The Federal Trade Commission is proposing to amend its Gramm-Leach-Bliley Act (GLBA) rules to allow auto dealers that finance car purchases or provide car leases to provide online updates to consumers about their privacy policies, rather than sending yearly updates by mail. The FTC proposal is consistent with the rule finalized by the Consumer Financial Protection Bureau in October 2014 for financial institutions.
Background. The GLBA requires financial institutions to provide their customers with initial and annual notices regarding their privacy policies. If financial institutions share certain customer information with particular types of third parties, the institutions are also required to provide an opportunity to opt out of the sharing. The FTC issued its rule implementing these provisions in 2000.
The Dodd-Frank Act transferred most of the GLBA privacy notice rulemaking authority to the CFPB; however, the FTC retained authority over motor vehicle dealers. In October 2014, the CFPB finalized a rule allowing companies that limit their consumer data-sharing and otherwise meet certain requirements to post their annual privacy notices online. The FTC stated that its proposed changes are consistent with those issued by the CFPB.
Proposed amendment. Under the proposed revision to the FTC’s privacy rule (16 CFR Part 313), auto dealers that do not engage in certain types of information-sharing activities would be able to provide consumers with the privacy policy solely online, as long as the company notifies consumers on a yearly basis that the policy is viewable online. The rule change would require this notification to be part of some other legally required document provided to consumers.
The revised rule still would require dealers to provide consumers with a written copy of the notice upon request. In addition, if a dealer’s privacy policy has changed since a consumer was last provided a written notice, the consumer must be provided a copy of the new policy in writing. Dealers who share consumers’ personal data with third parties in a way that requires a consumer to have the ability to opt-out would not be allowed to provide their privacy policy only online. The amendments also include clarifications to the language of the rule to reflect the Commission’s authority under the Gramm-Leach-Bliley Act.
The proposed changes will be subject to public comment through Aug. 31, 2015, after which the FTC will decide whether to make the proposed changes final.
For more information about privacy notices, subscribe to the Banking and Finance Law Daily.