Thomas B. Hudson is a partner in the law firm of Hudson Cook LLP.

I recently read a complaint filed by a consumer in federal court against a North Carolina dealer. The complaint contained 11 counts, all centering around alleged identity theft by an F&I manager who supposedly faked a credit application and leaked the consumer’s private information to other parties. The claims that got me thinking, however, were those pertaining to the dealership’s privacy policies.

One count claimed the dealership committed an unfair and deceptive trade practice when it falsely represented to its customers that it had created and implemented a system of “physical and electronic safeguards,” and that it restricted access to customer information entrusted to it by customers and potential customers. In actuality, the dealership had no such system in place. The dealership was “talking the talk,” but wasn’t “walking the walk.”

Another count argued that the dealership’s action constituted “negligence per se” for failure to comply with the Gramm-Leach-Bliley Act, the federal law that imposes privacy and safeguarding responsibilities on dealers and other creditors. Still another count alleged a “breach of express and implied contractual duty to safeguard confidential financial information.”

As I read the complaint, I recalled several recent legal audits we’d done for dealers. We asked the dealers to produce for our review all of the documents they provide to customers and potential customers.

Each of the dealers included a copy of their privacy policy in the document review. Each privacy policy said something like, “Our dealership has created and implemented a system of physical and electronic safeguards.” The policy also stated, “We restrict access to customer information entrusted to it by customers and potential customers.” Does that sound familiar?

When we asked the dealers to show us the “system,” we got blank looks. The “system” didn’t exist. It was all talk and no walk.

So the dealers, who had no existing privacy safeguarding systems, were handing out privacy policies and posting them on their websites to tell their customers that such systems were in place. That’s the basis of the unfair and deceptive act or practice claim in this lawsuit.

So, what are you telling your customers about your privacy safeguarding practices? You are probably handing out a document titled “Privacy Policy,” and you probably also have your privacy policy posted on your dealership’s website.

But have you read that policy? Is your dealership actually doing what your privacy policy says it is doing with regard to protecting consumer information?

If so, do your dealership sales and financing practices and procedures mirror the code’s provisions? Or are you all talk and no walk? If your practices don’t measure up to your own posted description of your conduct, count on some plaintiff to turn that discrepancy into an unfair and deceptive act or practice claim. When one does, you can bet I’ll be writing about your case on this page.

Comparing the “walk” with the “talk” at your dealership — and making sure they match — can head off claims like this one and keep you out of court.

About the author
Tom Hudson

Thomas B. Hudson Esq. was a founding partner of Hudson Cook LLP and is now of counsel in the firm’s Maryland office. He is the CEO of LLC and a frequent speaker and writer on a variety of consumer credit topics.
