Topic 5

Topic 5

Privacy and Customer Information Sharing

Find out the limitations on how and when you can collect and share information about customers and potential customers without exposing your dealership to legal action and fines.

#StayCompliant

LEARN HOW TO PROTECT YOUR CUSTOMERS’ PRIVACY AND YOUR DEALERSHIP

Compliance Tips Recommended Practices

Did you know?

Identity theft and data breaches affect millions of consumers each year. Don’t let them happen at your dealership.

Compliance Tip

A privacy notice is considered a contract with your customers, so make sure your dealership’s business practices follow what is stated in your privacy notice.

What's new for 2021

Effective January 1, 2020, California passed a sweeping new data privacy law, the California Consumer Privacy Act (CCPA), that imposes significant responsibilities on businesses that collect California consumers’ personal information. In addition to compliance with the CCPA, businesses will need to start considering the California Privacy Rights Act (CPRA), which amends the CCPA and goes into effect on January 1, 2023.

Recommended Practice

If your dealership tracks consumers' online behavior, follow the guidelines within the FTC’s “Self-Regulatory Principles for Online Behavioral Advertising."

Federal law and regulations limit how dealers can collect, use, and share non-public personal information as well as credit information about a person. A number of laws and regulations require that dealers give disclosures concerning information collection and sharing practices to potential customers before they become customers (which occurs when they receive a financial product or service from the dealer), and to consumers (persons who provide information to seek but don’t obtain a credit product) prior to the time the dealer intends to collect, use, or share their information.

For example, the California Consumer Privacy Act (“CCPA”) imposes significant responsibilities on businesses that collect California consumers’ personal information. In addition, in November 2020, California passed the California Privacy Rights Act (CPRA), which amends the CCPA and goes into effect on January 1, 2023, with a 12-month lookback for the personal information in scope.

Further, all 50 states and the District of Columbia now have data breach laws with which dealers must be familiar.

The FTC has brought hundreds of privacy-related enforcement proceedings over the past 15 years. Recently, the FTC has brought enforcement cases where companies have engaged in the collection and sharing of consumer data without consumers’ consent, as well as cases against businesses that fail to adequately establish and maintain sufficient information security programs and controls to prevent breaches. This Topic discusses federal and state laws and regulations relating to customer information collection, use, and sharing, and the privacy of consumer data. As used here, the word “customer” will mean both consumers and customers unless otherwise stated.

Important State Laws and Regulations

The California Consumer Privacy Act (CCPA)

(The term “Consumer” as used within this section means a natural person who is a California resident and is different from the use of the term in context of obtaining or seeking credit.) The CCPA is effective as of January 1, 2020 and imposes new obligations on covered businesses. A company will be a covered business under CCPA if it:

Operates as a for-profit entity;
Collects California Consumers’ personal information;
Alone, or jointly with others, determines the purposes and means of processing Consumers’ personal information; and
Does business in California.

The company must also meet one of the following three threshold criteria:

Has annual gross revenues in excess of twenty-five million dollars ($25,000,000); or
Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more Consumers, households, or devices; or
Derives 50% or more of its annual revenues from selling Consumers’ personal information.

The CCPA contains numerous new privacy and data security obligations on covered businesses. These include providing additional rights to California Consumers over the collection and use of their personal information. The CCPA defines personal information as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household. Examples include, a name, alias, postal address, unique personal identifier, IP address, email address, account name, social security number, driver’s license number, Internet activity, geolocation data and other similar identifiers. Publicly available information is not personal information under CCPA. A business will need to be able to provide California Consumers notice of the following rights and the ability to fulfill requests to exercise these rights:

Right to know what personal information is collected about them;
Right to know how their personal information is being used;
Right to access a copy of their personal information;
Right to request that a business delete the personal information that was collected from them (subject to certain exceptions); and
Right to say no to having their personal information sold to third-parties (known as the “Do Not Sell” right.)

