Auto dealers that extend credit, arrange financing or leasing, or give financial advice must notify customers about the information they collect, who they share it with, and how they protect it. Are you following the rules of the road?
The Federal Trade Commission (FTC) has developed these additional FAQs to help auto dealers comply with the Gramm-Leach-Bliley Act and the FTC’s Privacy Rule. The following questions and answers show how the Privacy Rule applies to specific situations that auto dealers may face. Before reading this, you may want to familiarize yourself with the FTC’s small business guide, How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, and the Frequently Asked Questions for the Privacy Regulation. Other business guidance is available on the FTC’s Gramm-Leach-Bliley Act page.
Please note that this information does not address possible legal obligations you may have under the FTC Safeguards Rule, the Fair Credit Reporting Act, or other federal and state laws.
Activities and Entities Covered by the Privacy Rule
1. Does the Privacy Rule apply to me?
The Privacy Rule applies to car dealers who:
- Extend credit to someone (for example, through a retail installment contract) in connection with the purchase of a car for personal, family, or household use;
- Arrange for someone to finance or lease a car for personal, family, or household use; or
- Provide financial advice or counseling to individuals.
If you engage in these activities, any personal information that you collect to provide these services is covered by the Privacy Rule. Examples of personal information include someone’s name, address, phone number, or other information that could be used to identify them individually. The Privacy Rule applies if you collect personal information about someone in connection with the potential financing or leasing of a car, even if that person does not fill out a formal application. The Privacy Rule does not apply to you if a person buys a car with cash or arranges financing on their own through another lender.
2. Do I need to give a privacy notice to everyone who walks into my showroom?
You don’t need to give a privacy notice to someone who simply expresses an interest in buying a car from you or asks general questions about financing or leasing. However, if a person gives you personal information in connection with a potential transaction, even without completing a formal application — for example, if they give you personal information to get a quote on a financial package — you may have other obligations. For more information, see Question 3.
3. When do I have to give someone a privacy notice?
The answer depends on whether the person is a “consumer” or a “customer” — words that have their own meanings under the Privacy Rule. A person becomes a “consumer” when (s)he gives you personal information in the context of possibly financing or leasing a car from you. You only need to give them a privacy notice (and an opt-out notice) if you intend to disclose their personal information to nonaffiliated third parties. However, there are exceptions to this requirement which are set forth in sections 313.14 and 313.15 of the Privacy Rule. These exceptions include disclosures to process a transaction requested by the consumer, disclosures made with the consumer’s consent, and disclosures for law enforcement purposes. If someone enters into a contract with you to buy a car and you extend them credit or arrange for someone else to extend them credit, they become your “customer.” In the leasing context, once someone enters into a lease agreement with you, they become your “customer” as well. Whether leasing or arranging credit, you must give them a privacy notice no later than at the time of signing of the retail installment contract or lease agreement — even if you do not disclose their personal information to others. For more information about your general responsibilities to “consumers” and “customers,” see Section II of How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act; Section B of the Frequently Asked Questions for the Privacy Regulation; and 16 C.F.R. §§ 313.4(a) and 313.10(a).
4. I lease cars to individuals. How does the Privacy Rule apply to me?
If you lease cars on a non-operating basis where the initial term of the lease is at least 90 days, the Privacy Rule applies to you. “Non-operating” means that the lease agreement does not include maintenance or repair services, unlike, for example, car rental services. As for when you have to give a person a privacy notice, the same rules outlined in Question 3 apply to you.
5. Is all the information that I obtain in connection with financing or leasing a car covered by the Privacy Rule?
In general, the Privacy Rule covers personal information you obtain in the course of financing or leasing a car for personal, family, or household use. However, it doesn’t cover:
- personal information obtained in the course of a sale that you don’t help to finance (e.g., where the individual secured his own financing or paid in cash);
- sales figures that don’t contain personal information; and
- general retail sales data that isn’t derived from information about how individuals financed or leased their cars.
To illustrate how this works: A list of all the retail customers who bought cars from you falls outside the Rule — assuming that the list doesn’t reveal how they paid for the car and isn’t derived from any information about how their purchases were financed. However, if the list specifies which customers financed or leased their cars, it would be covered by the Rule. A list of people who applied to you to finance or lease a car would also be covered.
