New State Privacy Laws Impact Auto Finance
The regulation of consumer privacy and security in the United States traditionally has been sectoral in nature. In other words, outside of more highly regulated industries like financial services or health care, the use and disclosure of consumer data has been regulated under general federal and state prohibitions on unfair or deceptive acts and practices, rather than under specific consumer privacy laws.
That began to change when the California Consumer Privacy Act (CCPA) became effective on Jan. 1, 2020. The CCPA, as subsequently amended by the California Privacy Rights Act, represents an effort to comprehensively protect consumer data across industries. It grants consumers several rights with respect to their data, including:
- The right to know how a business collects, uses and shares their personal information;
- The right to delete personal information a business has collected;
- The right to opt out of the sale of personal information;
- The right to correct inaccurate personal information; and
- The right to limit the use and disclosure of certain types of sensitive personal information.
10 States Follow Suit
Since the CCPA was enacted, several states have passed similar legislation, some of which is already effective and some of which will become effective over the next two years. Those states include Colorado, Connecticut, Florida, Indiana, Iowa, Montana, Tennessee, Texas, Utah and Virginia. Additional legislation is pending in other jurisdictions and could pass in the near future.
These laws generally mirror the CCPA in that they give consumers the right to access, correct and delete their personal information, and to opt out of the sale of their personal information, and require businesses to post privacy policies to inform consumers of these rights and how to exercise them.
Some also impose enhanced consent requirements for the collection and use of especially sensitive data and/or give consumers additional rights with respect to data portability (i.e., the right to access personal data in a format that enables the consumer to transmit the data to another entity).
Related Applicable Laws
Of special significance to the auto finance industry, however, these new laws have more limited application to financial services than the CCPA.
The CCPA exempts data that is subject to the federal Gramm-Leach-Bliley Act (GLBA), which is the primary federal law that regulates the use, disclosure and protection of non-public personal information by financial institutions. But the CCPA does not completely exempt financial institutions from its requirements.
A financial institution may be subject to the CCPA regarding consumer data that is not considered non-public personal information under the GLBA (e.g., information collected about consumers who have not yet applied for a consumer-purpose financial product or service).
Auto Finance Exemptions as Financial Institutions
The new state laws, however, contain blanket exemptions for financial institutions that are subject to the GLBA and, in some cases, also for their subsidiaries and affiliates.
Under the GLBA, a financial institution is any institution whose business is engaging in an activity that is financial in nature or incidental to financial activities as described in the Bank Holding Company Act. Among other things, these activities include making, acquiring, brokering or servicing loans or other extensions of credit, and leasing personal property on a non-operating basis where the initial term of the lease is at least 90 days.
Auto dealers that enter into retail installment contracts or leases, sales finance companies that purchase those contracts and third-party creditors extending auto loans to consumers all would be considered financial institutions under the GLBA and, thus, generally are exempt from these new state privacy laws (other than the CCPA).
More to Come?
Even though the comprehensive state privacy laws that have been enacted to date have limited applicability to financial services, the auto finance industry still should monitor developments in this space closely as some upcoming state laws may have more impact.
The proliferation of these laws and the increasing complexity of the patchwork of state laws and regulations also may spur additional action at the federal level. The industry should continue to be aware of and comply with existing state laws and regulations that may apply depending on the circumstances, including data breach notification requirements in all 50 states, financial privacy laws in California and Vermont, and information security program requirements in Massachusetts and New York.
This article was first published in Auto Finance Excellence, a sister service of Auto Finance News. McGlinchey is pleased to serve as the official Compliance partner of Auto Finance Excellence, providing insights and thought leadership through webinars, podcasts, and monthly columns.