Automobile dealer performs credit checks of potential client without her consent
PIPEDA Report of Findings #2015-005
March 31, 2015
An individual and an automobile dealer were in discussions over the purchasing and financing of a vehicle. According to the individual, the nature of the financing, either in the name of her business or with her as a co-signer with her business, was still to be determined.
As negotiations continued, the individual noticed on her personal credit report that the automobile dealer’s bank had already conducted two credit checks, five days apart. She asked the dealer if the checks could be removed from her file and was told that was not possible, although the dealer did offer apologies.
The dealer also explained that it was trying to be efficient and expedite the delivery of her vehicle, which is why it had sent her personal information (e.g., her social insurance number) on to the bank for approval. The individual was not satisfied and filed a complaint with our Office. At the same time, her purchase and finance negotiations with the dealer stopped.
The dealer explained to our Office that it was standard practice for a business manager to meet with each prospective financing customer in order to: explain the purpose for conducting a credit inquiry; review a credit application; and ensure that the customer’s signature was obtained on the credit application before proceeding. The dealer claimed that such a meeting did occur with the complainant and that she had signed a credit application. However, the dealer was unable to produce a copy of the signed application, saying certain documents had been destroyed before the business moved offices.
In addition, the dealer explained that two credit checks were conducted on the complainant to cover the two possible ways of financing being considered (in the name of the complainant’s business or with her as a co-signer with her business). The dealer however admitted that it had not obtained separate consent from the individual for one of the credit checks.
Before our investigation concluded, the dealer said it had amended two procedures. The first ensures that when an individual is considering multiple financing options, separate credit inquiries ─ each with its own consent ─ are run. The second introduced a new document handling procedure and a fixed retention schedule for files that do not conclude with a sale. Staff received training for both new procedures.
In conclusion, since there was no evidence presented to our Office that the complainant had signed the two credit checks, PIPEDA Principle 4.3 regarding user knowledge and consent prior to disclosing personal information was contravened.
However, as we were satisfied with the dealer’s response to the issues raised by the complaint, we determined that the matter was well-founded and resolved.
- The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. In general, for “hard pull” credit checks that may impact one’s credit score, organizations should obtain a separate consent from the individual concerned for each “hard pull” credit check performed on them.
- Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods.
- Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An example of this type could be credit and financing information.
Report of Findings
Complaint under the Personal Information Protection and Electronic Documents Act (the "Act" or "PIPEDA")
The complainant alleges that an automobile dealership (or the “respondent”) collected her personal information without her consent. Specifically, the complainant alleges that the respondent performed two checks on her personal credit report without her express authorization.
The respondent represented that its standard procedures require sales staff to obtain express consent from customers before proceeding with a credit check. The organization, however, acknowledged that they were unable to provide evidence that the complainant’s consent had been obtained in the two instances at issue, as: (i) the credit application that would have allegedly evidenced consent for the first inquiry had been inadvertently destroyed during a move; and (ii) it had not obtained consent from the complainant specifically for the second inquiry.
Subsequent to the events which led to this complaint, and after our intervention, the respondent implemented new policies and procedures with a view to ensuring that: (i) a customer’s consent is provided each time prior to the company accessing his or her credit information; and (ii) proof of consent is retained for an appropriate length of time.
Accordingly, our Office concluded this complaint to be well-founded and resolved.
- The complainant alleges that the respondent, an automobile dealership, collected her personal information without her consent. More specifically, she claims that the respondent conducted two inquiries on her personal credit report without her authorization.
Summary of Investigation
- The complainant entered into discussions with the respondent with the aim of financing a vehicle for her business.
- The complainant endeavored to finance the vehicle in the name of her business, or alternatively, if that was not possible, as a personal co-signor with the business.
- The complainant alleges that she “didn’t sign anything” in relation to the prospective transaction.
- Shortly after entering into negotiations with the respondent, the complainant noted on her personal credit report that the respondent’s bank had conducted two credit inquiries, five days apart.