Disclosures to Service Providers
6. As a courtesy to my customers, I sometimes hire an outside marketing company to send holiday greeting cards or advertisements about “specials” in my service department. To do this, I have to give the marketing company my customers’ names and addresses. I’ve provided my customers with a privacy notice, but because I don’t usually disclose their information except as required by law, I haven’t given them an opt-out notice. Do I now need to give an opt-out notice to my customers before disclosing this information to the marketing company?
If you want to send flyers to all of your customers, you don’t need to give them an opt-out notice as long as you don’t distinguish between those who financed or leased and those who didn’t. A list of all your customers — without reference to whether they financed their car or paid for it outright — falls outside the Privacy Rule, as long as the list wasn’t derived from information about how they obtained their car. For more information on privacy notices and opt-out notices, see Section II of How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act.
7. A follow up to Question 6, but instead of sending the mailing out to all my customers, I want to send it out only to those customers for whom I arranged financing. Do I need to give an opt-out notice before I give the outside marketing company my customer list?
In this situation, the Privacy Rule applies because you derived the list from the provision of a financial service. However, the “service provider” exception to the Privacy Rule lets you give the marketing company your finance customer list without providing an opt-out notice if you meet both the following requirements:
- You gave your customers a privacy notice during your initial transaction that includes a statement that you share nonpublic personal information in order to market your own products or services; and
- You enter into a contract with the marketing company that prohibits it from disclosing or using the information except to carry out the marketing you have requested.
If you don’t meet both these requirements, you must give people an opt-out notice and a reasonable opportunity to opt out before disclosing their personal information to the marketing company. If you send the mailing out yourself, without disclosing any information to third parties, you don’t have to meet the requirements stated above. For more information on opt-out notices, see Section F of the Frequently Asked Questions for the Privacy Regulation and 16 C.F.R. § 313.10. For more information on the “service provider” exception, see Section G of the Frequently Asked Questions for the Privacy Regulation and 16 C.F.R. § 313.13. Remember that even if you do not have to give an opt-out notice, you may still be required to give annual privacy notices that describe your privacy policies and practices.
8. When someone agrees to finance the purchase of a car with my dealership, they sign a retail installment contract. I immediately assign the contract to a third party lender. Do I have to give a privacy notice to the purchaser?
9. When the retail installment contract is assigned, does the third party lender have to give a privacy notice? If so, when?
When you assign the retail installment contract, including the servicing rights, to a third party lender, that lender now has a customer relationship with the individual borrower. Since the customer relationship was not established at the customer’s election, the third party lender must deliver its privacy notice to the customer within a reasonable time after it buys the contract. Alternatively, if the third party lender is known when the customer signs the retail installment contract, that lender may arrange to have the dealer give the lender’s privacy notice to the customer when the dealer gives its own notice. In addition, the third party lender must give the customer an annual notice for as long as the customer relationship continues. See 16 C.F.R. § 313.5(a) for more information.
10. I extend credit to people who buy cars from me through retail installment contracts. I keep the contracts and do not assign them to others. What are my obligations?
Where you do not assign the contract, the people remain your customers and you need to give them an initial privacy notice, an opt-out notice (if applicable), and an annual notice for as long as the customer relationship lasts. See 16 C.F.R. §§ 313.4(a), 313.5(a)(1), and 313.10(a)(1) for more information.
11. I receive personal information from someone who applies for financing for the purchase of a car. After processing the application, I decide not to accept the application for credit. I have no plans to share this person’s information, other than as required by law. Do I have to give this individual a privacy notice?
No. A person whose application for credit has been denied is considered a “consumer” — not a “customer” — and therefore you do not have to give them a privacy notice as long as you do not share their personal information. See Question 3 and 16 C.F.R. §§ 313.3(e)(2) for more information about privacy notices and “consumers.”
Disclosures Under Exceptions to the Notice and Opt-Out Requirements
12. When I sell a car, I am required by law to report certain information about the sale to the manufacturer for recall purposes, whether I arrange financing for the purchase or not. Can I continue to report this information about the sales I finance to the manufacturer under the Privacy Rule? Do I have to give an opt-out notice to the buyer?
