The Federal Trade Commission (FTC) has developed these additional FAQs to help auto dealers comply with the Gramm-Leach-Bliley Act and the FTC’s Privacy Rule. The following questions and answers show how the Privacy Rule applies to specific situations that auto dealers may face. Before reading this, you may want to familiarize yourself with the FTC’s small business guide, How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, and the Frequently Asked Questions for the Privacy Regulation. Other business guidance is available on the FTC’s website at www.ftc.gov/privacy/privacyinitiatives/financial_rule_bus.shtm.
Please note that this information does not address possible legal obligations you may have under the FTC Safeguards Rule, the Fair Credit Reporting Act, or other federal and state laws.
The Privacy Rule applies to car dealers who:
You don’t need to give a privacy notice to someone who simply expresses an interest in buying a car from you or asks general questions about financing or leasing. However, if a person gives you personal information in connection with a potential transaction, even without completing a formal application — for example, if they give you personal information to get a quote on a financial package — you may have other obligations. For more information, see Question 3.
The answer depends on whether the person is a “consumer” or a “customer” — words that have their own meanings under the Privacy Rule. A person becomes a “consumer” when (s)he gives you personal information in the context of possibly financing or leasing a car from you. You only need to give them a privacy notice (and an opt-out notice) if you intend to disclose their personal information to nonaffiliated third parties. However, there are exceptions to this requirement which are set forth in sections 313.14 and 313.15 of the Privacy Rule. These exceptions include disclosures to process a transaction requested by the consumer, disclosures made with the consumer’s consent, and disclosures for law enforcement purposes. If someone enters into a contract with you to buy a car and you extend them credit or arrange for someone else to extend them credit, they become your “customer.” In the leasing context, once someone enters into a lease agreement with you, they become your “customer” as well. Whether leasing or arranging credit, you must give them a privacy notice no later than at the time of signing of the retail installment contract or lease agreement — even if you do not disclose their personal information to others. For more information about your general responsibilities to “consumers” and “customers,” see Section II of How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act; Section B of the Frequently Asked Questions for the Privacy Regulation; and 16 C.F.R. §§ 313.4(a) and 313.10(a).
If you lease cars on a non-operating basis where the initial term of the lease is at least 90 days, the Privacy Rule applies to you. “Non-operating” means that the lease agreement does not include maintenance or repair services, unlike, for example, car rental services. As for when you have to give a person a privacy notice, the same rules outlined in Question 3 apply to you.
In general, the Privacy Rule covers personal information you obtain in the course of financing or leasing a car for personal, family, or household use. However, it doesn’t cover:
- personal information obtained in the course of a sale that you don’t help to finance (e.g., where the individual secured his own financing or paid in cash);
- sales figures that don’t contain personal information; and
- general retail sales data that isn’t derived from information about how individuals financed or leased their cars.
To illustrate how this works: A list of all the retail customers who bought cars from you falls outside the Rule — assuming that the list doesn’t reveal how they paid for the car and isn’t derived from any information about how their purchases were financed. However, if the list specifies which customers financed or leased their cars, it would be covered by the Rule. A list of people who applied to you to finance or lease a car would also be covered.
If you want to send flyers to all of your customers, you don’t need to give them an opt-out notice as long as you don’t distinguish between those who financed or leased and those who didn’t. A list of all your customers — without reference to whether they financed their car or paid for it outright — falls outside the Privacy Rule, as long as the list wasn’t derived from information about how they obtained their car. For more information on privacy notices and opt-out notices, see Section II of How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act.
In this situation, the Privacy Rule applies because you derived the list from the provision of a financial service. However, the “service provider” exception to the Privacy Rule lets you give the marketing company your finance customer list without providing an opt-out notice if you meet both the following requirements:
- You gave your customers a privacy notice during your initial transaction that includes a statement that you share nonpublic personal information in order to market your own products or services; and
- You enter into a contract with the marketing company that prohibits it from disclosing or using the information except to carry out the marketing you have requested.
If you don’t meet both these requirements, you must give people an opt-out notice and a reasonable opportunity to opt out before disclosing their personal information to the marketing company. If you send the mailing out yourself, without disclosing any information to third parties, you don’t have to meet the requirements stated above. For more information on opt-out notices, see Section F of the Frequently Asked Questions for the Privacy Regulation and 16 C.F.R. § 313.10. For more information on the “service provider” exception, see Section G of the Frequently Asked Questions for the Privacy Regulation and 16 C.F.R. § 313.13. Remember that even if you do not have to give an opt-out notice, you may still be required to give annual privacy notices that describe your privacy policies and practices.
