Steering Through Privacy: State Law Variation Affecting Auto Dealers

Miller & Martin PLLC Alerts | August 02, 2023

Automotive dealers and their service providers should take note of an important key difference between the California Consumer Privacy Act (CCPA) and other recent state privacy laws designed to protect consumer information. Privacy laws enacted in Virginia, Connecticut, Colorado, and Utah all broadly exempt financial institutions covered by the federal Gramm-Leach Bliley Act (GLBA), which includes most auto dealers per the Federal Trade Commission (FTC), while the CCPA only carves out certain information subject to the GLBA, not auto dealer entities themselves.

The GLBA Privacy Rule[1] enforced by the FTC explicitly states that auto dealers are within its jurisdiction. This rule mandates that auto dealers disclose to consumers, via a privacy notice, the specific personal information they intend to gather, its intended use, and any plans to share it with third parties. In conjunction with that notice, consumers should be provided with a reasonable method and sufficient time to deny the dealer permission to disclose their personal information to unaffiliated third parties. In obtaining personal data, it is incumbent upon dealers to safeguard this information, employing security protocols to thwart unauthorized access, alterations, data leaks, or improper destruction. With the objectives of data integrity and limiting its use, dealers should restrict data collection to what is essential for the declared purpose(s) in their privacy notice. Additionally, they should strive to keep this data accurate and up-to-date. Dealers can find more information under published FAQ resources on the FTC website.[2]

Five years ago, California enacted its well-known CCPA. The CCPA places specific obligations on certain for-profit businesses operating within California that surpass specified revenue or service criteria concerning the personal data of California residents.[3] Its primary goals are to safeguard consumer privacy within the state and grant consumers greater control over personal information collected about them by businesses. Financial institutions subject to the GLBA, including auto dealers, typically need to adhere to the CCPA, except when a business transaction involving a consumer pertains to “nonpublic personal information” as defined by the GLBA.[4] This category may include data such as names, social security numbers, income details, credit scores, phone numbers, and addresses given to an institution for procuring a financial product/service or resulting from a transaction involving a financial product/service.[5] It also includes any list formulated using personally identifiable financial information.[6] It's important to note that the CCPA does not, therefore, except personal consumer information that an entity reasonably believes is legally available to the general public through government records, compulsory public disclosures, or widely distributed media.[7] Thus, such “public” personal information could still be subject to certain CCPA requirements such as disclosure and delivery, correction, or deletion within 45 days upon a verifiable consumer request.[8] For consumers to make these requests, the CCPA requires businesses to offer at least two methods, including a toll-free number or an email address for online-only entities.[9] If a business operates a website, it must allow consumers to submit requests through it.[10] Whether personal information is “public” and thereby falls under the CCPA would be determined on a case-by-case basis, requiring dealer-specific and information-specific evaluation.   

On the other hand, the latest privacy laws adopted in several other states seem to provide complete exemptions for auto dealers as entities. Virginia’s privacy law does not apply to any “financial institution or data subject to Title V of the federal Gramm Leach-Bliley Act.. . . ” Va. Code Ann. § 59.1-576(B)(2023). Similarly, Colorado’s law excludes “financial institution[s] or [] affiliates[s] of a financial institution as defined by and that is subject to the federal ‘Gramm-Leach Bliley Act…’” Colo. Rev. Stat. § 6-1-1301(2)(q) (2023). The same general exceptions apply in both Connecticut[11] and Utah[12], which also exclude financial institutions regulated by the GLBA and its Privacy Rule.[13] 

While adherence to the GLBA Privacy Rule remains obligatory, these exemptions could potentially help dealers sidestep certain state-specific stipulations. For instance, that might include the mandate under the Connecticut Data Privacy Act (CTDPA) to halt the processing of personal data within 15 days of a consumer’s revocation, or the requirement of the Virginia Consumer Data Protection Act (VCDPA) for institutions to formalize data processing agreements with their data processors, incorporating explicit statutory terms.[14] Also, unlike the GLBA, the privacy laws of Colorado, Connecticut, and Virginia require that entities secure a consumer’s consent (or opt-in) before processing any of the consumer’s “sensitive data” as defined under the corresponding state law.[15]

Consumer privacy laws in states such as Colorado, Connecticut, and Virginia further require that covered entities establish clearly-defined contracts or transactions with their service providers and/or data processors.[16] Those mandates may lead auto dealers to demand specific tasks from those providers even where dealers are exempted from the relevant rules. Savvy service providers and processors might reasonably resist such unnecessary demands.

In short, there are clear differences between the consumer privacy laws of (i) California and (ii) most other privacy-active states that are material to auto dealers and their service providers. However, every business’s circumstances and geographical footprint and the consumer information they handle are unique. Therefore, you should consult with privacy professionals and/or legal counsel to accurately assess your specific situation and ensure full compliance with these laws.

For more information or guidance, contact Miller & Martin attorneys Jason McCarter or Racquel McGee, or a member of our Automotive practice. 

[1] See also 16 C.F.R. § 313

[2] Many auto dealers are also covered by the FTC’s Safeguards Rule. See 16 C.F.R. 314.2(h)(2)(ii) (“An automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days is a financial institution with respect to its leasing business because leasing personal property on a nonoperating basis where the initial term of the lease is at least 90 days is a financial activity listed in 12 C.F.R. 225.28(b)(3) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).”). See also https://www.millermartin.com/uploads/event_docs/UCW%202022/McCarter_Jason_BuckleUpRevisedFTCSafeguardsRuleforRemarketers_QR.pdf.

[3] See Cal.Civ.Code § 1798.140(d).

[4] Cal.Civ.Code § 1798.145(e); 16 C.F.R. § 313.1(b).

[5] 16 C.F.R. § 313.1(n)-(o); see also https://www.fdic.gov/resources/supervision-and-examinations/consumer-compliance-examination-manual/documents/8/viii-1-1.pdf

[6] 16 C.F.R. § 313.3(n)(1)(ii)

[7] Id. at § 313.3(p)

[8] Cal.Civ.Code § 1798.130(2)(A)

[9] Id. at § 1798.130(1)(A)

[10] Id. at § 1798.130(1)(B)

[11] The Connecticut Data Privacy Act is not yet codified but went into effect on July 1, 2023.

[12] The Utah Consumer Privacy Act will go into effect on December 31, 2023, and will be codified as Utah Code Annotated Sections 13-61-102 – 13-61-404.

[13] See https://www.cga.ct.gov/2022/act/Pa/pdf/2022PA-00015-R00SB-00006-PA.PDF; see also https://le.utah.gov/~2022/bills/static/SB0227.html.

[14] See https://www.cga.ct.gov/2022/act/Pa/pdf/2022PA-00015-R00SB-00006-PA.PDF; see also Va. Code Ann. § 59.1-578(A)(5)(2023);

[15] See Colo. Rev. Stat. Ann. § 6-1-1308(7); Va. Code Ann. § 59.1-579(B)(2023); https://www.cga.ct.gov/2022/act/Pa/pdf/2022PA-00015-R00SB-00006-PA.PDF.

[16] For example, the VCPDA requires that processors contractually agree to assist controllers in meeting their consumer privacy obligations under Virginia law by adhering to controllers’ statutorily mandated instructions regarding data processing, nature and purpose of processing, type of data subject to processing, duration of processing, and additional rights and obligations of both parties. See Va. Code Ann. § 59.1-579; see also Colo. Rev. Stat. Ann. § 6-1-1308(7); https://www.cga.ct.gov/2022/act/Pa/pdf/2022PA-00015-R00SB-00006-PA.PDF