In general, you must give an opt-out notice before you share information with nonaffiliated third parties. A manufacturer is not considered your “affiliate” unless it controls your management or your policies, or you are under common control with the manufacturer. However, there are situations when you may share personal information with nonaffiliated third parties without providing consumers an opportunity to opt out of the disclosure. These limited circumstances are listed in sections 313.14 and 313.15 of the Privacy Rule. In this situation, you are reporting on behalf of your dealership to the nonaffiliated manufacturer under an exception that permits disclosure to comply with federal, state, or local laws. You would not need to give an opt-out notice to the buyer. However, because the manufacturer received the information from you under one of the exceptions to the opt-out requirement, it may not use the information for unrelated purposes like marketing. See 16 C.F.R. § 313.11(a). You may also disclose general retail sales data to the manufacturer about all your customers — even if you are not required to do so by law — as long as the data does not reveal information about how the customers financed their purchases. See Question 5 above.
13. Occasionally, a third party lender whom I contact denies a consumer’s application for financing. Can that lender give me the reasons for the denial so I can let the consumer know?
Yes. When you send an individual’s application for financing to a third party lender, the lender can give you information about why the loan was denied so you can give the information to the applicant. The Equal Credit Opportunity Act (ECOA) permits a creditor (here, the third party lender) to disclose the reasons for taking an adverse action through a third party (here, the car dealer) when the third party submits an application to a creditor on behalf of the consumer. The car dealer must comply with the notice requirements of section 202.9 of Regulation B under ECOA, including providing the consumer a statement of the action taken and the reasons for the denial. In this situation, the third party lender is disclosing information to you to comply with federal law, as permitted by the Privacy Rule. Because you receive personal information from the third party lender under an exception to the Privacy Rule, your ability to use and disclose the information is limited. The limits are discussed in Section G of the Frequently Asked Questions for the Privacy Regulation.
14. When I assign or sell a lease or retail installment contract to a third party lender, do I have to give an opt-out notice to my customers?
No. The disclosure of personal information to a third party lender is allowed under the exception to the Privacy Rule concerning secondary market sales, including sales of servicing rights or similar transactions related to a consumer’s transaction.
15. Car manufacturers generally require dealers to complete a retail delivery report (RDR) about every purchase or lease transaction. Under the Privacy Rule, am I allowed to disclose this information to the manufacturer?
General retail sales information about everyone who buys cars from a car dealer can be provided on the RDR because this information falls outside the scope of the Privacy Rule. Information like name, address, vehicle make and model, and vehicle identification number may be disclosed because these categories are not related to whether or how the car was financed. However, any personal information you obtain in the course of financing or leasing is covered by the Privacy Rule. This includes the fact that a car has been financed or leased or any other information derived from the financing or leasing. For example, if the RDR not only has customers’ names, addresses, and vehicle information, but also notes which customers financed or leased their cars, the Privacy Rule would apply. Therefore, unless the disclosure of this information falls within one of the exceptions under sections 313.14 or 313.15, you cannot give the information to the nonaffiliated manufacturer unless you first give the customer an opt-out notice and a reasonable opportunity to opt out. Where the personal information is disclosed under an exception, the manufacturer may use the information only for that purpose and can’t use the information to market to those customers.
16. When I lease cars to individuals, there is often a manufacturer’s rebate offered in connection with the lease. For my customers to qualify for the rebate, I need to disclose personal information from the lease transaction to the manufacturer. If the customer wants the manufacturer’s rebate, do I have to give an opt-out notice to her before sending the information to the manufacturer?
No. In this case, you are processing a transaction at the individual’s request, and can disclose personal information to nonaffiliated third parties like the manufacturer to process the rebate. However, you may disclose to the manufacturer only information necessary to process the rebate. Further, the manufacturer may use this information only to process the rebate and may not use it for other purposes, such as marketing.
For More Information
The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or to get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
Your Opportunity to Comment
The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency's responsiveness to small businesses. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go to www.sba.gov/ombudsman.