Automotive retailers faced a July 1 deadline brought about by the U.S. Congress' Gramm-Leach-Bliley Act to provide customers and consumers with an initial privacy notice in writing. Dealers must describe the personal information they obtain, how the information is used and with whom it is shared.

This act is why customers and consumers of various financial institutions have received special mailings or notices highlighting these privacy issues. The act distinguishes between consumers and customers. Consumers are people who have applied for credit, whether or not credit is extended; customers are consumers who have been extended credit or executed a lease deal.

So, as a retailer required to provide this information, you've met the deadline. Situation resolved? Hardly! The act is just one of the first pieces of privacy legislation to be enacted. Literally hundreds of additional state and federal privacy laws are under consideration. In fact, if you want to stay on the cusp of the entire privacy and data security matter, you will want to consider taking some additional steps to ensure the privacy of your data and gain the respect and trust of your customers and consumers.

Without spending too much time on the details of the act or rehashing information already known by most retailers, let's take a quick look at it. It's a U.S. financial data privacy and security law affecting financial institutions and their use of customer and consumer data. These institutions include dealerships and manufacturers because they provide financial services to their customers when financing a vehicle.

This and other privacy legislation aims to control and protect personally identifiable information, such as names, addresses, phone numbers and credit history, received by companies engaged in certain types of businesses.

Dealers should take proactive steps to make certain their dealerships are in compliance with the act, as well as other privacy and data security laws and guidelines.

To get dealers on that road, it is imperative to prioritize the following:

  • Develop a privacy policy: Not to be confused with the basic type of policy found on most web sites, a retailer's privacy policy should cover customer and consumer information from the cradle to the grave, with every facet of the dealership (and every associate within those facets) on board and trained to comply with the policy.

  • Conduct a privacy audit/assessment: Use this not only to determine how you're currently doing in lines of privacy, but also to identify your weak spots as well as potential areas of importance that will need to be addressed as privacy acts continue to emerge and evolve.

  • Determine legal and regulatory responsibilities: A retailer's privacy responsibilities are more than complying with Gramm-Leach-Bliley. In fact, many states are currently reviewing privacy legislation that will be more protective of an individual's privacy rights than this federal legislation. Be proactive and meet what's expected of the dealership by such legislation. In doing so, consult your attorney and/or state and national associations for assistance in interpreting these laws, and work with privacy specialists on compliance issues.

  • Use electronic storage and shred documents: Ever hear of dumpster divers searching for documentation in an alley behind a business? It happens. Think of all the information about your customers that appears on documents that dealerships throw away. Identity theft is a big data security issue. Use a crosscut shredder concurrently with electronic document storage.

  • Inform and market: A retailer may be required to notify customers and consumers on how he or she is using their personal data and, in some situations, to give them the option to opt out. Talk to your customers and consumers about how you use their personal information. This can help win their trust — and their ongoing business.

  • Gain trust with Internet shoppers: With ever-increasing on-line transaction activity, new and previously unaddressed privacy and data security issues will continue to surface. A retailer's greatest defense — and best offense — is a proactive, comprehensive and consistent stance on privacy.

  • Commit to protecting information security: This extends to firewalls and similar anti-hack technologies. Make sure these efforts protect customer and consumer information from associates who may wish to use it to their own benefit.

  • Train, train, train: Unless all associates are uniformly trained on the dealership's privacy policies and protection efforts, all of a retailer's privacy activities will be for naught.

  • Ensure partner involvement: Much like training, a retailer must make sure to involve all dealership partners, such as car companies and service providers, in the privacy policies and protection efforts at hand. Make sure your partners take the same precautions you do with the information you share.

Those are first steps to achieving privacy compliance. Yet, considering the breadth and scope that privacy entails, it's advisable for a retailer to use the services of a consultant versed not only in privacy but also the automotive retailing industry. Such a consultant could ensure compliance while helping the retailer best use customer and consumer data.


Michael McNeil is chief privacy officer and vice president of Data Services at The Reynolds and Reynolds Co.