A covered business will need to be able to respond to a Consumer request within 45 days and provide the categories of PI collected, the categories of sources from which PI is collected, the business or commercial purpose for collecting PI, the categories of third parties with whom the business shares PI, and the specific pieces of PI the business collected about the Consumer in the 12 months preceding the request. A key CCPA compliance challenge concerns the law’s broad definition of the term “sell” and the numerous obligations that apply to sales of PI. The definition of a sale under CCPA encompasses “releasing, disclosing, disseminating, making available, transferring, or otherwise communicating…a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” Note that disclosures to vendors that qualify as a “service provider” as defined by the CCPA are exempt from being a “sale.” Under the CCPA covered businesses are required to provide enhanced notices to Consumers of their rights through an updated website privacy notice that includes the requisite CCPA disclosures (or a separate California notice). This notice is required to be in place on January 1, 2020 and must cover on-line and offline (in-person) personal information collection and use. In addition, a business must distribute an internal employee privacy notice that includes the requisite CCPA disclosures to all California employees by January 1, 2020. Businesses may also need to provide in-store notices about PI collection practices. This is because the CCPA requires covered businesses to provide a pre-collection notice to Consumers at or before the point and time their PI is collected. This pre-collection notice must inform Consumers of the categories of PI to be collected and the purposes for which the categories of PI will be used. Further, a business can’t collect more PI than necessary, and must limit the use of PI to the stated purposes, absent further advance notice being provided. This requirement applies to online and offline personal information collection and sharing. Dealers may need to provide a just in time notice for Consumers who visit their facilities if CCPA PI is being collected. A CCPA covered business must disclose the following information regarding their PI practices in their online privacy policy (or a separate online notice) and update that information at least once every 12 months. Online privacy policies and any California-specific privacy notices must include:

The categories of PI collected about a Consumer;
The categories of sources from which PI is collected;
The categories of third parties with whom the business shares PI;
The business purpose or commercial purpose for collecting and for selling PI;
The categories of Consumer PI sold (or if not sold, the notice must disclose that fact); and
The categories of Consumer PI it has disclosed for a business purpose (or if not disclosed for a business purpose, the notice must disclose that fact).

In addition, California-specific privacy notices must include:

A description of the Consumer’s right to not be discriminated against for exercising their rights under the CCPA;
A description of the Consumer’s right to request that their PI collected by the business from the Consumer be deleted (subject to exceptions);
The right of Consumers to opt out of having their PI sold (and a link to the businesses’ “Do Not Sell My Personal Information” web-based opt-out tool);
Notice of any financial incentives and a clear description of the material terms of any such program; and
Two or more designated methods for submitting Consumer rights requests.

Covered businesses are also required to update their website homepage to provide a link to their CCPA notice and a “do not sell” button (if applicable). Businesses should ensure that any account registration process directs California Consumers to the California privacy notice or otherwise informs them of their rights. There are exceptions to the “Do Not Sell” right relevant for dealers to take into consideration. The “Do Not Sell” right does not apply to: “Vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicle’s manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.” “Vehicle information” is the vehicle information number, make, model, year, and odometer reading. “Ownership information” is the name or names of the registered owner or owners and the contact information for the owner or owners. In addition, the CCPA does not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (except for in the case of a data breach). Overall, businesses will need to accurately reflect their PI practices in any posted privacy notice, determine how to address consumer rights requests, and develop a process for fulfilling a request within the required timeframe.

California Privacy Rights Act (CPRA)

Overview:

The CPRA (Prop. 24), which was passed into law in November 2020, amends and expands the CCPA by adding consumer rights and additional obligations around Sensitive Personal Information (PI), Children’s PI, and the sharing of PI. The CPRA will officially replace the CCPA on January 1, 2023. At a high level, the newly enacted CPRA moves California privacy law closer to the EU’s GDPR by providing similar rights. However, the CPRA goes further than the GDPR in certain aspects, including through a broad definition of “share” that may capture many common business practices.

Like the CCPA, it applies to “consumers”— basically anyone in California — and “personal information” (PI). Applies to all “Businesses” that process over 100,000 California consumers’ PI. While the CPRA goes into effect on January 1, 2023, there is a 12-month lookback as to the PI in scope. However, notably, the two-year extension of both the Employee and B2B exemption went into immediate effect, thereby extending these exemptions through January 1, 2023.

Enforcement:

Enforcement authority is vested both in a stand-alone, well-funded data protection authority agency to be called the California Privacy Protection Agency (CPPA) as well as with the AG, thus increasing the likelihood of an enforcement action and the repercussions for non-compliance. CPRA also removes the obligation of the government to give notice and a 30-day opportunity to cure non-compliance; provided, however, that the CPPA will have the discretion to permit a one-time cure. There will also be increased penalties for non-compliance regarding children’s PI.

