What does the Colorado Privacy Act mean for auto lenders? | Auto Finance News

What does the Colorado Privacy Act mean for auto lenders?

by Paul Lysobey
August 25, 2021
in Compliance

The governor of Colorado on July 7 signed into law Senate Bill 21-190, the Colorado Privacy Act (CPA), making Colorado the third state after California and Virginia to enact comprehensive consumer data privacy legislation.

While the CPA will be impactful for auto lenders, the law provides a significant exemption for data collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA). The GLBA requires financial institutions to explain how they share and protect their customers’ private information. Whether the data is pursuant to the GLBA will ultimately depend on the timing of collection, including whether the data is collected before or after a borrower applies for credit.

Applicability

The CPA applies to “controllers” and “processors” of personal data. A controller is a person that determines the purposes for and means of processing personal data; a processor is defined as a person that processes data on behalf of a controller. The CPA broadly defines “processing” to include the collection, use, sale, storage, disclosure, analysis, deletion or modification of personal data.

As such, an auto lender that determines how or why personal information is collected or used may be considered a controller under the CPA.

The CPA applies to “controllers” of personal data including auto lenders who:

  • Conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado; and
  • Either control or process the personal data of 100,000 Colorado consumers or more during a calendar year, or
  • Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 consumers or more.

Consumers’ personal data rights

The CPA creates new personal data rights for Colorado consumers. Consumer rights under the CPA include:

  • The right to opt out of the processing of personal data for certain purposes;
  • The right of access to confirm whether a controller is processing the consumer’s personal data and to access the consumer’s personal data;
  • The right to correct inaccuracies in the consumer’s personal data; and
  • The right to delete personal information, and the right to data portability.

Consumers may exercise these rights by submitting a request to a lender specifying which rights the consumer wants to exercise. A lender must respond to the request to inform the consumer of the action taken. The controller must act without “undue delay” or no later than 45 days after receipt of the request. This holds true unless the controller notifies the consumer that they have extended that period, and the reasons for delay, within 45 days of receipt of the request. If the controller takes no action in response to the request, it must also notify the consumer within 45 days of the reasons for not acting, along with instructions for how to appeal the decision.

A lender is not required to comply with a consumer’s request to exercise a right under the CPA if the lender is unable to validate the consumer’s identity to authenticate the source of the request using commercially reasonable efforts.

Duties of controllers

The CPA provides a list of specific duties applicable to auto lenders under the law as controllers of personal data. In addition to exercising care and transparency, controllers also have a duty to specify a purpose for using a consumer’s data; restrict collection of data to what is adequate, relevant and reasonably necessary; avoid secondary use of data; and avoid unlawful discrimination against consumers. The CPA also specifies that a controller must not process a consumer’s “sensitive data,” as defined under the CPA, without first obtaining the consumer’s consent, or parental consent for a child under age 13.

Exemptions

The CPA lists people and information exempt from the scope of the law, including notable exemptions with respect to the GLBA. The law exempts: data collected, processed, sold or disclosed pursuant to the GLBA if done in compliance with the GLBA; and any financial institution or affiliate as defined by the GLBA.

Thus, any data collected after the GLBA applies to the transaction — i.e., after the consumer makes a request for a prequalified offer or applies for credit — will not be subject to the CPA. For example, data collected during the loan application process, origination or servicing would be exempt under the CPA. However, any personal data a vehicle dealer or lender collects from passive website visitors before the consumer applies for credit will be subject to the CPA notwithstanding the GLBA exemption.

Other exemptions include information created to comply with the Health Information Portability and Accountability Act (HIPAA); certain activities regulated by the Fair Credit Reporting Act (FCRA); data regulated by the Children’s Online Privacy Act; data regulated by the Family Educational Rights and Privacy Act; and data maintained for employment record purposes.

Personal data processed pursuant to an exemption may only be processed for a purpose specifically authorized by the CPA. Processing of personal data must be necessary, reasonable and proportionate to the specific purpose.

Enforcement

The Colorado attorney general and Colorado district attorneys have exclusive authority to enforce the CPA. There is no private right of action under the CPA. Note that before an enforcement action is commenced, the attorney general or district attorney must issue a notice of violation to the lender or controller, giving it an opportunity to cure or rectify the situation, if a cure is deemed possible. The controller has 60 days after receipt of the notice to cure the violation. In addition, any violation of the CPA is considered a deceptive trade practice under Colorado law.

Going Forward

The CPA becomes effective on July 1, 2023. The Colorado attorney general must also adopt rules by that date to detail and explain certain aspects of it, including the opt-out mechanism for consumers. By January 1, 2025, the attorney general will adopt rules governing the process of issuing opinion letters and interpretive guidance.

Although the effective date of the law is almost two years away, auto lenders covered under the CPA as controllers should act now to build consumer data tracking and mapping procedures to ensure that compliance procedures are in place. Moreover, with several other states currently considering their own data privacy legislation, lenders should be prepared for the enactment of additional state data privacy laws.

Paul Lysobey is an associate at McGlinchey. He advises clients on compliance with the Truth in Lending Act (TILA), Fair Debt Collection Practices Act (FDCPA), Servicemember Civil Relief Act (SCRA), Fair Credit Reporting Act (FCRA), and the Equal Credit Opportunity Act (ECOA).
