Understanding How to Navigate Data Sharing Agreements With Manufacturers While Ensuring GLBA Privacy Rule Compliance

Paul R. Norman , Patrick L. Breen | 07.25.23

Over the past several months, manufacturers have been urging dealers to enter into data sharing agreements permitting third-party vendors to share the dealer’s customer data directly with the manufacturer itself. Manufacturers are justifying these agreements on the grounds that they will allow dealers to have full integration with the manufacturer’s data fields. But these data sharing agreements raise legal concerns when compared to the obligations dealers have under the Gramm-Leach-Bliley Act to protect nonpublic personal information of customers. This article outlines key provisions of the Act and strategies dealers can use to protect themselves and customers from unlawful disclosure. 

The Gramm-Leach-Bliley Act and The Privacy Rule: What Do They Require Dealers To Do?

The Gramm-Leach-Bliley Act (“GLBA”) establishes standards for financial institutions regarding the disclosure of nonpublic personal information to third parties. Dealers qualify as ​“financial institutions” who must comply with the GLBA because dealers actively engage in financial activities such as leasing and credit sales. 

One important component of the GLBA is the FTC Privacy of Consumer Financial Information Rule, also known as the ​“Privacy Rule.” The Privacy Rule is intended to protect consumers’ nonpublic personal information (“NPI”), which refers to any personal information collected by a financial institution in connection with providing a financial product or service. NPI includes personally identifiable information and any list, description, or other groupings of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. NPI does not include any information that is otherwise publicly available or information that a dealer has a reasonable basis to believe is publicly available. 

The Privacy Rule requires dealers to (1) provide a clear and conspicuous notice of their policies and practices regarding NPI and (2) allow customers to opt out of disclosure of their own NPI. 

What Rights Do Dealers Have With Respect To Data Sharing Agreements? 

Many data sharing agreements that manufacturers are pressuring dealers to execute, require dealers to provide third-party vendors and manufacturers with ​“dealer data” that falls within the Privacy Rule’s definition of NPI. Unless the use of this ​“dealer data” falls within one of the exceptions under the Privacy Rule, dealers who enter into data sharing agreements with manufacturers risk violating the Privacy Rule and possibly other applicable privacy laws and policies. 

Wisconsin Statutes § 218.0116(1)(ys) prohibits manufacturers from using any NPI obtained from a dealer, unless the use falls within an exception under the Privacy Rule. This provision of the Wisconsin Motor Vehicle Dealer Law overrides any inconsistent contract provisions between a dealer and manufacturer. Dealers, therefore, have a right to push back against manufacturers who are requiring them to enter into agreements that compel disclosure of customer NPI. 

One method to preserve the dealer’s rights is to write a letter to the manufacturer stating that the dealer expects the manufacturer to comply with Wis. Stat. § 218.0116(1)(ys) and only use customer NPI shared pursuant to the data sharing agreement in a manner that falls within an exception under the Privacy Rule. Putting the dealer’s position in writing like this makes clear that it may seek relief under Wisconsin law if the manufacturer uses NPI in any manner that causes injury to the dealer or its customers.

Conclusion

The Privacy Rule under the GLBA requires dealers to protect customer NPI and Wisconsin law prohibits manufacturers from using that NPI in any manner that does not fall within an exception to the Privacy Rule. Therefore, dealers should consider seeking legal advice prior to entering into a data sharing agreement that may put them at risk of violating the Privacy Rule in order to preserve their rights against the manufacturer if any violation occurs.