Key Requirements:

The CPRA adds rights in addition to the above CCPA rights, which include the following:

New “Do Not Share” right (share is broadly defined as “making available” certain PI)
- This requires businesses to enable the opt-out of sharing of PI (in addition to selling)
- It requires a link on the businesses’s homepage titled “Do Not Sell or Share My PI”
Right to opt-out of processing of “Sensitive Personal Information” (broadly defined)
- This requires a link on the businesses’s homepage titled “Limit the Use of My Sensitive PI” that businesses will need to effectuate
Right to object to automated processing of PI (such as for profiling and/or targeted ads); and
Right to correction
Right to know all PI collected in certain circumstances (not just in the past 12 months)
Right for employees and personnel to exercise privacy rights upon expiration of the HR exemption on Jan. 1, 2023

In addition to the above rights, the CPRA has additional notice and disclosure obligations, including the following:

Disclosure of categories of Sensitive PI collected, the purposes for collection/use, and whether it is sold or shared
Disclosure of PI retention periods for each category of PI in the notice at collection
Disclosure of commitment to maintain and use certain information in de-identified form

Similar to the CCPA, the CPRA will require company-wide compliance efforts and a detailed understanding of data handling practices. As such, businesses may consider taking a bifurcated approach: (1) continue with CCPA compliance and tracking; and (2) create an internal team to identify the gaps with CPRA.

Important Federal Laws and Regulations

The Fair Credit Reporting Act (FCRA)

The FCRA requires a dealer to have a “permissible purpose” to access a customer’s credit report or credit score. The FCRA also contains restrictions on sharing and using customer credit and consumer report information with both affiliated and non-affiliated companies. It requires notices to be given to customers about certain information sharing with affiliates (FCRA Privacy Notices) and in certain cases, requires giving consumers the right to opt-out of any sharing. FCRA Privacy Notices are typically combined with privacy notices required by the Gramm-Leach-Bliley Act (GLB) into one comprehensive privacy notice for the dealership (FCRA-GLB Privacy Notice). See “FCRA-GLB Privacy Notice Forms” below. The FCRA categorizes consumer credit information into two types:

“Transaction and experience” information: the dealer’s own experience with the customer such as a customer’s payment history on any credit account (for example, a service department “house” account or a customer’s payment history for a buy-here-pay-here dealer account), name, address, and phone number would be a species of transaction and experience information; and
“Other” information: essentially anything obtained from a credit report, a credit score, or credit information about the consumer obtained from a third party (credit information).

Under the FCRA, dealers can share vehicle purchase- or lease-transaction and/or experience information with affiliates, such as sister dealerships, insurance affiliates, or a parent company, without offering an opt-out. Subject to any contractual limitations in a contract with the consumer reporting agency that provided the “credit information,” dealers may share “credit information” with affiliates only if they offer consumers the opportunity to opt out of sharing that “credit information.” Further, the affiliates’ use of the shared information is subject to the requirements of the Affiliate Marketing Rule discussed below. The Affiliate Marketing Rule applies to all marketing based on affiliate sharing of customer information, both transaction and experience information and credit information. So, while a consumer cannot prevent sharing of transaction and experience information with a dealer’s affiliates, he or she can opt out of affiliates using that information to market to them.

Dealers may share transaction and experience information with non-affiliates (unrelated companies such as sellers of non-automobile products, realtors, charities, or local merchant associations) only if the customer is given an FCRA-GLB Privacy Notice describing the right to opt out of non-affiliate sharing of transaction and experience information, the consumer is given a reasonable opportunity to opt out, and the customer fails to opt out.

Whenever the FCRA or GLB gives the customer the right to opt out of data sharing, the FTC has said the dealer must wait 30 days from giving the customer a privacy notice before beginning to share information. This is so the customer has time to decide whether or not to opt out up front. The 30-day rule does not apply if the customer has no right of opt out, such as when a third party is acting only as a service provider to the dealer for the customer’s transaction or a joint marketer as discussed below. However, the third parties receiving such information under either the service provider or joint marketing exceptions are prohibited from using or disclosing the information for any purpose other than the one for which it was received. A dealer’s disclosures to service providers and joint marketers must be stated in the FCRA-GLB Privacy Notice.

