Exempt in part, lenders should still prepare for Calif. privacy act

In many ways, auto lenders are exempt from a new California consumer privacy law — but experts still advise that lenders scour their data inventory before counting themselves out of the law's scope.

The California Consumer Privacy Act, effective this coming Jan. 1, affects all businesses in California meeting certain thresholds, including many auto companies.

Among other requirements, the law orders businesses to honor consumers' demands to access personal information collected about them, know whether their personal information is sold or disclosed and to whom, and opt out of the sale or sharing of personal information. Consumers can also demand that a business and its affiliates, such as vendors, delete their personal information.

But personal information that is collected to comply with the federal Gramm-Leach-Bliley Act, which lenders must follow, is exempt from the disclosure and deletion requirements in the California Consumer Privacy Act. Under the Gramm-Leach-Bliley Act, financial institutions must have a security plan to protect the confidentiality and integrity of consumers' personal information. It requires companies to give consumers privacy notices that explain their information-sharing practices.

But beyond Gramm-Leach-Bliley, lenders should take inventory of the customer data at their fingertips. That is because customer data unrelated to the financing of a vehicle is subject to the California act, sources say.

Gramm-Leach-Bliley is a "data-driven exemption," said Meghan Musselman, partner at law firm Hudson Cook. "So, in order to determine that your data is exempt, you have to go do a data inventory. [Lenders] will have some data that's outside of that exemption."

Auto lenders, for instance, could have information related to the sale of the vehicle or its warranties, which are not always related to the financing of the vehicle.

Whether lenders must comply with the new law largely depends on what they do with customer data.

"It's not that if you are a financial institution under [Gramm-Leach-Bliley], you're exempt from" the new California law, Musselman said. "It's that you have to look at each piece of data essentially and determine that the data is exempt."

Many websites, for example, automatically collect consumers' IP addresses and cookies. That information is covered by the act, Musselman said. If an auto lender's website collects such information, it must comply.

Many lenders and vendors make the data anonymous, which could make them exempt from the new law, said Melanie Cliff, partner at law firm Scali Rasmussen.

"Are you aggregating? Are you de-identifying? Are you using pseudonyms for these customers and their data? If so, that would be considered an exception," said Cliff.

Cliff said she's seen a shift among lenders. Many were already aggregating the data and making it anonymous, and if they haven't, most are preparing to.

Many vendors also work with both dealers and lenders and have consumer data.

"They're kind of in a sweet spot where they collect the information from different sources," she said.

There is some urgency to the preparation work. As they determine how to comply, lenders, vendors and dealers are rushing to prepare for the act before it takes effect next year. Cliff said, "It's a shock to the system."