Following the recent Equifax data breach, in which millions of consumers’ private information may have been compromised, it is increasingly clear that consumer-facing businesses need to, and in some cases are required to, take steps to protect their consumers’ private information. Although not traditionally considered “financial institutions,” auto dealers that engage in financial activities—those that extend credit to someone to purchase a car, arrange financing or leasing, or give financial advice—must comply with the consumer privacy requirements of the Gramm-Leach-Bliley Act (GLBA) and the related rules of the Federal Trade Commission (FTC), as well as certain state data privacy laws. Enacted in 1999 and, for auto dealers, enforced by the FTC, the GLBA requires financial institutions to explain their information-sharing practices to their customers and to safeguard private personal data. Specifically, the FTC’s Privacy of Consumer Financial Information Rule (Privacy Rule) requires auto dealers that qualify as financial institutions to notify consumers and customers about the information they collect, with whom they share it, and how they protect it.

When does the Privacy Rule apply and what information is covered under it?

The Privacy Rule applies only when a dealer collects private personal information in connection with the financing or leasing of a vehicle and intends to disclose that information to nonaffiliated third parties (e.g., third-party lenders). The rule does not require that the person have filled out a formal application, and it does not apply if that person pays with cash or uses their own lender. Thus, the most likely situation in which an auto dealer will need to give a privacy notice to a “consumer” is when it runs that person’s credit, submits their private information to third-party lenders, or assigns a retail installment contract to a third party. A consumer who is not yet a customer can be given a “short form” notice, which must explain that a full notice is available upon request, how to obtain it, and how to opt out. A consumer becomes a customer once they enter into a contract with the dealer to purchase or lease a vehicle, and is then entitled to a full privacy notice, among other requirements. The full privacy notice must be a “clear and conspicuous” written notice describing the dealer’s privacy policies and practices, including how the dealer collects, discloses, and protects consumers’ private personal information.

The specific information the Privacy Rule protects is a consumer’s “nonpublic personal information” (NPI), which includes any “personally identifiable financial information” that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise “publicly available.” Typical examples of NPI include, but are not limited to, name, address, Social Security number, and income. Information that is legally “publicly available,” such as a telephone number listed in a public phonebook, is not NPI.

Should auto dealers be concerned?

Although the Privacy Rule has been in force for almost two decades, the FTC has for the most part focused its regulatory oversight on other financial service providers. In 2012, however, the FTC brought its first action alleging GLBA violations against an auto dealer, a Georgia dealership, and in doing so provided guidance on what the FTC considers reasonable practice under the GLBA. In that action, the FTC alleged that the dealer “had failed to implement reasonable security measures to protect consumers’ personal information, and, as a result, information for 95,000 consumers was made available on a [peer-to-peer] network. The information included names, addresses, Social Security Numbers, dates of birth, and driver’s license numbers.” The FTC also alleged that the dealership “failed to prevent, detect and investigate unauthorized access to personal information on its networks, failed to adequately train employees and failed to employ reasonable measures to respond to unauthorized access to personal information.” The FTC further alleged that the dealership had failed to provide annual privacy notices to its customers and a mechanism by which customers could opt out of information sharing, in violation of the Privacy Rule. Ultimately, the dealership settled with the FTC and was required to “establish and maintain a comprehensive information security program, and undergo data security audits by independent auditors every other year for 20 years.”

As this case illustrates, and given the proliferation of online consumer data and the growing number of widely publicized large-scale breaches, the auto industry is a likely next target of regulatory attention. This is particularly true as regulators begin to focus on what companies can do to prevent a breach, and to safeguard consumer information when one occurs, as happened at Equifax.

Note: This article does not discuss an auto dealer’s obligations under the FTC’s Safeguards Rule, the Fair Credit Reporting Act, or other federal and state laws.