The Gramm-Leach-Bliley Act (GLB) and the FTC Privacy Rule (Privacy Rule)

GLB and the Privacy Rule provide consumers with protections on how creditors are permitted to collect, use, and share their nonpublic personal information (NPI). NPI is essentially any identifying information a dealer obtains from or about a customer in connection with a possible credit transaction. GLB and the Privacy Rule also require giving customers privacy notices (GLB Privacy Notices) describing how a creditor collects, uses, and shares NPI, and giving customers rights to opt out of certain types of sharing. The Privacy Rule implements the privacy provisions of GLB. An exception to the right to opt out of third-party sharing applies and permits sharing with service providers and for joint marketing agreements with other financial companies under which the dealer and another financial institution jointly market a different credit product such as a credit card. It is important to note that automotive dealers may often fall within the definition of a financial institution under GLB to the extent they help consumers purchase vehicles through financing and leasing transactions.

Some states have specific requirements as well. A few examples include, in Vermont, where consumers must affirmatively opt into both affiliate and non-affiliate sharing, and in California, where consumers must opt into joint marketing agreements before their information can be shared. Note that the CCPA does not apply to information otherwise covered by GLB or FCRA. This list is not exhaustive, and prior to sharing, dealers will want to consult with their local counsel.

Intersection of GLB and CCPA

As mentioned, a large portion of the personal information collected and processed by financial institutions will be out of scope for CCPA as it falls under GLB. The CCPA exempts information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (GLBA) and implementing regulations. It is important to note that GLBA-regulated entities are not wholly exempt from CCPA. However, the personal information collected that falls within the scope of the GLBA (or NPI) is exempt from the CCPA. For example, personal information from an individual who is not obtaining financial products or services from a financial institution, or PI that will not be used primarily for personal, family, or household purposes (such as personal information collected for targeted marketing) is certainly within the scope of the CCPA.

FTC Affiliate Marketing Rule

The Affiliate Marketing Rule is an FTC regulation published pursuant to the 2003 Fair and Accurate Credit Transactions Act (FACT Act). The Affiliate Marketing Rule (AMR) prohibits a person from using consumer eligibility information received from a corporate affiliate for marketing purposes unless:

The consumer is given a clear, conspicuous, concise written notice explaining that the person may use eligibility information about that consumer received from an affiliate to make solicitations for marketing purposes;
The consumer is first given a reasonable opportunity and a reasonable and simple method to “opt-out,” or prohibit the use of the eligibility information to make solicitations for marketing purposes; and
The consumer has not opted out.

For purposes of the AMR, “eligibility information” means any information that if, communicated, would constitute a “consumer report” as defined under the FCRA.

So, if your dealership has affiliated dealerships, insurance companies, other companies, or even a parent dealership group, the dealer must give its customers the right to opt out of the affiliates’ use of any shared “eligibility” information (NPI combined with transaction and experience or credit information) to market to them. The AMR notice can either be included in the dealer’s FCRA-GLB Privacy Notice or be given separately. If you use a separate Affiliate Marketing notice (such as the model “safe harbor” notice published by the FTC with the Affiliate Marketing Rule), you only need to give the Affiliate Marketing notice once every five years, not every year, as you must do for FCRA-GLB Privacy Notices for as long as the consumer remains a customer and so long as your practices do not change. However, for consistency, it is a best practice to include the Affiliate Marketing notice in your FCRA-GLB Privacy Notice.

A sample FCRA-GLB Privacy form is provided below for your review.

The Affiliate Marketing Rule contains greater potential liability than does the Gramm-Leach-Bliley Act (GLB) with respect to customer privacy rights. While the FTC and state regulators can bring enforcement actions for failing to provide GLB Privacy Notices, customers cannot sue directly under GLB. However, the Affiliate Marketing Rule notice gives a customer the right to bring a lawsuit under the FCRA for any violation of the Affiliate Marketing Rule, including the right to bring a class action. Remedies include the possible recovery of up to $1,000 per violation plus attorney’s fees and unlimited punitive damages for each willful violation, with presumably every individual solicitation by an affiliate being a separate violation. You, the dealer, are at risk if you fail to give the Affiliate Marketing Rule Privacy Notice or if your affiliate markets to a consumer who has opted out of affiliate marketing under this Rule.

