, what a Seller did not do (or, did do, but not well) could eventually lead to a Buyer’s significant post-closing liabilities.
A Buyer’s Buy/Sell Due Diligence Checklist (“DD Checklist”) is 1 of 2 standard tools that help a Buyer: (a) gain an in-depth understanding of the target dealership’s (“Dealer”) operations and (b) identify and assess potential post-closing exposures. The other equally important Buyer due diligence (“DD”) tool is the personal assessment of the same (and additional) topics by Buyer’s principals and its team of subject matter experts (“SME’s”) (“DD Team”).
Our focus here is on the first tool, the DD Checklist, and we will provide recommendations about the data governance areas that may require updates to the DD Checklist. Any references to “data” in this article includes personal information.
Buyers, the time is now, to re-visit your DD Checklists and update them with CCPA-related information requests so that you can fully understand what a Seller has and has not done for CCPA compliance readiness. Buyers, we also urge you to consider adding CCPA-savvy SME’s to your DD Teams. A “just kick the tires” approach with respect to CCPA compliance readiness is very risky. If a dealership you are acquiring is not substantially CCPA compliant on day 1, significant financial consequences may result, including:
- costs of defending against private rights of action for consumers, such as lawsuits for violations of the CCPA (effective 01/01/2020)
- costs of defending against enforcement actions by California’s Attorney General for any violation of the CCPA (effective on 07/01/2020)
- costs of Buyer’s completion of CCPA compliance readiness steps that Seller did not take
- costs of damage to Buyer’s and the acquired dealership’s reputation and resulting consumer loss of trust, which costs are difficult to quantify
A Few Key CCPA Concepts
The CCPA provides California consumers with a bundle of new rights concerning their personal information or personal data (“PI”), including:
- right to know what PI of the consumer Dealers have collected and how such PI is used and processed
- right to know what PI of the consumer the Dealer has sold or disclosed
- right to request that Dealers delete their PI from all of Dealer’s data systems and those of Dealer’s service providers
- right to say “no” or opt out of certain uses of, and the sale of, their PI by Dealer
- right to data security of PI of the consumer in accordance with reasonable security standards maintained by Dealer and each first and third parties involved in the Dealer’s PI data flow
- the right to equality of service and price if consumers exercise their CCPA rights
CCPA Definition of Personal Information (“PI”)
The CCPA’s definition of PI is very broad:
- information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household
- examples of PI and personal identifiers include: name, postal address, telephone/mobile numbers, unique personal identifier, IP addresses, email addresses, account names, social security number, driver’s license number, passport number, and so on
PI can not only be tied to a specific individual’s name, but it can also be tied to geolocation data, voice to text, social media follower lists, and other non-physical locations. This is one of the reasons why comprehensive PI mapping and PI inventorying is a necessary first step for CCPA compliance.
CCPA-Related Updates
Hopefully most Buyers’ existing DD Checklists already have robust “Privacy Sections.” Those that do may require fewer CCPA-related updates than those that either do not address Privacy issues at all or have significant Privacy gaps.
To better ensure that CCPA-related compliance updates to existing DD Checklists are complete, Buyers may want to include on their DD Teams those responsible for:
- Compliance
- IT
- HR
- Insurance/Risk Management
DD Checklist:
Suggested CCPA-Related Areas of Inquiry
- Has Seller assembled a CCPA compliance readiness team (“CCPA Team”) and who are its members
- Have CCPA compliance impact assessments been undertaken and converted into specific action and implementation plans for every affected Dealer department
- Where is the PI data located (both physically and otherwise) and which parties both within and outside the dealership have had, have, and will have any PI collected or purchased by Dealer (“Dealer Held PI”)
- What does the Dealer and all other collectors or users of the Dealer Held PI do with such PI
- Now and in the past, has Dealer purchased PI and from whom, and has Dealer sold PI and to whom, and what are Dealer’s CCPA-related plans for future purchases and sales of PI
- What are the Dealer’s current security practices, policies and procedures and what steps are needed in order for Dealer to safeguard PI pursuant to the CCPA
This list of sample CCPA-related areas of inquiry is not exhaustive, but it should suffice for Buyers and their DD Teams to, at a minimum, start the CCPA conversation with Seller and its CCPA Team. For Buyers’ CCPA DD investigations to be meaningful, they should be a well-orchestrated team effort by both parties to the transaction, with all of the “right people on the bus,” as Jim Collins, author of Good To Great, would say.
Stay tuned for our next article on suggested CCPA-related updates to Buy/Sell purchase agreements.
© 2019, Scali Rasmussen All Rights Reserved
Scali Rasmussen’s attorneys are thought leaders in the automotive industry, often called upon to provide their opinions on new and trending issues on auto distribution and franchise, F&I, employment and advertising issues. The firm drafted the CNCDA’s 2015 and 2017 Advertising Law Manuals, providing auto dealers with practical guidance on advertising practices.
The authors can be reached at 213-239-5622 or rcampanile@scalilaw.com (Rita Campanile)), hrasmussen@scalilaw.com (Halbert B. Rasmussen).