What Are You Doing to Safeguard Your Customer Data?

We have written extensively on customer data protection issues. There has been no hotter issue considered by state legislatures, principally because of passage in California of consumer data rights legislation with which California dealers have been struggling to comply.

We have noted that the California legislation was passed hurriedly, with complex and confusing provisions that have required subsequent passage of multiple correcting laws. California bureaucrats have compounded the problems by issuing regulations that further muddy the waters. Compliance has been a nightmare for California businesses. Even with the problems caused for California businesses by the California legislation, the publicity for those who sponsored the mandates has been positive. As a result, many states have been considering consumer data rights statutes similar to the flawed California law.

Dealers have concerns about how their data is being handled. Dealers have themselves sought data legislation, most recently a statute enacted in Arizona regulating the rights of franchisors and dealer management system (DMS) suppliers. DMS suppliers have sued to declare the Arizona legislation unconstitutional. In a recent decision, the court considering the case denied the DMS suppliers' motion for a preliminary injunction against enforcement of the law, a tremendous victory for Arizona dealers. But unless the DMS providers throw in the towel, the Arizona case will take some time to reach a decision, followed by a likely appeal.

Consumer data is liable to be a legislative battleground, even at the federal level, for years to come. Should you wait for legislation before doing what you can to protect the data your dealership collects?

What You Can Do to Protect Your Data

Dealers have an opportunity now to protect their data.

Virginia passed legislation limiting what a franchisor can do to require a dealer to give a franchisor access to the dealer’s DMS system to capture customer information. Besides those rights, dealers have the ability (limited to be sure) to raise objections when manufacturer programs are overreaching. A dealer’s ability to limit franchisor access to customer contact information can never be absolute since a franchisor must know information about buyers of new vehicles. Manufacturers must have full customer information on new vehicles to deliver recall information under federal law and to properly administer warranty protections, as examples.

Dealers can do a lot, however, with suppliers who may have access to customer information. Why sign an agreement a supplier hands to you with inadequate data protections? As in any supplier agreement, your dealership has no greater leverage than when the supplier is attempting to do business with you. Use that leverage. If there is any opportunity for a supplier to have access to your customer data, put strict limits on that.

What You Should Require

There are certain things you should require in any contract with a supplier that may have access to your customer data.

  • Require compliance with the Federal Trade Commission’s Information Safeguards Rule. The FTC requires that a dealership provide in a contract with a supplier that the supplier will protect the non-public personal information (NPPI) of the dealer’s customers. Too often, supplier contracts require the dealer to protect NPPI, but they are silent as to the supplier’s obligation to have an NPPI policy and procedure in place. Make sure that the contract with a supplier requires protection of your NPPI, not only to actually protect your information but to comply with the FTC Rule.
  • Regardless of whether the dealer’s data available to a supplier is NPPI, it should be protected from disclosure to others. The exception should be if the supplier receives a subpoena or other compulsory process for the information, but there should be a procedure for notification to the dealer so the dealer can try to protect the information if necessary.
  • As a further protection for a dealer’s information, the agreement should provide specifically that information from the dealership will only be used for providing services under the agreement to the dealer.
  • Whether or not data is NPPI, the supplier should not be permitted to use the data in compilations for its own use or for others.

You may never consider monetizing your data by selling to others. Few dealers do. However, it is your data. It is valuable for your continuing business and is an important part of goodwill value if you sell your business. You should not be giving it away so it can be monetized by a supplier.

Also consider including rights in a supplier contract to have the supplier certify compliance, and even provide for dealer rights to audit the supplier’s compliance with the agreement.

Where You Must Litigate is Important

We have often written about the need in any supplier contract to designate where and how a claim under a contract can be litigated. Most suppliers will tender to a dealer an agreement which provides that the applicable law will be that of the state where the supplier is located and any lawsuit or other non-judicial proceeding must be heard in the city and state where the supplier is located. Why agree to that? The supplier comes to you in your city or town, in your state, to do business with you. It is a hardship for you to go to the supplier’s home state and have the laws of that state apply. It is not a hardship for that supplier to go to court in your city or county with the principles of law of your state applying.

This form can be an amendment to a supplier agreement implementing the suggestions in this article. Telling a supplier you will only enter a contract if the supplier agrees to these terms may lead to discussions and negotiations. The goal is to achieve provisions workable for both parties. If a supplier is unwilling to even consider these provisions, consider whether the services of another supplier are necessary to protect your dealership.