You should consult with your attorney to ensure that your AMR notice complies with applicable law.

FCRA-GLB Privacy Notice Forms

The Privacy Rule enables a dealer to give one privacy notice to cover the GLB and FCRA requirements and opt-out provisions, as well as the Affiliate Marketing Rule notice requirements. It is a recommended practice to give this FCRA-GLB privacy notice to customers when first taking their personal information for credit (such as when they fill out a credit application or respond to an online solicitation). If a dealer maintains a credit relationship with a customer (e.g., a buy-here-pay-here dealer), the dealer must give another privacy notice to the customer annually during the term of the credit relationship. It is also a recommended practice to post the privacy notice on the dealership’s website as well as to deliver a copy to consumers who come into your stores. The FCRA-GLB Privacy Notice should describe how the dealer collects, uses, and shares customer NPI, including information about former customers. The FCRA requires that the privacy notice must also give the customer the right to opt out of sharing credit information with affiliates and GLB requires the right of opt out for transaction and experience information with non-affiliated third parties. A dealer can share customer information with service providers or financial institutions that are joint marketers (entities with which you share information solely to jointly market the financial product like a credit card, and for no other purpose); this is permitted by the FCRA and GLB provided the dealer discloses this sharing to the customer in its FCRA-GLB Privacy Notice. The FTC and banking regulators have published model “safe harbor” FCRA-GLB Privacy Notices written in plain English using column formats. There are six alternative forms a dealer can use, depending on whether it shares information, whether it includes the Affiliate Marketing Rule notice, and how it allows customers to opt out. Four of the six forms can be printed on the front and back side of a single sheet of 8.5 x 11-inch paper; the remaining two forms require 8.5 x 14-inch paper or two sheets of 8.5 x 11-inch paper. Using one of these six forms will provide a “safe harbor” from liability for an inadequate privacy notice. The FTC has established a page on its website to construct such a privacy notice (see references at the end of this Topic). A sample of Form 1 of the “safe harbor” notice is contained at the end of this Topic. If you have an ongoing relationship with a customer (i.e., a buy-here-pay-here) and you are sharing information, you should give an annual GLBA notice, unless you are sharing under one of the exceptions. Certain state laws also require additional disclosures to be in privacy notices (for example, California, Nevada, and Vermont) and dealers should be aware of such state requirements. Dealers with consumers in those states should add additional disclosure language in their privacy notices. In California, privacy notices are required to include certain disclosures in addition to the new requirements under CCPA discussed above. The California’s Online Privacy Protection Act (“CalOPPA”) requires a person or entity that collects personal information from California residents for commercial purposes, to post a privacy policy and to comply with that policy. The law also requires that the privacy policy disclose the categories of personal information collected and the third parties that may receive the personal information. It further obligates websites or online services (“publishers”) collecting personal information to disclose how it responds to browser “Do Not Track” (“DNT”) signals or other consumer choice mechanisms for personal information collected over time and across third-party websites or online services. However, the law does not mandate that publishers honor or provide a specific DNT signal response. In addition, the law requires publishers to disclose whether third parties may associate tracking devices with the publisher’s service that collect information about a visitor’s online activities over time and across different services (e.g., other websites). Beyond tracking and targeting disclosures, if a dealer wants to share a California customer’s (note that the term customer here is defined as an individual buying or seeking household goods or services) personal information (broadly defined) with a third party (including, in most cases, affiliates) for the third party’s own direct marketing purposes, then California’s Shine the Light law will also apply. California’s Shine the Light law requires businesses to provide customers with information regarding how and with whom their personal information is shared for third party direct marketing purposes or provide customers with the ability to opt-in or opt-out of such sharing. Of course, the dealer’s information collection, sharing, and use practices must always be consistent with what is disclosed in its privacy notices. The FTC has brought enforcement proceedings for deceptive trade practices against numerous companies including an auto dealer that did not follow the practices described in their privacy notices. As noted above, for all privacy notices, whenever a customer has a right to opt out, you can’t begin sharing their information until at least 30 days after the date you give them the privacy notice. The FTC has ruled the customer must have at least 30 days to consider whether or not they want to opt out and this 30-day waiting period applies to all opt-outs. The FCRA-GLB Privacy Notice should give the customer a toll-free phone number, website address, or mailing address to exercise their opt-out rights. Only if the customer fails to opt out during those 30 days may information sharing for the disclosed purposes subject to the opt out thereafter begin. If a customer opts out after the initial 30-day period, promptly remove them at that time from common databases or information that is stored and recall their information from persons you have shared it with, if possible. Reserve the right to do so in your information-sharing agreements. Additionally, courts and the FTC have ruled that privacy notices are literally contracts between a company and its customers, so a dealership’s business practices must follow what is stated in its privacy notice. The FTC has brought deceptive trade practice enforcement proceedings against companies that violated statements contained in their own privacy notices such as “we will never share any of your personal information.” These proceedings show the importance of writing privacy notices using language in the present tense and not the future tense. Reserve the right to amend your privacy notice by giving the customer a revision or informing the customer that a revised privacy notice has been posted to your website. Always date your privacy notices. The FCRA, as amended by the FACT Act and implementing regulations, contains additional privacy provisions. For example, if a dealer accepts credit or debit cards, any electronically printed card receipt that is given to the customer must truncate all but the last five digits of the card number and cannot show the card expiration date. If not, class action liability can result. Damages for doing so are $100 – $1,000 per receipt for willful violations (generally a knowing or reckless violation) with no cap on damages in a class action. MasterCard and Visa can also assess fines starting at $5,000 for the first violation and going up from there. Make sure your card processing machines are set up to not print any more than the last five numbers and do not print the card’s expiration date as this has been a source of many class actions. A dealer is also required to give identity theft victims copies of transaction documents used in connection with any identity theft incident involving the use of their identity at the dealership if the customer provides sufficient proof of their legitimate identity. Social Security numbers should also be truncated to only the last four digits on printed documents to comply with many state laws. Other than providing consumers the opportunity to “opt out” of certain kinds of data sharing, privacy notices are not negotiable and should not be negotiated with any customer, even if the customer refuses to sign the privacy notice (a customer’s signature on a privacy notice is not required). The privacy notice is a statement of the dealer’s privacy practices applicable to all its customers and changing it for any customer will create an impossible situation to monitor and comply. You should use one of the federal “safe harbor” FCRA-GLB Privacy Notice forms, and the customer’s signature, while a good practice to get, is not legally required.