- The complainant contacted several representatives of the respondent to make her concerns known and request that it have the inquiries removed from her credit report.
- The complainant provided us with copies of email correspondence, between herself and the respondent, discussing her concerns. The organization sent an email confirming that the credit agency could not remove the inquiries from the complainant’s credit file, and offering her an apology. In a subsequent email, the respondent explained to the complainant that it was trying to be efficient and expedite the delivery of her vehicle, and that is why it had sent her personal information (e.g., her social insurance number) to the bank for approval.
- Dissatisfied with the organization’s response, the complainant filed a complaint with our Office.
- In its representations to our Office, the respondent explained that it performs a credit inquiry in respect of customers who wish to finance a vehicle, for the purpose of assessing their eligibility for such financing.
- The respondent indicated that it was standard practice to have a business manager meet with each prospective financing customer in order to explain the purpose for conducting a credit inquiry. During the meeting, the business manager was also expected to review a credit application, and to ensure that the customer’s signature was obtained before proceeding with an external credit check.
- The organization’s credit application to be signed by the customer states that the customer authorizes the dealer and any affiliated credit agency or the customer’s financial institution to lead an investigation into the customer’s employment and credit history.
- While the respondent represented that the complainant had met with a business manager and had signed a credit application, and while it would appear that the complainant did provide certain elements of her personal information to the respondent during the financing negotiations process (see paragraph 7, above), the organization acknowledged that it was unable to provide evidence that it had obtained consent for the initial inquiry. They explained that a number of documents, including those pertaining to the complainant, were inadvertently destroyed when the company moved to a new location.
- To explain why it had requested two credit inquiries on the complainant’s file, the respondent clarified that it had conducted an initial credit pull to assess financing in which the complainant was a co-signatory with her business. The respondent proceeded to perform a second check on the complainant’s file, in order to evaluate a second option of financing with the complainant as sole signatory. The organization acknowledged that it had not obtained consent before proceeding with this second check.
- The respondent attested that it has amended several processes after learning of the circumstances underlying the complainant’s concerns.
- When it was discovered that relevant documents had been destroyed in the course of the respondent’s relocation, the organization established a filing system specifically for files that do not end with the sale of a vehicle. The respondent drafted a policy with respect to the handling of these files, which includes a retention schedule. It also communicated to, and trained, staff with respect to the implementation of that policy.
- During the course of our investigation, the respondent also agreed to create a documented procedure to ensure, in instances where multiple financing options are being considered by a single individual, that consent for each credit inquiry is obtained by the organization. It subsequently communicated, and provided training, to staff with respect to this new procedure.
- In making our determination, we applied Principle 4.3 of Schedule 1 of the Act, which provides that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
- We accept the respondent’s assertion that it conducts a credit inquiry for the purpose of verifying a customer’s credit-worthiness for vehicle financing. In this case, the initial credit inquiry was requested by the respondent with a view to determining whether the complainant was eligible to finance a vehicle, and at what rate.
- In our view, this practice, and the associated purpose, is explained via the language displayed prominently just above the signature line on the Customer Credit Application.
- However, based on the complainant’s assertion that she did not sign any documentation, the fact that the respondent was unable to provide a copy of a credit application evidencing that it had obtained express consent for the initial credit inquiry, and the respondent’s acknowledgement that it had failed to obtain her consent for the second credit inquiry, we accept that the respondent indeed failed to obtain the complainant’s consent prior to the collection of her credit information.
- In our view, therefore, the respondent contravened Principle 4.3 of Schedule 1 of the Act.
- We acknowledge, however, that subsequent to our intervention, the respondent has since implemented: (i) certain procedures and associated training with a view to ensure that its staff obtain adequate consent for future credit inquiries, as well as (ii) a new filing system, retention policy and associated training to ensure that proof of consent is retained in future.
- Accordingly, we conclude that the matter is well-founded and resolved.
- Date modified: