Important Considerations Regarding GLBA and State Privacy Laws

By: Mark Sanborn
Senior Product and Regulatory Counsel

The U.S. now has 19 omnibus state privacy laws, with a number of additional states poised to pass similar laws.1 This patchwork of state laws is often quite complicated and difficult for businesses to address alone. While the laws largely follow the same overall themes, there are wide variations among them, and they contain varying provisions and exceptions. One example is the treatment of “financial institutions” subject to the Gramm-Leach-Bliley Act (GLBA). Several state privacy laws contain language indicating that GLBA financial institutions are exempt from portions of the state’s privacy law.

While these types of exemptions should give dealers at least an argument in any future enforcement or litigation action under some state laws2, they are far from a panacea. In short, there are many reasons why dealers may wish to take steps to comply with the state privacy law requirements despite such exemptions. Some of the reasons dealers may need or wish to comply with these laws are discussed below:

  1. The Scope of the Exemption Is Untested and Unclear.
    The GLBA exemptions may not uniformly apply to all of a dealer’s operations or affiliated entities. Some affiliates may be required to comply with state privacy laws even if another affiliate has grounds for exemption. Even within a company with diverse operations, questions have arisen under several state laws whether a company is exempt across all its activities simply because it has an affiliate or division that provides financial products or services. This uncertainty is exemplified by companies like Facebook and Google, both of which offer financial products and services likely subject to the GLBA, but do not claim broad, company-wide exemptions from state privacy laws in states with entity-level exemptions. The full extent of these exemptions has not been tested in court, and at least one state with an entity-level exemption is considering revising its statute to clarify or remove the exemption entirely because of this question.
  2. Avoiding Consumer Confusion.
    Many consumers may not fully grasp the legal distinctions in the laws and may question why their rights under state law regarding personal information vary across different parts of the business they interact with. Many dealers (and OEMs) choose to simply comply with the requirements, both to show consumers they take privacy seriously and to avoid having to explain why these consumer rights are not being honored by the dealership. Privacy policies are also becoming ubiquitous and expected by consumers. Dealers need a policy, and if they have one, it should of course be accurate, defensible and compliant.
  3. Cookie Consent Banners Protect Against More Than State Law Claims.
    Dealers need compliant website consent management tools that offer users options for tracking and information collection, along with privacy policies, not only to address state privacy laws but also broader compliance and risk mitigation objectives. Critically, this includes providing adequate consent choices for consumers that will protect dealers against the recent spate of wiretapping and related class action claims.
  4. FTC Considerations.
    The FTC retains broad authority to enforce privacy requirements under both the GLBA and its UDAP authority – and it has taken enforcement action in these areas. Moreover, the GLBA defines cookies as nonpublic personal information,3 which creates obligations to notify users about their collection and disclosure under both the GLBA Privacy and Safeguards Rules, which are distinct from state privacy laws. Given dealers’ obligation to comply with the GLBA (and protect against litigation), any added burden to comply with a state privacy law will be modest.

These are just some of the numerous reasons to take steps to comply with these laws, and it is critical that dealers employ a compliant cookie consent banner and privacy policy for many reasons beyond state privacy law compliance. The good news is that employing the ComplyAuto cookie consent banner tools will automate state privacy law compliance – by automatically handling, categorizing, and responding to consumer requests – as part of an overall solution that includes cookie management and privacy policy. This will simply and efficiently avoid complications for dealers, and “future-proof” the dealership regardless of an exemption.

1 This is accurate as of September 2024.
2 In many states, these exemptions were strongly advocated for by your state association, looking to protect you and their other members.
3 16 C.F.R. § 313.3(o)(2)(i)(f); 16 CFR 314.2 (o)(2)(i)(f).