Driver’s Privacy Protection Act (DPPA)

The DPPA is a federal law restricting the release and use of personal information from state motor vehicle records. “Personal information” means information identifying an individual such as a photograph, Social Security number, or driver’s license number. In general, dealers can use personal information from motor vehicle records only for limited purposes such as to verify the accuracy of information the customer provides to the dealership after obtaining the consumer’s written consent to the dealer to obtain that information. The DPPA makes it illegal to obtain drivers’ information for unlawful purposes or to make false representations to obtain such information. The DPPA establishes criminal fines for noncompliance, and a civil cause of action for drivers against those who unlawfully obtain their information.

Tracking Customers on the Internet: No federal law or regulation directly prohibits the use of “cookies” to track consumer behavior on a dealer’s website or to track the customer’s linking or proceeding to other websites after leaving the dealer’s site.

However, the FTC has issued its final Privacy Report in March 2012, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, indicating that Web tracking should be subject to a “Do Not Track” mechanism. The FTC has stated its support of an initiative of the Better Business Bureau in association with media and marketing companies to get companies that track consumer Web behavior to adopt a self-regulatory program that will give consumers enhanced control over the collection and use of data regarding their Web viewing for online behavioral advertising purposes. The FTC’s Self-Regulatory Principles for Online Behavioral Advertising, initially published in 2009, have been adopted by many companies that track online behavior and represent a “best practice for disclosing the nature of their Web tracking and giving the consumer an opportunity to opt out.” An Advertising Option Icon and accompanying language have been adopted to be displayed within or near online advertisements or on Web pages where data is collected and used for behavioral advertising. The icon links to a clear disclosure statement regarding the company’s online behavioral advertising data collection and use practices as well as an easy-to-use opt-out mechanism. The FTC has stated that privacy should be promoted at every stage of a product design and made transparent to consumers. It also has said that data should only be collected consistent with the context of a particular transaction or consumers’ relationship with the company, or as required or authorized by law. Beyond that, the FTC has indicated that companies should make appropriate disclosures to consumers at “a relevant time and in a prominent manner – outside of a privacy policy or other legal document.” The Chairman of the FTC summarized their position as follows: “We have proposed a “Do Not Track” mechanism that will allow you [the consumer] to easily specify what information you want to share about your browsing behavior and have those preferences travel with you to every website you visit. Technologies to create such a system exist already.”

