THE FEDERAL PRIVACY LAWS: IS YOUR DEALERSHIP IN COMPLIANCE?

By: Keith E. Whann

As July 1, 2001 approached, motor vehicle dealerships were scurrying to determine what they needed to do to comply with the new Federal Privacy Laws. Although the mandatory compliance date for both the Gramm-Leach-Bliley Act (“Act”) and the Federal Trade Commission’s Final Rule on Privacy of Consumer Financial Information (“FTC’s Final Rule”) was July 1, 2001, it is apparent that many motor vehicle dealerships are not yet in full compliance and, in many cases, are unclear as to the effect of the Act on their dealerships.

The stated purpose of the Act and the FTC’s Final Rule is to ensure that “financial institutions” respect the privacy of their customers and protect the security and confidentiality of “nonpublic personal information” collected when an individual obtains a “financial product or service.” Full compliance with the Act and the FTC’s Final Rule means that the dealership has established a system for providing an initial notice to all new customers that accurately reflects the individual dealership’s privacy policies and practices, has mailed the initial notices to all of its existing customers (those with whom it has a continuing relationship) and has afforded them the opportunity to opt out of any disclosures which are not otherwise permitted by law. In addition to complying with the notice and opt out requirements, a dealership and each of its affiliated entities must be capable of tracking whether an individual has opted out of a disclosure and following the opt out instructions. It must also have policies and procedures in place to ensure that nonpublic personal information is safeguarded and kept in a confidential manner.

While assisting dealerships in establishing their privacy policies and procedures and drafting their initial privacy notices, we have received a number of common inquiries. The following are answers to some of the most frequently asked questions:

Q: Who is a “financial institution” under the Act and the FTC’s Rule?

A: Any person or entity that collects “nonpublic personal information” and provides a “financial product or service” which is to be used primarily for personal, family, or household purposes.

Q: What type of information is “nonpublic personal information”?

A: Any information that is not made publicly available by the customer. An unlisted telephone number and address may be “nonpublic personal information”.

Q: Can you give me examples of a “financial product or service”?

A: The definition of a “financial product or service” is quite broad. You provide a financial product or service when you: accept a credit application from an individual, even if financing is never extended by either the motor vehicle dealership or a third party; enter into an agreement or understanding with an individual whereby you agree to assist the individual to obtain a loan or credit; execute a contract to or extend financing to an individual for the purchase or lease of a motor vehicle and/or related goods or services; and insure, guarantee, or indemnify against loss, damage, illness, disability, or death or act as principal, agent, or broker for the sale of insurance designed for any of these purposes.

Q: When do I have to provide a copy of our dealership’s privacy notice to a customer?

A: Generally speaking, a dealership should provide an initial notice of its privacy policies and practices at the time of establishing a customer relationship and prior to disclosing nonpublic personal information about the customer to a third party (i.e. when the dealership accepts the customer’s credit application or assists with other financial products or services, such as obtaining or verifying payoff information, and when it sells an insurance product).

Q: If I provide our customers with the lender’s privacy notice, is my dealership in compliance?

A: No, providing the lender’s privacy notice is not sufficient for a dealership to comply with the Federal Privacy Laws. Each motor vehicle dealership is required to give a copy of its own privacy notice to the dealership’s customers.

Q: I have received a number of lenders’ privacy notices and have been instructed that I have to provide them to our customers. Is that true?

A: Only if you have agreed to do so in your lender agreement. The Federal Privacy Laws do not require motor vehicle dealerships to provide copies of the lenders’ notices to the dealerships’ customers. The lenders are obligated to provide their own notices. That having been said, a number of lenders have already amended or are in the process of amending their dealer agreements to make it the dealership’s obligation to provide their notices.

Q: Do I have to provide an opt out form?

A: Whether or not you have to provide an opt out form depends upon whether you disclose information to third parties other than as permitted under an exception in the Act and the FTC’s Final Rule.

Q: What types of nonpublic personal information may I provide to manufacturers about my customers without incurring the obligation to use an opt out form?

A: You can disclose the nonpublic personal information you collect to third parties so long as the disclosure is permitted under an exception in the Act and the FTC’s Final Rule. In many cases manufacturers have required motor vehicle dealerships to provide information that is not necessary in order for the manufacturer to provide incentives and/or services to the dealerships’ customers. For example, if you are giving the manufacturers specific information about the terms of the customers’ financing/lease transaction with another institution (i.e. the amount of the down payment, the interest rate, the amount of the monthly payment, and the name of the lender), you are probably required to provide your customers with the opportunity to opt out of such disclosures before you may pass that information on to your manufacturer.

Q: Is the customer required to sign the privacy notice?

A: No, obtaining the customer’s signature on the privacy notice is optional. Keep in mind, however, that it may be easier to demonstrate that you have reasonable policies and procedures in place if you have signed copies of the privacy notices in your deal jackets.

Q: Can I just post my privacy notice at the dealership or put it on my website and direct customers to read it there?

A: No. You must provide each customer with a written copy of your privacy notice. Posting the notice on a website or via electronic mail is not reasonable if the consumer does not obtain a financial product or service from you electronically and/or does not conduct the transaction almost entirely at the website.

Q: Can I still take credit applications over the phone?

A: Yes, if you take credit applications over the telephone, you may continue to do so. The dealership’s privacy notice may be provided to the customer in person at the dealership if the customer comes in to purchase a vehicle or by mail within a “reasonable” period of time.

Q: If I accept credit applications via my website, can I then post my privacy notice on my website?

A: Yes, provided that the customer consents to receiving the privacy notice electronically.

Q: Do I have to give an Annual Notice?

A: The G-L-B Act and the FTC’s Final Rule require financial institutions to provide copies of their privacy policies and practices at least annually to customers during the continuation of a customer relationship. For example, if a dealership makes a loan, retains it in its portfolio and services the loan it clearly would have a continuing customer relationship with the borrower. The continuing relationship or “customer relationship” ends when the customer pays the loan in full, the loan is charged off, or the consumer loan is sold and/or the servicing rights to that loan are transferred to another financial institution. If you never extend a loan to the customer, but provided financial services such as assisting an individual to obtain financing for a purchase or lease, then the customer relationship ends when you are no longer required to provide any statements or notices to the customer concerning that relationship.

Q: What happens if I do not comply with the Privacy Laws?

A: Motor vehicle dealerships that fail to comply with the Gramm-Leach-Bliley Act and the FTC’s Rule may be subject to FTC enforcement actions under the FTC Act, such as the issuance of cease and desist orders and the imposition of substantial civil penalties. A violation of the FTC Act will also, as of the first case decision, constitute a violation of most state unfair and deceptive acts and practices statutes under which a successful consumer is often entitled to either recover damages or rescind the transaction and, in many cases, minimum and/or treble damages and attorney's fees. Motor vehicle dealerships may also find themselves defending class action lawsuits.

Q: Where can I get more information on how to comply or is it too late?

A: While the July 1, 2001 date has passed, dealerships still need to develop privacy policies and procedures to comply with the Act and the FTC’s Rule. Obviously, the sooner you comply the better.
