Will The Gramm-Leach-Bliley Act Change The Auto Industry's Sloppy Data Handling Practices?

A number of dealers and dealer groups have been asking me for advice on how they should interpret the Gramm-Leach-Bliley Act (GLB) before the compliance deadline hits. I quickly point out that I'm not a lawyer and don't give legal advice, but the sheer number of inquiries got me thinking.

I highly recommend that all dealership leaders, especially dealer groups that unscrupulous lawyers perceive as having "deep pockets", read this page carefully.

A Quick History Lesson

When a consumer fills out a form on a dealer's website, how many companies get that information?

In the past, before advanced digital retailing tools, it was easier to answer this question. When dealer websites were first created, website lead forms went directly to the dealer's CRM platform. Most of the initial website forms were not associated with credit applications, and those that offered credit were secured within an iframe.

The early website forms used by consumers were designed to get more information, schedule a test drive, or to get the mysterious selling price aka "E-PRICE". None of these forms would fall under the GLB today.

When OEMs started organizing/standardizing franchise dealer online websites and marketing, lead form data was FIRST sent to a company (i.e. Shift Digital, Ford Direct), who kept a copy for OEM reporting or match-backs to lead sources. Today, website program managers might even perform data hygiene steps or appending before sending the lead to the dealer's CRM.

This practice of data sharing continues today for most OEMs because the automotive industry is addicted to lead measurement (lead counting, rankings, and performance) and less interested in protecting PII because the changes required would be costly.

Fast-forward to 2022. Could digital retailing put dealers at risk of massive fines via GLB? The once simple CTA buttons have been replaced with digital retailing workflows to present customized prices to consumers (not customers) for leases and auto loans, and it looks like a massive change is coming, due in part to GLB.

Can Dealers Control The Consumer's Data?

When a consumer visits a dealership website today and clicks on a CTA button that says "Explore Payments" or "Customize Payments", the consumer is entering into a relationship with the dealer to explore lending options; they are not a customer (important). Most digital retailing tools require the consumer to provide their name, email, phone, and a ZIP code to get "a customized payment" based on their location. This is often called the "unlock" process.

Now, depending on the digital retailing platform, a soft-pull could be included in the retailing workflow, adding even more complexity to the issue at hand. According to how I interpret the GLB, this unlocking process is involved in the online process for showing payments for leasing/financing a vehicle to a consumer (not a customer). Thus, I believe a series of GLB obligations are now placed on the dealer because the consumer is not committing to buying/leasing/financing the car.

Are Dealership Online Disclosures GLB Compliant Today?

First, a clear disclosure to the consumer that their data is being shared is required. When a consumer clicks to start (and unlock) a DR process, are GLB compliant disclosures in place?

But the bigger question that dealers need to ask is: Who else gets that data? This is where things get sloppy.

From what I have heard, the OEM middle manager (i.e. Shift Digital, Ford Direct, Unite Digital, etc.) gets the lead form data and they send data to the OEM, in some form. Obviously the dealer gets the data via their CRM and also (in some cases) in their separate DR tool. If a credit application is completed in the DR workflow, then a few other companies will get the data. That's at least five companies so far, and we haven't even spoken about the many credit pre-approval pop-ups on dealer websites.

But keep in mind that the dealer is on the hook with the GLB law.

Which means that if the dealer can't show ALL parties who have the data, and that all parties have the proper data management and disclosure practices in place, the DEALER gets the fine.

I am confident that many dealers have not thought about the implications of digital retailing and GLB. Are the website companies also keeping a backup copy of all lead form data in case a server farm fails? How many days is that data stored? The more you think of it, the more scared you should be.

Who Else Gets Consumer Data?

It's common for dealers to send out equity mining offers through third-party vendors based on whether the consumer leased or financed their vehicle. The data sharing and management practices of these vendors can cause the dealer to get a fine under GLB. Any marketing communications, sent by marketing agencies, that are triggered based on information that the consumer leased or financed a vehicle with the dealer fall under GLB.

What About OEM Mandated Platforms?

It gets more interesting for OEM mandated website platforms and digital retailing tools. If the dealer has ZERO choice in the software used for online retailing, how does the dealer transfer liability to the OEM? The answer right now is that the dealer is still on the hook for all data collected on their website because the consumer is starting the relationship with the local dealer on their website.

Will the automotive industry have to embrace a type of anonymized LeadiD platform that other industries leverage?

Is There A Better Way Forward?

Yes, that is the good news. It would require a different mindset from dealers and vendors that limits where the PII is stored. Dealer groups will lead the way, since they have the most to lose. The penalties that trigger GLB fines are vague, so this is a multi-million dollar problem for public dealer groups. Dealer groups have power to influence vendors and most already have some type of data warehouse platform in place to manage consumer data.

One solution is for the dealer to protect the initial consumer information (PII) collected via a form and assign that consumer a unique ID, similar to what LeadiD has done in other industries. The dealer would house the PII and share the LeadiD with third parties, which would provide data to append into the dealer's data warehouse for retailing and contracting.

In this framework, the number of people with access to PII is dramatically reduced. For example, the unlock form would be controlled by the dealer. Once a consumer fills out their basic contact info, the dealer could initiate a signal to unlock their website's digital retailing tools or trade-tool without giving that information to the third-party tool providers.

You see, TradePending or Roadster doesn't need PII to provide a trade-value for a vehicle, but they ask for PII because dealers are hooked on getting leads.

There is also another benefit of the dealer controlling the unlock: a better consumer experience. This would mean that the consumer would not be asked to fill out their information multiple times during their session, by different vendor tools, which is common today.
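The dealer-controlled unlock described above can be sketched as follows. This is an added example, not code from the article, LeadiD, or any vendor; `LeadVault`, `verify_unlock`, the vendor names and the per-vendor HMAC keys are all hypothetical, and the consumer record is constructed.

```python
import base64, hashlib, hmac, json, secrets, time

class LeadVault:
    """Dealer-side store (hypothetical): PII stays here, vendors get an opaque ID."""
    def __init__(self, vendor_keys):
        self._keys = vendor_keys   # vendor name -> HMAC key shared with that vendor
        self._pii = {}             # lead_id -> PII record, never sent to vendors
        self.access_log = []       # (time, party, lead_id) for every PII read

    def register(self, name, email, phone, zipcode):
        lead_id = secrets.token_urlsafe(16)  # random, so it cannot be reversed to PII
        self._pii[lead_id] = {"name": name, "email": email,
                              "phone": phone, "zip": zipcode}
        return lead_id

    def unlock_token(self, lead_id, vendor, ttl=900, now=None):
        """Signed 'this session is unlocked' signal carrying no contact data."""
        if lead_id not in self._pii:
            raise KeyError("unknown lead")
        now = int(time.time()) if now is None else now
        claims = {"lead": lead_id, "aud": vendor, "exp": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        tag = hmac.new(self._keys[vendor], body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag

    def reveal(self, lead_id, party, now=None):
        """The only path to PII; each read is recorded for later accounting."""
        now = int(time.time()) if now is None else now
        self.access_log.append((now, party, lead_id))
        return dict(self._pii[lead_id])

def verify_unlock(token, vendor, key, now=None):
    """Vendor side: return the lead ID if the token is genuine, else None."""
    body, sep, tag = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != vendor or claims.get("exp", 0) < now:
        return None
    return claims["lead"]

def demo():
    keys = {"trade_tool": secrets.token_bytes(32), "dr_tool": secrets.token_bytes(32)}
    vault = LeadVault(keys)
    # Constructed sample consumer, not real data.
    lead = vault.register("Pat Example", "pat@example.com", "555-0100", "94558")
    return vault, keys, lead, vault.unlock_token(lead, "trade_tool", now=1000)
```

A vendor tool that receives the token learns only that a session is unlocked and which opaque ID to key its results to, while `access_log` gives the dealer a record of every party that read the PII itself.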

Let's Discuss A Path Forward

A framework for complying with GLB will be shared on May 21st at the Automotive CXO Summit in the Napa Valley. The Automotive CXO Network is comprised of C-Suite executives from dealer groups with 10+ franchise stores. I have invited Atul Patel, co-founder of Orbee and one of the original partners in LeadiD, to share how dealers can prepare for GLB from a technology framework.

We will also have some additional resources to share to help dealers prepare for GLB and I hope that the automotive industry will rethink our sloppy lead handling processes that right now could be leaving dealers on the hook for massive fines.

Dealer group executives that would like to attend the CXO Summit on May 21st are welcome to contact me. Technology and legal firms that have an expertise in GLB solutions and compliance are also welcome to contact me.


A lot of this privacy concern is because the consumer/customer is NOT coming to a dealer website to sell their personal data. They are NOT looking to become a "lead." They are not submitting information so it can be stored in a data lake. The problem is that the consumer/customer is willing to pass on information if it is necessary to buy a car, but not to become a lead, a product of near invisible tracking, that is bought and sold. That's a separate business than selling a car. If consumer/customer owns their own personal id and their own data, then they really should be the only ones entitled to sell it.

Ken Luna

18,148 Followers Gather Technology On Demand Auto Insurance, Identity & Insurance Verification and Policy Transfer plus The Gather $1,000,000 Guarantee For The Automotive Industry

2 years ago

Soft Credit Pulls are still needed if you want an accurate payment calculated without doing a hard pull. However, there is no question that many vendors are not going through the proper requirements of providing accurate Firm Offers of Credit, taking necessary steps to properly identify who they say they are and also giving bad advice (like a soft pull Prequalify does not require an Adverse Action letter). Also, this data must be properly safeguarded closely in tandem with the credit bureaus.

Great Article Brian! You nailed it. There are Storm Clouds coming and they are going to wreak havoc on unprepared and unsuspecting dealers and dealer groups. Someone huge will be served up as a sacrificial lamb and will then wake dealers up to this. It is coming. We are currently working with dealers to prepare them for the onslaught of litigation. Steps need to be taken now, before the storm. #TACITO #TACITODIRECT #GRAMMLEACHBLILEYACT #PRIVACY #Privacypolicies

Stephen Zieniewicz, MPH, FACHE

Healthcare Executive | Patient Safety | Strategy & Innovation | Capital Campaign | Artificial Intelligence AI in Healthcare | Board Governance

2 years ago

Brian - Great insights into an ever evolving business. Thank you.

Joshua P.

Founder & CEO | Veteran | Building Hamilton Bay a single source of procurement for builders and developers

2 years ago

It would be the vendors that provide the service would it not?