FTC and FCC Rules on Telemarketing and Using Cell Phone Numbers

Regulators are cracking down on telemarketing and the making of unsolicited phone calls, especially to cell phone numbers. According to a National Health Interview Survey available at the CDC’s website, almost half of U.S. households no longer have land lines and use their cell phone as their home number, so these new rules require extreme caution when calling customers because the cost of calling or texting to cell phones can be $500 – $1,500 under the Telephone Consumer Protection Act.

Laws and regulations concerning telemarketing, email, and fax restrictions are discussed in Topic 7: The FTC: Marketing and Advertising Vehicles, and Credit Terms.

Recommended Practices

Create your FCRA-GLB Privacy Notice using the FTC’s Model Consumer Privacy Online Form Builder. It explains what personal information your dealership collects, how it collects and uses the personal information, and with whom it shares the information. (See example at the end of this Topic.) Write your FCRA-GLB privacy notice in the present tense (“We do the following”) and avoid hyperbole such as “we will never share your information” or “we maintain the highest security practices.” Date your privacy notice. If you share customer information with affiliates, be sure to comply with all applicable law. A best practice is to include the Affiliate Marketing Rule disclosure and notice in your model FCRA-GLB Privacy Notice form which meets the requirements of both the FCRA’s Affiliate Marketing Rule and GLB’s Privacy Rule. Alternatively, you may choose to use the “safe harbor” notice under the Affiliate Marketing Rule to send a single notice to disclose the customer’s right to opt out of the affiliates’ use of customers’ eligibility information to market or solicit. You can then give this Affiliate Marketing notice once every five years, unlike the combined FCRA-GLB Privacy Notice which you have to give annually for as long as the person remains your customer. If you decide to send a separate Affiliate Marketing notice, remember, you must also separately send an annual GLB notice. (Note that if you sell a vehicle to a customer and assign the contract to a financing source, that person is no longer considered your customer for privacy notice purposes unless they have another credit relationship with your dealership.)
Have your privacy notices reviewed by your counsel to ensure the notices contain all of the required disclosures. You should also make sure that your privacy notices accurately reflect your actual information collection and sharing practices. Be careful about pooling information with affiliates or your parent company into a central database, as doing so can be considered sharing information with affiliates.
Confirm whether and how you share information with third parties in accordance with your current FCRA-GLB Privacy Notice. Many DMS providers “pull” information out of your DMS system and use it for their own purposes and not merely to service your account. Doing so is considered third-party sharing under GLB. If your privacy notice says, “we don’t share” and your DMS provider is taking and giving access to customer information to third parties (even without your knowledge), you may be in breach of your privacy notice and face a prospective class action. Given the nature of the DMS system used by many dealers, it may be a safer practice to indicate in your FCRA-GLB Privacy Notice that you do share and give customers the right to opt out. If possible, contractually prohibit your DMS providers from pulling customer data from your DMS system for any reason other than to service your account. Any such access to customer data for purposes that extend beyond servicing their account must be disclosed, and appropriate opt-out rights for sharing must be given in your privacy notice. Make sure to contractually require your affiliates and other entities with which you share customer information to comply with your privacy notices as well.
Give your FCRA-GLB Privacy Notice to each consumer who provides you their personal information. Provide it when the person first gives you their personal information, or soon thereafter. Clearly and conspicuously post your FCRA-GLB Privacy Notice on your dealership website, link to it from your online credit application form (a good practice is to compel a consumer to link to the privacy notice and be forced to scroll through it before they can submit the online credit application), and give a copy to every consumer who comes into your store inquiring about financing. The FTC has an internal group that reviews company privacy notices and “mystery shops” to uncover violations.
Date your privacy notices so that you will always know that the version you are using is current. If you use one of the model notice forms, this dating reserves the right to change your privacy notice at any time. Put updated privacy notices on your website when you do make a change. The model “safe harbor” FCRA-GLB Privacy Notice forms require dating your privacy notices.
Set up a process in your dealership to collect and manage all customer opt-outs from your customers. Customers have many opt-out rights. One way to manage them is to establish separate opt-out lists for each of these and use them before sharing information or conducting marketing activity as necessary. However, to simplify the process and reduce the chance for errors, keep one master list of customers who send opt-out notices to your dealership concerning any information sharing and remove all these customers from all databases that you share or use for contact purposes, including common databases within a dealership group. Having a single omnibus opt-out system is a much simpler process and will make you less likely to commit an error that could constitute a compliance violation.
If your dealership is engaged in online tracking for advertising purposes, you should consider use of the Advertising Option Icon and giving consumers a Do-Not-Track opt-out mechanism. At minimum, disclose in your Terms of Use on your website what you are doing in the way of placing cookies on users’ devices and the nature of the tracking you do. Transparency in data collection and use was a priority in the FTC’s Final Privacy Report released in March 2012.
If your does business in California, you should evaluate your CCPA obligations and specifically whether you will need to have the CCPA “Do Not Sell” link accessible on your website.

