Dealership buy sell transactions and customer privacy

Published on


Customer information is often one of the many assets transferred in the sale of a dealership. Customer information is subject to privacy, solicitation, and data security laws regulating its disclosure and use. This article provides a basic overview of some of the main privacy concerns that a selling dealer faces when transferring customer information.

Potential liability for transferring customer information.

Before a dealer sells its customer information to a successor, it should ensure that it has been compliant in collecting that customer information and should consider deleting or not transferring any customer information that it cannot prove that it obtained in a legally-compliant manner. For example, if a selling dealer has certain customer addresses and phone numbers that were collected several years ago and does not know how or when such information was obtained or even when such customers were last contacted, it may want to consult with legal counsel about the risks of transferring such information. This is because California and federal law often require dealerships to obtain affirmative consent (sometimes construed as written consent) before soliciting consumers. On the other hand, if a dealer has a form signed by a customer that provides consent for the dealer to contact them, such information would likely be transferable without risking liability to the selling dealer.

The Gramm-Leach-Bliley Act (“GLB Act”) prohibits dealers (as financial institutions) from disclosing consumer information to third parties unless the consumer is advised of such disclosure, is given the opportunity to opt-out, and does not exercise their opt-out right. There is in an exception to the GLB Act for consumer information shared in connection with the (proposed or actual) sale or transfer of a business or operating unit thereof. However, to minimize potential liability for transferring customer information, the selling dealer should require the purchasing dealer to represent and warrant that it will comply with the GLB Act and related laws, as discussed below.

Minimizing liability for transferring customer information.

The buy-sell agreement needs to be clear about what customer information is being transferred and the selling dealer should aim to make the purchasing dealer responsible for its use of the information. For example, in the buy-sell agreement, the selling dealer could include representations and warranties that the purchasing dealer will maintain and use the customer information only as allowed by state and federal law, including, but not limited to, the GLB Act, the Telephone Consumer Protection Act (regulating telephone solicitation), the CAN-SPAM Act (regulating email solicitations), and will provide legally-compliant opt-out mechanisms with all customer solicitations. The purchasing dealer should also be required to have and maintain legally-compliant and commercially reasonable information security policies and procedures, including encryption technologies. These can help ensure that customer information will be protected after the transfer. Additionally, the purchasing dealer should be required to defend and indemnify the selling dealer for its use and maintenance of the transferred customer information.

Privacy Policy considerations

California law requires all businesses that receive the personal information of customers online (including email addresses and phone numbers) to include a Privacy Policy on their website. Although the overall content and presentation of such policies is beyond the scope of this article, one foundational aspect of a privacy policy is that it must advise customers of how their personal information is used and shared by the dealership. Customers should be advised of the fact that their information will be transferred upon the sale of a dealership. Even before you are thinking about selling your dealership, we recommend including language in your privacy policy explaining that in the event that the dealership sells or otherwise transfers any portion of its business assets, it may transfer consumer information as part of the business sale, merger, dissolution, asset transfer or other disposition of business assets. If your privacy policy needs to be updated to include such language, you should also make sure to include a notification on your homepage informing consumers of the recent change to the privacy policy.

As new telecommunications technologies quickly develop and customer information is obtained and used in new ways, dealerships must be vigilant in ensuring their compliance with privacy laws and related data security and telecommunications laws. In the buy-sell context, the parties should clearly spell out their responsibilities regarding the transfer and use of customer information. We recommend utilizing experienced automotive counsel in analyzing and negotiating these provisions, as consumer privacy litigation can be a large and unnecessary expense for automotive dealers.