Pub. 18 2019-2020 Issue 2

N E W J E R S E Y C O A L I T I O N O F A U T O M O T I V E R E T A I L E R S I S S U E N O . 3 , 2 0 1 9 22 new jersey auto retailer The Gramm-Leach-Bliley Act ( “GLB” ) Act was enacted November 12, 1999 to address concerns relating to con- sumer financial privacy. The first Rule under the Act, known as The Privacy Rule, went into effect on July 1, 2001, requiring financial institutions to provide notice of sharing practices to customers/consumers and clarified the requirements for infor- mation sharing practices. Shortly thereafter, The Safeguards Rule went into effect on May 23, 2003, which aimed to protect identity theft of the consumer’s non-public information. Obvi- ously, it has been quite a while since these rules were enacted and the dealership environment for collecting, storing, and man- aging customer information has changed dramatically. Both The Privacy Rule and The Safeguards Rule fall under Federal Trade Commission (“ FTC ”) enforcement. If you are unfamiliar with the changes that have occurred in FTC regulatory authority, the civil penalties for non-compliance have increased substantially over the last 10 years. Originally, when the rules were first enacted, penalties started at $11,000 per violation. This increased overtime to $16,000 per violation, and in 2016, the maximum civil penalty reached $40,000. In 2018, the FTC again published inflation-adjusted civil penalty amounts, increasing the $40,000 threshold to $42,530 starting February 14, 2019. The Privacy Rule By definition, a dealership is considered a financial institution at the time of purchase and must comply with all Federal and State regulations in the course of lending and leasing automo- biles. As stated above, The Privacy Rule requires financial insti- tutions to provide notice of their sharing practices. A common misconception is that the Privacy Notice only needs be delivered to customers when a vehicle is delivered. However, both con- sumers ( individuals who inquire to buy and fill out a credit application ) and customers ( individuals who purchase a vehicle from the dealership ) should both receive a Privacy Notice. The Privacy Notice requirements were also updated in April 2010 to include “Safe Harbor” protection, encouraging the use of the FTC’s Form Builder Form. To promote compliance with the Privacy Rule, the “Safe Harbor” provision provides a model form from the FTC website and explains the timing requirements for giving the Privacy Notice to customers. One of the most common mistakes dealers make in this area deals with the timing requirement for giving the Privacy Notice. The requirement states that the Privacy Notice should be provid- ed to the consumer/customer prior to the submission of their non-public information to a third party. The standard practice in many dealerships is to submit a credit application to a lender or run a credit check, prior to delivery of the vehicle. Submitting the application and running credit has transferred non-public information to a third party, so the timing of the Notice has been triggered. Therefore, the best time to provide a Privacy Notice to the consumer/customer is at the time the credit application is filled out by the individual(s). Hand-delivery or electronic acknowledgement of receipt of the form is required, and as a best practice, a signature to acknowledge receipt should be received. The regulation also permits an electronic disclosure and acceptance of the Privacy Notice in an electronic media on a web-based application. Dealership personnel who provide and explain the Privacy Notice to the customer should also be trained accordingly. Those salespeople who have not read and do not understand the Rule believe that the Notice is primarily designed to make the individual aware that the dealership will not sell or share their non-public information. In reality, the Notice is designed to let the customer/consumer know who the dealership is going to Does Your Dealership Currently Comply With the Gramm-Leach-Bliley Act? BY JUDY VANN KARSTADT, MPFS, DCOP