Additional Resources

The FTC’s Privacy Rule and Auto Dealers:

https://www.ftc.gov/tips-advice/business-center/guidance/ftcs-privacy-rule-auto-dealers-faqs

FTC Model Privacy Notice Online Form Builder:

http://www.federalreserve.gov/bankinforeg/privacy_notice_instructions.pdf

Line-by-line instructions to complete model privacy notice — Go to page #62965 (FTC rules begin at the bottom of this page in this Federal Register notice):

http://www.gpo.gov/fdsys/pkg/FR-2009-12-01/html/E9-27882.htm

Background on the FCRA:

http://epic.org/privacy/fcra/

Information about the DPPA:

http://www.accessreports.com/statutes/DPPA1.htm

Information on the CCPA:

https://oag.ca.gov/system/files/attachments/press_releases/CCPA%20Fact%20Sheet%20%2800000002%29.pdf

Example of a Model Privacy Notice Form

The following is a sample of a privacy notice. This sample is for illustrative purposes only. Consult your attorney to ensure the notice you intend to provide to your customers complies with the law. Note: You will also need to add any required states’ notices as applicable.
Review Sample Privacy Notice Form

What's new for 2021!

In addition to the CCPA, which went into effect on January 1, 2020, California passed the California Privacy Rights Act., which amends the CCPA and goes into effect on January 1, 2023 (with a 12 month “lookback” period for the personal information in scope).

Did You Know?

The CCPA gives California consumers addtional rights regarding the collection and use of their personal information.

Compliance Tip

A privacy notice is considered a contract with your customers, so make sure your dealership’s business practices follow what is stated in your privacy notice.

Did You Know?

Privacy notices are not negotiable and should not be negotiated with any customer, even if the customer refuses to sign them.

Did You Know?

Regulators are cracking down on telemarketing and the making of unsolicited phone calls, especially to cell phone numbers. Fines for calling or texting to cell phones can be $500 - $1,500 under the Telephone Consumer Protection Act.

Recommended Practice

Use the FTC’s Model Consumer Privacy Online Form Builder.

Recommended Practice

Have your privacy notices reviewed by your counsel.

Recommended Practice

Confirm that your third-party information sharing practices are in accordance with your current privacy notice.

Recommended Practice

Give your FCRA-GLB Privacy Notice to each consumer who gives you their personal information.

Recommended Practice

Always date your privacy notices.

Recommended Practice

Consistently collect and manage all customer opt-outs.

Recommended Practice

Alert customers if you use online tracking and give them them a way to opt out.

Recommended Practice

California dealerships: Find out whether you need to add the CCPA "Do Not Sell" link to your website.

Topic 6

Next Topic

Aftermarket Product Selling

GO TO NEXT TOPIC

Topic1

Key Changes to the F&I Compliance Environment

Topic2

Looking Ahead: Considerations for Your 2021 Compliance Action Plan

Topic3

Credit Applications, Credit Reports, and Contracts

Topic4

Data Safeguards and Identity Theft Protection

Topic5