A push by individual states to regulate consumer information collected by businesses isn’t yet touching smaller body shops and collision centers, but efforts are gaining steam and there are great reasons for indie operators to know and prepare for local laws.
California was first with legislation often presented as “privacy protection” bills dealing with individuals’ data. The state passed the California Consumer Privacy Act in 2018, and two years later, voters approved a proposition that expanded on CCPA. All regulations were effective by January 2023.
Image courtesy of IAPP.
Other states are joining in.
Six states’ laws will have gone into effect this year and last, when Montana’s begins Oct. 1, according to nonprofit International Association of Privacy Professionals (IAPP). Nine more are slated to hit in 2025 -- six of these by January -- with three more in January 2026. Four more states have active bills.
Only about one-fourth of states haven’t tried to enact privacy legislation.
There is currently no national law, but that’s in the works as well.
Does Privacy Matter to Collision Centers?
“What’s really changing is the state-level stuff,” said Brad Miller, head of legal at Utah-based ComplyAuto, which develops software to aid companies’ compliance with state and federal regulations.
The changes are more than just new legislation itself. Because it’s happening -- or not -- one-by-one, there are differences within and among various laws. Multiplied by dozens of states, it gets complicated.
Miller said “privacy” generally refers to “non-public personal information” -- but not just the usual suspects. It involves obvious datapoints -- insurance, driver licenses, Social Security numbers -- but “anything personally identifiable” as well.
Some states let businesses correct a problem before they’re punished; some don’t.
“There are lots of layers to this, and all the laws are different,” Miller said.
A common approach seems to be good for most shops: small-business exemptions, which also differ state-to-state.
California’s law applies to businesses with more than $25 million in gross annual revenue or information on at least 100,000 residents or households.
Most independent body shops aren’t touched. MSOs and dealerships with shops likely are, and online privacy adds a whole ‘nother slew of considerations.
How Independent Body Shops Are Handling Data
Roberto Baires owns Micro Tech Resources IT in Northern California. Among his clients are 100 or so body shops. More are concerned with the long-time CARFAX issue -- past repairs not being in a vehicle history -- than with the state’s stringent customer data privacy rules.
He stressed the limited information shops hold, noting, “customer data they see is in the estimating software, insurance companies, parts procurement, credit cards -- they’re the ones managing it.”
Accurate Auto Body in Richmond, CA.
“We have to keep some information for lifetime warranty repairs,” said Tiffany Silva, who co-owns Accurate Auto Body in Richmond, CA. But for the most part, “there’s nothing for me to hold.”
“Shops hold some data, but more of it is physical,” Baires added.
“I’m ‘old-school,’” said Ken Pike, owner of Ken’s Custom Auto Body in Marysville, CA. He collects a name and phone number for estimating but doesn’t keep any customer data. “I charge their credit card and that’s it.” He’s never had a customer ask about their information.
Silva said her shop has policies in place -- where it can exist, what happens if an employee takes a photo of a vehicle -- developed with an attorney and IT. “We have data and we protect the data, but it doesn’t come up.”
Miller said if the law applies to a shop, it overlaps with much standard practice, apart from the exemptions.
The ABCs of Consumer Data and Customer Interaction
And Silva’s policy approach is a good step even for shops that don’t strictly “need” it.
With the industry’s increasing complexity, technological advances and customer privacy and data concerns, there are good reasons to be ready to act.
Acquisitions: If a shop might ever be sold, it’s best to have operations as pristine as possible. Big buyers will have their own method, of course, but keeping data collection clean and in compliance is never bad.
Breaches: Shop relationships with insurance companies, suppliers and dealers, among others, are at risk for hacking, ransomware and other cybersecurity issues. And these attacks are only expected to increase.
Customers: A formal policy developed with the right people and communicated to anyone who walks in the door ups the body shop’s game. It speaks to professionalism, customer care and a strong work ethic.
A policy defines relationships with consumers, third parties and the state. It prevents problems and prepares a shop for service today, and tomorrow.
Miller said federal legislation frequently stalls over particulars; but if not inevitable, it’s also not impossible. And without one, the news is more complex than good, since states passing a different law every time doesn’t make compliance any easier.
“The auto body industry is having to deal with this,” he said. “And new regulations are coming.”
