It is not uncommon for a dealership to receive a subpoena commanding production of customer records or information. With the present-day labyrinth of federal, state and local laws governing the privacy of customer information, how does the dealership respond? Working with legal counsel, dealerships should understand how to respond when they receive a subpoena for customer records and information. They should know what the governing privacy laws are, what privacy rights those laws seek to protect and how those laws may apply when a subpoena is received.
There are several privacy-related federal and state laws that protect customers’ privacy rights and information in their transactions with a dealership. This article focuses on several federal laws in the context of the dealership’s receipt of a subpoena. First, the Gramm-Leach-Bliley Act (“GLBA”) requires financial institutions – including auto dealerships – to safeguard the confidentiality of customer information. 15 U.S.C. § 6801, et seq. Dealerships are subject to the requirements of the GLBA and the Safeguards Rule, as recently amended,[1] to protect the security and privacy of customer financial information.
The GLBA mandates an “affirmative and continuing obligation” to respect and protect the security, integrity and confidentiality of customer information. Under the GLBA, notices must be provided to customers regarding the dealership’s collection and information sharing policies, and customers must be able to opt-out if they do not want their information shared with nonaffiliated third parties. The GLBA limits only the disclosure of “nonpublic personal information”, which essentially includes any personally identifiable information about a customer, created through utilization of personally identifiable information that is not publicly available. The GLBA allows for certain exceptions for providing information for which the customer cannot choose to opt-out.
The Right to Financial Privacy Act (“RFPA”) affords customers the right to be informed by the government before it obtains nonpublic information. 12 U.S.C. §3401, et seq. The RFPA protects customer records, maintained by dealerships, from improper disclosure to officials or agencies of the federal government. The RFPA also prohibits dealerships from disclosing to the federal government records, without the government first notifying the customer and allowing for passage of a prescribed waiting period. Importantly, the RFPA only applies to the federal government. The RFPA does not apply to requests made by state or local government or private parties.
Under the USA Patriot Act, the government is permitted to obtain personal information about a customer without the customer knowing or obtaining consent from the customer. The Patriot Act requires financial institutions, including auto dealerships, to report a suspicious transaction or activity without notifying the customer.
The foregoing federal laws evolved to govern and protect customer financial privacy through legal requirements and standards, aided by technological and other procedural protocols. Notably, other federal and state laws may obligate dealerships to prohibit disclosure of certain information or redact information pursuant to a subpoena or other disclosure.
When the dealership receives a subpoena, it should confer with its legal counsel to determine if a governmental authority issued the subpoena. Governmental authority for purposes of the laws discussed above, however, does not include state or local government. If a governmental authority issued the subpoena, then the RFPA applies and the burden is on the government authority that issued the subpoena to provide notice to the dealership’s customer and produce a certificate of compliance with the RFPA to the dealership to allow the dealership to comply with the subpoena.
By contrast, if the subpoena is issued by a state or local government authority, then the GLBA applies. As a matter of cautious due diligence, the dealership should consider first asking the state or local governmental authority for permission to contact the dealership’s customer and give the customer a reasonable opportunity to object to the subpoena through seeking to have it quashed, before providing the customer’s information.
Finally, if a dealership receives a private or third-party subpoena issued by a court, the GLBA applies. Whether notice to the customer is first required under the GLBA is unclear. The subpoena may fall within the “judicial process” exception. The dealership should again consult with legal counsel and may consider requesting from the subpoena issuer the right to notify the customer and provide a reasonable opportunity to quash before producing the customer information.
When complying with subpoenas, be mindful of your legal obligations to protect and preserve the privacy of customer information, as will enable the dealership’s compliance with the subpoena without exposing the dealership to liability to the customer for improper or unauthorized disclosure.
[1] See, Dealership Compliance with Updated Federal Safeguards Rule by December 9, 2022 – Don’t Wait, by Julie A. Cardosi, Esq., July 22, 2022, IADA News Magazine, Pub. 12 2022, Issue 2.