AFSA Conference: Psst ... PII is a Potential Problem in Auto Finance Services

It’s only fitting that privacy can be a hidden issue.

The impressive innovative platforms and services that are connecting lenders to borrowers, dealers and service providers were on full display at the recent AFSA conference in Las Vegas. These platforms aim to make the finance process better, faster or more efficient but, to do so, many of the services must rely on shared consumer information. It wasn’t surprising to us that the pitfalls of using consumers’ personally identifiable information (PII) were well known to participants, but, as my colleagues in the Digital Media, Technology & Privacy Practice Group of Davis & Gilbert have noted in several articles available in the links below, compliance with applicable laws is not that easy and requires diligence and ongoing monitoring. Given the common representation and warranty by originators and sponsors in securitization documents that the loans complied with applicable laws, privacy can become one of those latent issues that come to light if investors incur losses, and the truth and accuracy of reps become an issue.

Privacy Laws, Generally

In general, consumer privacy laws exist at the state and federal level. Some federal examples include the Fair Credit Reporting Act, which limits the usage of consumer credit information to legitimate business needs, allows consumers to correct inaccurate information in credit reports and excludes certain types of information from being included. Under the Federal Trade Commission Act, the Federal Trade Commission has the power to protect consumers from unfair or deceptive practices and has been able to act on data privacy issues that way.

States have approached privacy from a variety of directions. Recent laws, such as New Jersey’s Personal Information and Privacy Protection Act, restrict the collection of data by retailers and then regulate how that information is retained or shared. Colorado requires protection of PII, mandating disposal of PII in both paper and electronic records, and notifying consumers of data breaches.

But many companies have had to make changes to their systems to address the sweeping data privacy protections that have been recently put into place by California through the California Consumer Privacy Act (CCPA), which puts some control of personal information back into the hands of consumers.

CCPA and Similar Laws

As highlighted in Davis & Gilbert’s alert, effective January 1, 2020, the CCPA applies to companies that collect California consumers’ personal information and either have annual gross revenues in excess of $25 million, process the personal information of 50,000 or more California consumers, households or devices or derive 50 percent or more of their annual revenues from selling California consumers’ personal information.

It protects Californians even when not in California, so actions must be taken to address this by anyone receiving Californians’ data. For some companies, the solution has been to make their CCPA policies available to all Americans.

The CCPA permits consumers to ask what personal information about them is being collected and what is being sold; it empowers consumers to opt out of the “sale” of their personal information (or opt in if the user is under 16 years of age) with some limited restrictions; and, within certain limits, it grants consumers the right to request that personal information be deleted.

To complicate the process for compliance, the CCPA currently only has draft regulations. Final regulations are still not available and clarifications and revisions to the draft regulations have been coming from the CA Attorney General as recently as last week. As my partner, Gary Kibel of D&G’s Privacy Practice, suggests, “Companies need to carefully examine their privacy practices in light of the CCPA, since new compliance standards and updated disclosures may be necessary given the significant changes the CCPA introduced.”

Meanwhile, the CCPA has spurred other states to follow suit. Nevada enacted an opt-out style law of its own for the sale of data. It applies more broadly to companies than the CCPA, but the definition of “sale” and the substance of the personal information are more narrowly tailored in the Nevada law. Nevada also does not require companies to provide a notice of this right to opt out.

As referenced in a recent Davis & Gilbert Privacy Alert, there are trends in proposed state legislation across the country that mimic, mirror or exceed the CCPA in many ways, including more opt-in approaches, clear notice for consumers of their rights and the creation of a fiduciary-like role in handling PII.

The more states enter this space, the more complicated the overlap of different requirements is going to get.

AI and PII

The proliferation and acceptance of artificial intelligence systems was evident at AFSA this year. AI is being marketed as the way to better underwriting, consumer understanding and fraud prevention, all of which implicate the use of potentially sensitive consumer data.

For example, Accenture has talked about the ability of “AI-generated intelligent signals” which can “enable banks and fintech lenders to tap new sources of consumer data for predictive insights, including the use of advanced analytics to predict which vehicle options a consumer may want, and telematics and other on-board sensors which give captive lenders insight on customer behavior like never before.”

Separately, on the underwriting front, Byrider is using PointPredictive’s AI services to help identify the higher and lower risk loan applications they are getting. PointPredictive’s product uses AI to evaluate applications across the industry (60 million so far) and learn from them and help find fraud. As noted by BBVA USA Direct Consumer Product Manager Michael Hucul, AI can enhance auto loan risk analysis by helping to identify common traits of someone who may be fraudulent or in financial stress. All of these applications carry with them the obligation to properly handle PII.

Looking Ahead

As the amount of available consumer information increases and the speed of decision making becomes more and more important, all participants engaged in sharing consumer information will need to ensure they have the proper consumer privacy policies in place. Even where an originator securitizes the loan, it may not be able to escape legal exposure based on breach of privacy laws given the recourse afforded investors and trustees through representations and warranties regarding compliance with laws.

Given the transformative nature of the legal landscape and the political uncertainty of the election year, constant monitoring of the law and practices is needed to prevent a bad privacy policy from making public news.

Nicole Serratore, an attorney in the Insolvency, Creditors’ Rights & Financial Products Practice Group of Davis & Gilbert, contributed to this post.