Gramm-Leach-Bliley: “Privacy Rule”

The federal government declared war on identity theft with the Gramm-Leach-Bliley Act (GLB Act).  The GLB Act’s primary weapons are the “Privacy Rule” and the “Safeguards Rule” which address how your dealership shares and protects information about your customers.  The Privacy Rule will be the focus of this article. For information on the Safeguards Rule please see “Gramm-Leach-Bliley: Safeguards Rule”.

DOES THE GLB ACT APPLY TO AUTO DEALERS?

The GLB Act applies to all financial institutions.  Dealers are “financial institutions” so long as they are significantly engaged in financial activities like entering into finance or lease transactions with consumers.  Thus, unless your dealership plays no part in arranging financing, the GLB Act applies to you.

PENALTIES FOR NON-COMPLIANCE

There is presently no individual right of action for violating the Privacy or Safeguards Rule.  So no individual customer has a right to sue you for non-compliance.  However, the FTC can investigate your compliance and the state attorney general may bring an action against your store for violation of the state’s “Unfair and Deceptive” trade practices law.  Imagine how a “failure to protect customer information” lawsuit would impact the public’s opinion of your store.  Customers are already hesitant to divulge their personal information to auto dealers.  How much worse would it be if customers knew you failed to adhere to the federal laws protecting their information?

WHAT DOES THE “PRIVACY RULE” REQUIRE?

The Privacy Rule requires financial institutions to give their customers privacy notices that explain the financial institution’s information collection and sharing practices. In turn, customers have the right to limit some sharing of their information. Also, financial institutions and other companies that receive personal financial information from a financial institution may be limited in their ability to use that information.

WHAT INFORMATION IS PROTECTED?

The GLB Act protects “Nonpublic Personal Information” (NPI), which essentially means any personal information you obtain about a person in connection with arranging financing for, or leasing, a vehicle.  The rules apply both to customers and non-customers, so equal care must be given to information from failed or unwound transactions.  There are exceptions to the rules, especially pertaining to non-consumer (business) transactions, but for practical purposes it’s easier to develop general guidelines to protect all information rather than specific information, so I’ll not go into the details here.

INITIAL PRIVACY NOTICE

Dealerships must provide a written Initial Privacy Notice to all customers no later than at the time of signing of the retail installment contract or lease agreement — even if you do not disclose their personal information to others.  The Privacy Notice must be clear and conspicuous.  A carefully written Privacy Notice is critical to determining how you may use NPI.

ANNUAL PRIVACY NOTICES – BUY HERE PAY HERE

Dealers who carry their own contracts must provide annual Privacy Notices to customers.  The obligation to send an annual Privacy Notice terminates upon the transfer of the customer relationship.  Thus, if you carry the contract yourself for a few months and then transfer it to another lender, you’re off the hook because the customer relationship transfers to the new lender.

WHAT INFORMATION MUST BE INCLUDED IN MY PRIVACY NOTICES?

  1. Categories of NPI collected
  2. Categories of persons to whom NPI is or may be disclosed
  3. Categories of third-parties to whom you disclose NPI
  4. Categories of NPI about former customers that you disclose and the categories of third-parties you disclose NPI to
  5. Separate statement of the categories of information you disclose and the categories of third-parties with whom you’ve contracted.
  6. Explanation of the consumer’s right to opt-out of certain disclosures of NPI to unaffiliated third-parties and the method by which the consumer may do so.
  7. Fair Credit Reporting Act disclosure (opt-out of disclosures of certain information among affiliates).
  8. Statement regarding your information safeguards policies and practices.

SHARING NON-PUBLIC PERSONAL INFORMATION WITH AN UNAFFILIATED THIRD-PARTY PROVIDING SERVICES ON YOUR BEHALF

The “Service Provider Exception” to the Privacy Rule permits the sharing of NPI with unaffiliated third-parties who provide services on your behalf only if:

  1. You disclosed this use (sharing with unaffiliated third-party service providers) in your Privacy Notice, and
  2. You have a contractual agreement with the unaffiliated service provider preventing them from sharing or using the information for any other purpose.

If you don’t meet the previous requirements, you may share NPI only if:

  1. You have provided the customer with an opportunity to opt-out of the disclosure in your Privacy Notice, and
  2. The customer has not asked you not to share the information.

JOINT MARKETING

The “Joint Marketing Exception” to the Privacy Rule allows the sharing of NPI with unaffiliated third-parties for joint marketing purposes only if:

  1. You disclosed this use (sharing NPI with unaffiliated third-parties for joint marketing purposes) in your Privacy Notice, and
  2. You have a contractual agreement prohibiting the unaffiliated service provider from sharing or using the information for any other purpose.

Otherwise, you may share NPI only if:

  1. You have provided the customer with an opportunity to opt-out of the disclosure in your Privacy Notice, and
  2. The customer has not asked you not to share the information.
