Monday, January 01, 2007

Kelly's Korner - Privacy Policy Pointers


A rash of recent questions about the “Privacy Policy” led me to believe that it may be time to review this important aspect of the Gramm-Leach-Bliley Act. I do so along with the reminder that none of the information that follows is intended as legal advice. Please consult your attorney for compliance matters concerning your own dealership.

What is the Privacy Policy?
The Privacy Policy is the first part of the Gramm-Leach-Bliley (GLB) Act. The Privacy Policy stipulates that businesses that collect information about their clients / customers / consumers must provide notification about what they will do with the information supplied to the business. This includes who will receive the customer information, as well as why and how the information will be shared.

How does the Privacy Policy apply to dealerships?
When dealerships finance vehicle purchases and sell their customers a variety of policies and services, it becomes necessary to share certain information gathered with third parties in order to secure funding and to process the policies and services which the customer chooses to purchase.

Some states require that the privacy form include an opt-out and/or an opt-in choice for the customer. You will need to check with your dealership’s legal counsel to determine what your privacy policy should contain.

When should the customer receive the Privacy Policy?
It is my understanding that the Privacy Policy should be given to each customer immediately after obtaining the credit application. Most privacy policies I have seen are 2-part NCR (No Carbon Required) forms. The forms have a place for the customer to sign an acknowledgement. The original stays with the deal. The copy goes to the customer.

What happens when the customer refuses to sign?
I recommend that you note on the form that the customer refused to sign and that a copy of the form was given to the customer for later review.

What else should I know about the Privacy Policy?
Many privacy forms state that the dealership takes steps to protect the NPI (Non-Published Information) through physical and electronic safekeeping measures. This statement seems to tie the Privacy Policy to the Safeguards Rule, which is the second part of the GLB Act.

If your dealership uses an online credit application, you should also have an online version of the Privacy Policy. Your association and Reynolds & Reynolds are great sources of sample forms and information.

Compliance with the Privacy Policy of the GLB Act is not optional. For the well-being of your personnel and your business, be sure to confirm with your legal counsel that you are in full compliance with both the Privacy Policy and Safeguards Rule contained in the GLB Act.

“Kelly’s Korner”, Oregon IADA Newsletter, January 2007