Yes. When a dealer enters into a retail installment contract with a person to finance the purchase of a car, the dealer is the creditor on the contract and is contractually bound by its terms. Because the dealer has extended credit, it has established its own customer relationship with the person when they sign the contract. Therefore, under the Privacy Rule, you must give a privacy notice no later than when the borrower signs the contract, even if you intend to assign the contract to a third party lender. See 16 C.F.R. § 313.4(a)(1) for more information. Once the contract is assigned to a third party lender, you no longer have a customer relationship with the individual borrower and you are no longer responsible for providing annual privacy notices to this person. However, you are still bound by the terms of the initial privacy policy you gave the person, and you must continue to honor any opt-out requests you have received.
When you assign the retail installment contract, including the servicing rights, to a third party lender, that lender now has a customer relationship with the individual borrower. Since the customer relationship was not established at the customer’s election, the third party lender must deliver its privacy notice to the customer within a reasonable time after it buys the contract. Alternatively, if the third party lender is known when the customer signs the retail installment contract, that lender may arrange to have the dealer give the lender’s privacy notice to the customer when the dealer gives its own notice. In addition, the third party lender must give the customer an annual notice for as long as the customer relationship continues. See 16 C.F.R. § 313.5(a) for more information.
Where you do not assign the contract, the people remain your customers and you need to give them an initial privacy notice, an opt-out notice (if applicable), and an annual notice for as long as the customer relationship lasts. See 16 C.F.R. §§ 313.4(a), 313.5(a)(1), and 313.10(a)(1) for more information.
No. A person whose application for credit has been denied is considered a “consumer” — not a “customer” — and therefore you do not have to give them a privacy notice as long as you do not share their personal information. See Question 3 and 16 C.F.R. §§ 313.3(e)(2) for more information about privacy notices and “consumers.”
In general, you must give an opt-out notice before you share information with nonaffiliated third parties. A manufacturer is not considered your “affiliate” unless it controls your management or your policies, or you are under common control with the manufacturer. However, there are situations when you may share personal information with nonaffiliated third parties without providing consumers an opportunity to opt out of the disclosure. These limited circumstances are listed in sections 313.14 and 313.15 of the Privacy Rule. In this situation, you are reporting on behalf of your dealership to the nonaffiliated manufacturer under an exception that permits disclosure to comply with federal, state, or local laws. You would not need to give an opt-out notice to the buyer. However, because the manufacturer received the information from you under one of the exceptions to the opt-out requirement, it may not use the information for unrelated purposes like marketing. See 16 C.F.R. § 313.11(a). You may also disclose general retail sales data to the manufacturer about all your customers — even if you are not required to do so by law — as long as the data does not reveal information about how the customers financed their purchases. See Question 5 above.
Yes. When you send an individual’s application for financing to a third party lender, the lender can give you information about why the loan was denied so you can give the information to the applicant. The Equal Credit Opportunity Act (ECOA) permits a creditor (here, the third party lender) to disclose the reasons for taking an adverse action through a third party (here, the car dealer) when the third party submits an application to a creditor on behalf of the consumer. The car dealer must comply with the notice requirements of section 202.9 of Regulation B under ECOA, including providing the consumer a statement of the action taken and the reasons for the denial. In this situation, the third party lender is disclosing information to you to comply with federal law, as permitted by the Privacy Rule. Because you receive personal information from the third party lender under an exception to the Privacy Rule, your ability to use and disclose the information is limited. The limits are discussed in Section G of the Frequently Asked Questions for the Privacy Regulation.
No. The disclosure of personal information to a third party lender is allowed under the exception to the Privacy Rule concerning secondary market sales, including sales of servicing rights or similar transactions related to a consumer’s transaction.
General retail sales information about everyone who buys cars from a car dealer can be provided on the RDR because this information falls outside the scope of the Privacy Rule. Information like name, address, vehicle make and model, and vehicle identification number may be disclosed because these categories are not related to whether or how the car was financed. However, any personal information you obtain in the course of financing or leasing is covered by the Privacy Rule. This includes the fact that a car has been financed or leased or any other information derived from the financing or leasing. For example, if the RDR not only has customers’ names, addresses, and vehicle information, but also notes which customers financed or leased their cars, the Privacy Rule would apply. Therefore, unless the disclosure of this information falls within one of the exceptions under sections 313.14 or 313.15, you cannot give the information to the nonaffiliated manufacturer unless you first give the customer an opt-out notice and a reasonable opportunity to opt out. Where the personal information is disclosed under an exception, the manufacturer may use the information only for that purpose and can’t use the information to market to those customers.
No. In this case, you are processing a transaction at the individual’s request, and can disclose personal information to nonaffiliated third parties like the manufacturer to process the rebate. However, you may disclose to the manufacturer only information necessary to process the rebate. Further, the manufacturer may use this information only to process the rebate and may not use it for other purposes, such as marketing.
The FTC works for the consumer to prevent fraudulent, deceptive, and unfair practices in the marketplace and to provide information to businesses to help them comply with the law. To file a complaint or to get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency's responsiveness to small businesses. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go to www.sba.gov/ombudsman.