Barrie: Compliance Requires Constant Action

September 13, 2025

By Barrie Charapp Beaty
Charapp & Weiss, LLP
bbeaty@cwattorneys.com

Compliance requires continual implementation, reminders, and training. This is a refresher on the Privacy Rule and the Safeguards Rule.

The Privacy Rule

The Privacy of Consumer Financial Information Rule (the Privacy Rule) was issued under the Gramm-Leach-Bliley Act. It requires dealerships to provide privacy notices and to comply with limitations on the disclosure of consumer nonpublic personal information. Nonpublic personal information is personally identifiable financial information, and any list, description, or grouping of consumers that is derived using personally identifiable financial information that is not publicly available (16 CFR 313.3).

As it relates to dealerships, the Privacy Rule protects both consumers seeking financing or leasing from a dealership and customers who have begun the financing or leasing of an automobile.

The Privacy Rule applies to dealerships because they extend credit, arrange to finance or lease automobiles for personal use, or provide financial advice or counseling to individuals.

The FTC Privacy Rule:

  1. Requires dealerships to provide notice to their customers about their privacy policies and practices
  2. Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties AND
  3. Provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by “opting out” of the disclosure

(16 CFR 313.1)

The Privacy Rule lists the information that dealerships must include in their privacy notices. In the privacy notice, a dealership should include:

  • The categories of nonpublic personal information that they collect
  • The categories of nonpublic personal information that they disclose
  • The categories of affiliated and nonaffiliated third parties to whom they disclose nonpublic personal information, with some exceptions
  • The categories of nonpublic personal information about their former customers that they disclose, and the categories of affiliated and nonaffiliated third parties to whom they disclose nonpublic personal information about their former customers, with some exceptions
  • If dealerships disclose nonpublic personal information to nonaffiliated third parties that perform services on their behalf or market their products (16 CFR 313.13), a separate statement of the categories of information they disclose and the categories of third parties with whom they have contracted
  • An explanation of the consumer’s rights to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method by which the consumer may exercise this right.
  • Any disclosures that dealerships make under the Fair Credit Reporting Act, specifically, notices regarding the ability to opt out of disclosures of information among affiliates
  • Dealership policies and practices with respect to protecting confidentiality and security of nonpublic personal information
  • Any disclosures of nonpublic personal information to third parties that the dealership makes under the Privacy Rule’s exceptions (16 CFR 313.14 and 313.15)

(16 CFR 313.6)

The Privacy Rule also requires an opt out notice to consumers, explaining the right to opt out of disclosures. The opt out notice that dealerships must provide shall state:

  • That the dealership discloses, or reserves the right to disclose, nonpublic personal information about the consumer to a nonaffiliated third party
  • That the consumer has the right to opt out of that disclosure
  • A reasonable means by which the consumer may exercise the right to opt out

(16 CFR 313.7)

Dealerships should work with their forms provider to ensure their privacy notices are correct. To ensure compliance, your dealership should keep a checklist of the documents that belong in every deal file, and the privacy notice should be on that list. Your dealership should also perform periodic deal file audits to confirm that deal files are accurate and contain every required document. Dealerships should consult their legal counsel to ensure compliance.

FTC’s Safeguards Rule

The FTC’s Safeguards Rule (16 CFR Part 314) was issued to implement the information security requirements of the Gramm-Leach-Bliley Act. Since 2003, the FTC has required dealerships to implement safeguards to protect the nonpublic personal information of their customers.

In 2021, the FTC amended the Safeguards Rule to impose more specific requirements on dealerships. In 2023, it was amended again to require dealerships to notify the FTC of “notification events” (the unauthorized acquisition of unencrypted customer information) involving the information of 500 or more consumers, as soon as possible and no later than 30 days after discovery. The Safeguards Rule protects customer information such as applications for financing/leasing, spreadsheets or lists of all customers who financed/leased automobiles from a dealership, and other financial information of consumers who financed/leased automobiles from a dealership.

The FTC requires that dealerships develop, implement, and maintain a written information security program to protect customer information; the 2021 amendments did not create this requirement, but they spelled out the specific elements the program must contain. The Safeguards Rule states that a dealership’s information security program must be designed to achieve these objectives:

  • Ensure the security and confidentiality of customer records and information
  • Protect against any anticipated threats or hazards to the security or integrity of such records AND
  • Protect against unauthorized access to or use of customer records and information that could result in substantial harm or inconvenience to any customer

(15 USCS § 6801)

Staying in Compliance with the FTC’s Safeguards Rule

Dealerships must maintain compliance with the FTC’s Safeguards Rule. The Safeguards Rule sets out 10 elements that an information security program must include:

  • Designate a qualified individual to oversee, implement, and enforce your information security program
  • Base your program on a written risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, and assesses the sufficiency of the safeguards in place to control those risks
  • Design and implement safeguards to control the risks you identify through the risk assessment, including access controls, an inventory of the data and systems that hold customer information, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, secure disposal of customer information, change management procedures, and monitoring and logging of user activity
  • Regularly test and monitor the effectiveness of the safeguards, either through continuous monitoring or through annual penetration testing plus vulnerability assessments at least every six months
  • Implement policies and procedures to train personnel on your information security program, including security awareness training that is kept up to date
  • Oversee service providers, including by assessing the risk they present, requiring appropriate safeguards by contract, and periodically reviewing the adequacy of their safeguards
  • Evaluate and adjust your information security program in light of the results of testing and monitoring, material changes to your operations or business arrangements, the results of risk assessments, and any other circumstances that may have a material impact on the program
  • Establish a written incident response plan to respond to and recover from any security event affecting the confidentiality, integrity, or availability of customer information in your control
  • Require your qualified individual, mentioned above, to report in writing to your dealership’s board of directors or governing body at least annually on the overall status of your information security program, its compliance with the Rule, and the risks associated with it
  • Notify the FTC of any notification event involving the information of at least 500 consumers as soon as possible, and no later than 30 days after discovery of the event

(16 CFR § 314.4)

Dealerships must be proactive in implementing, executing, and maintaining their information security programs to protect both themselves and the information of their customers. Given the expanded requirements of the Safeguards Rule, dealerships should seek the advice of counsel and, where appropriate, the services of compliance companies such as ComplyAuto.

For more guidance on both Rules, the FTC has posted updated FAQs for dealers on the Privacy Rule and the Safeguards Rule.