Wipfli LLP - CPAs and Consultants

Complying With Federal Privacy Regulations
May 01, 2004

The Gramm-Leach-Bliley Act (“GLBA”) requires certain businesses to make specific disclosures to “consumers” and “customers” regarding the collection and distribution of nonpublic personal information. As businesses that extend credit, auto dealerships must comply with the GLBA’s mandates. The act doesn’t apply, however, to information obtained from an individual interested in a vehicle for commercial or business use.

Overview of GLBA Requirements

The GLBA describes three types of disclosures that must be made to consumers and customers: initial, opt-out, and annual. An initial disclosure informs the recipient about what information is collected and to whom it is distributed. The opt-out disclosure allows the recipient to opt out of the distribution of his or her information to a third party. The annual disclosure provides essentially the same information as the initial disclosure.

Under the GLBA, a “consumer” is one who applies for credit to purchase or lease a car, regardless of whether credit is actually extended. Once someone submits his or her name and Social Security number and authorizes a credit check, that person becomes a consumer. As such, the consumer is entitled to an initial privacy notice before any of his or her nonpublic personal information may be disclosed to a non-affiliated third party (e.g., by selling a list of people who applied for credit to another company). Consumers must also be given the opportunity to opt out of this type of disclosure before the information is shared.

An individual becomes a “customer” when a lease or credit transaction is executed. An initial privacy notice must be provided to a customer “not later than when you establish a customer relationship,” and the opportunity to opt out is also necessary. Dealers must then make annual disclosures to those clients with whom they have continuing relationships, such as ongoing financing or leasing.

Exceptions to Disclosure Rules

The GLBA makes exceptions for many of the information disclosures dealers typically make. Neither consumers nor customers must be given an opt-out notice before information is transmitted to companies that provide services to a dealership (e.g., mailing reminders or flyers). Initial privacy notices, however, are required, and the service provider must be contractually obligated to refrain from making any disclosures beyond those needed to provide the service requested.

Dealers may also disclose information without initial notice when processing a financial product or service that the consumer authorized. This includes sending a consumer’s credit application to a finance source as well as the assignment of a contract to a bank or financing company.

Numerous additional exceptions apply to the initial notice and opt-out requirements. These include several related to disclosures necessary to satisfy legal requirements. In addition, dealers may be subject to requirements under state law or other federal laws, such as the Fair Credit Reporting Act.

Vehicle Service Contracts

Vehicle service contracts (“VSCs”) raise some questions under the GLBA. The act leaves the regulation of privacy in the insurance context to state insurance authorities. In some states, VSCs are considered to be insurance, which would mean the GLBA doesn’t apply. The GLBA’s application in other states is less clear. The National Automobile Dealers Association (NADA) takes the position that providing VSCs is not a financial activity subject to federal privacy regulation.

Simplifying Compliance

NADA recommends that whenever possible dealers restructure their business practices so that all disclosures of information fall within an exception. Those dealers that are unable to do so should develop a tracking system for opt-outs. Dealers should also be aware that no exceptions apply to buy-here-pay-here operations or in-house leasing companies.