Data Privacy & Cybersecurity: Overview for New Hampshire Dealers
As a car dealer, privacy and cybersecurity probably aren't at the top of your daily to-do list, but they should be on your radar. The way dealers collect and manage customer data has changed dramatically in recent years, and the rules around it have gotten a lot more complicated. This article hits five key areas every New Hampshire dealer should know about.
I. FTC SAFEGUARDS RULE
Automobile dealerships are regulated as “financial institutions” under the Gramm-Leach-Bliley Act (GLBA) and must comply with the Federal Trade Commission’s (FTC) Standards for Safeguarding Customer Information, commonly known as the Safeguards Rule. The Safeguards Rule got a major overhaul in 2021, and complying with the new requirements isn't simple for dealers. Dealers are on the hook for a long list of technical and procedural requirements -- and for most, trying to handle it all in-house is a heavy lift.
What does compliance look like in practice? Dealers need a designated qualified individual overseeing the program who reports to ownership or senior management at least annually. Customer data must be encrypted, both when it's stored and when it's being transmitted. Every employee with access to customer information systems needs multi-factor authentication. On top of that, dealers need access controls, regular vulnerability assessments, penetration testing, and a tested incident response plan. One requirement that often catches dealers off guard: the Rule also requires monitoring and logging of authorized user activity, which means you need to be watching for insider misuse, not just outside attacks.
II. STATE PRIVACY LAWS -- A GROWING PATCHWORK THAT INCLUDES NEW HAMPSHIRE
Twenty states have now passed comprehensive consumer privacy laws, and more are on the way. While these laws vary, they share a common core: consumers get rights to access, correct, delete, and opt out of the sale of their data, and businesses face new obligations around data minimization, handling sensitive data categories, and vendor contracts. For a dealership with customers across state lines, several of these laws may already apply at once.
New Hampshire joined the list when Governor Sununu signed the New Hampshire Data Privacy Act (NHDPA). The NHDPA gives New Hampshire residents the right to access, correct, and delete their personal data, get a portable copy of it, and opt out of targeted advertising, certain profiling, and most data sales. But does the NHDPA apply to dealers? It’s a question of the amount and kind of data dealers process.
First, thresholds. The NHDPA applies only to businesses that, during a one-year period, either process personal data of at least 35,000 unique New Hampshire consumers, or process data of at least 10,000 consumers and derive more than 25% of gross revenue from selling personal data.
Second, the NHDPA exempts financial institutions and data subject to Title V of the Gramm-Leach-Bliley Act. Because franchised dealers are financial institutions under GLBA and subject to the FTC Safeguards Rule, there is a strong argument that dealers fall within this exemption. That said, the exemption's scope and how aggressively the NH AG may interpret it are worth confirming with counsel before concluding the NHDPA doesn't apply to your store.
On enforcement: there's no private right of action. Only the NH Attorney General can bring enforcement actions. A 60-day cure period was available through the end of 2025, but as of January 2026, any right to cure is discretionary. Violations are treated as unfair or deceptive acts.
III. THE 700CREDIT BREACH: A CAUTIONARY TALE
In December 2025, 700Credit -- a leading provider of credit and compliance solutions to the automotive industry -- confirmed that a breach had occurred within its systems between May and October 2025, affecting over 5.8 million individuals across approximately 18,000 dealerships and exposing unencrypted names, addresses, and Social Security numbers. This was the latest in a series of high-profile breaches at dealer vendors, and it delivered several key lessons.
First, breach notification obligations vary significantly by state -- some regulators permitted 700Credit to submit agency and consumer notices on dealers’ behalf as an authorized agent; others did not, requiring dealers to file independently or through their state dealer association. The National Automobile Dealers Association (NADA) coordinated a consolidated filing with the FTC on behalf of affected dealers, but this was an accommodation, not a standard right, and it does not relieve dealers of individual state-level obligations. Second, and most importantly: the dealership -- not its vendor -- retains ultimate legal responsibility for regulatory compliance. While a vendor may manage the notification process, the dealer owns the underlying legal obligation. Third, vendor oversight is a real-time legal duty under the Safeguards Rule, not a one-time contract exercise. Dealers must maintain current vendor inventories, written safeguard provisions, and pre-established incident response plans before the next event occurs. "Of course, this follows the 2024 CDK breach incident, as well as several highly publicized breach events at dealerships themselves. Getting a handle on your vendors, their data security posture, and your potential obligations in the event of a breach at your vendor are critical to understand."
IV. COOKIE BANNERS AND WEBSITE TRACKING
Every New Hampshire dealership website is a data collection environment, quietly routing visitor information to third-party advertising and analytics platforms through tracking technologies most dealers never think about. That's a problem for several reasons covered in this article.
State privacy laws treat the use of these tools as data processing activity subject to opt-out rights. Federal and state UDAP laws create additional exposure. But the most immediate risk for most dealers right now is litigation. Demand letters and lawsuits are being filed across the country, all centered on the same basic allegation: the website collected or shared user data without meaningful consent, which allegedly violates a state or federal law against wiretapping or recording. A cookie banner that merely discloses the existence of cookies, without providing a functional and accessible opt-out, does not satisfy state or federal requirements and will not protect you from these claims. Unfortunately, these claims are rampant right now, and they are nationwide, not limited to CA or other high-risk jurisdictions.
Dealers need to take three steps. First, ensure your website has a compliant cookie consent banner, one that actually works, not just one that checks a box. Second, audit your website data flows so you understand what information is being collected and where it is going. Third, make sure the vendor managing your consent platform has both the legal knowledge and the technical capability to do this right. These are not the same thing, and many vendors have one without the other.
This is a complicated area of law. ComplyAuto offers tools specifically designed to give dealers visibility into and control over what is happening on their websites. Learn more at complyauto.com.
V. THE IMPERATIVE OF PROACTIVE DATA SECURITY
Every framework discussed above points to the same conclusion: businesses entrusted with consumer data must protect it proactively. A defensible program begins with a current data inventory -- knowing what personal data is collected, where it is stored, with whom it is shared, and how long it is retained. Technical controls must follow: encryption, multi-factor authentication, least-privilege access, monitoring, and patch management. Employee training on phishing and data handling is both legally expected and practically essential. And a tested incident response plan -- with outside counsel and forensic resources pre-identified -- can mean the difference between a manageable event and a regulatory catastrophe.
New Hampshire dealers are operating in an environment where the stakes keep rising. Federal obligations under the Safeguards Rule, a new state privacy law with an AG's office empowered to enforce it, and a rapidly evolving threat landscape mean that doing nothing is no longer a viable option. The cost of building a strong data security program is a fraction of what a major breach or an enforcement action will cost you. ComplyAuto can help you get there. www.complyauto.com.
DISCLAIMER: This article is for general informational purposes only and does not constitute legal advice. Consult qualified legal counsel regarding your specific obligations.
NHADA Attorney Partners
NHADA Diamond Compliance Partner ComplyAuto


