FTC Issues Guidance on Dealer Compliance with Safeguards Rule

Written by National Auto Dealers Association (NADA) | Jun 19, 2025 5:28:57 PM

The Federal Trade Commission issued a Frequently Asked Questions document to help dealers comply with the Safeguards Rule.

Dealers work with manufacturers and vendors to ensure customer information is protected as required by the Safeguards Rule. However, there have been questions regarding how dealers can comply with the rule regarding contracts with OEMs and other vendors.

The FAQ provides a useful summary of the key Safeguards Rule duties applicable to dealers and cites the 2005 FAQ on the Privacy Rule and Auto Dealers and FTC Safeguards Rule: What Your Business Needs to Know.

Key points from the FAQ that address situations specific to dealers:

  • Dealers need to notify the FTC of a breach as soon as possible and no later than 30 days after discovery if there is an unauthorized acquisition of unencrypted information unless there is reliable evidence to show that there has not been, or could not reasonably have been, unauthorized acquisition of the customer information in question.
  • Sharing a list of all customers who have purchased a vehicle with an OEM is not covered under the Safeguards Rule or the Privacy Rule—name and address information alone does not trigger the requirement to provide a privacy notice or opportunity to opt-out to an individual under the Privacy Rule. If a list, however, contains information obtained in the financing process, including the fact that the individual sought or obtained financing or leasing, dealers would need to comply with the Privacy Rule.
  • A comprehensive database that stores all information obtained from individuals (interest in buying a vehicle, applied for and obtained financing) with name, address, vehicle purchased, and Social Security number would need to comply with the Safeguards Rule. The Privacy Rule will also need to be followed if a dealer provides an OEM access to the complete database, unless an exception applies. A database and a list generated from the database do not have the same compliance obligations. A list generated from that database containing only the names and addresses of everyone who purchased a vehicle would not be subject to the Safeguards Rule or Privacy Rule if the list does not include other protected information.
  • Overseeing a service provider does not mean dealers have to get the service provider to agree to meet all requirements of the Safeguards Rule. The Safeguards Rule gives dealers flexibility to select service providers whose safeguards are appropriate for the customer information they will be using.

NADA will continue engaging with the FTC to ensure dealers have clarity to comply with the Safeguards Rule and Privacy Rule that protects customer information and does not burden business.

 NADA offers a variety of optional resources to assist dealers with compliance, including:

This memorandum is offered for general informational purposes only and is not intended to constitute legal advice. Each dealer should seek their own legal counsel and make their own independent business decisions and work with their attorneys to ensure compliance with the law.

 Be sure to consider NHADA's Legal Partners for further guidance.