A new model for auto dealers?

Share This Page

There are three letters every auto dealer should know about. GTO? XKE? Good guesses, but not what we had in mind.

We’re talking about GLB.

The Gramm-Leach-Bliley Act requires financial institutions to give their customers initial and annual notices about their privacy policies. If the company shares certain customer information with particular types of third parties, they also have to give customers the opportunity to opt out of sharing. The FTC’s Privacy of Consumer Financial Information Rule – friends call it the GLB Privacy Rule – explains the specifics.

In this context, the definition of “financial institution” extends beyond places with tellers, vaults, and pens tethered to the counter. And post Dodd-Frank, much of the rulemaking authority under GLB is now with the CFPB. But there’s an important exception. The FTC retains rulemaking authority when the financial institution in question is an auto dealer. We’ve proposed a change to how the GLB Privacy Rule will operate for auto dealers and we’re asking for your feedback.

What’s under consideration? A revision that would allow dealers that finance cars or offer car leases to provide online updates to consumers about their privacy policies, rather than send yearly updates by mail. Dealers could do that only if they notify consumers annually that the policy is viewable online. The proposed rule change would require that notification to be part of some other legally required document provided to consumers.

Dealers would still have to provide a written copy of the notice if consumers ask for one. And if you’ve changed your privacy policy since a consumer last received a written notice, you’d still have to give them a hard copy. What about dealers who share consumers’ personal data with third parties in a way that gives consumers an opt-out right? The proposed online option wouldn’t apply to them.

Those are just some highlights of what's under consideration, so be sure to read the Federal Register Notice for details. The goal, of course, is to keep the rules the FTC enforces up to date and streamlined.

Interested in weighing in? File an online comment by August 31, 2015.



Auto dealers are the worst offenders of privacy policies. They provide written disclosures but does not abide by them.

Most consumers doesn't even know, disclosure is requrred

Could the rule require the company to share the names of the third party companies that it opts to provide the consumer info with or without consent? Need the transparency here!

I like it but would add that the re: line should sufficiently notify the recipient that privacy choices are contained in the body of the email.

If you have any thoughts about what the Rule should require, feel free to file a comment by the August 31st deadline. We welcome feedback and suggestions. It's easy to do online and doesn't require anything formal. (Sorry, but a comment to a Business Blog post doesn't become part of the public record when a rule is under review.)

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.