For years, the automotive industry has navigated a complex landscape of regulations, from sales practices to lending laws. Yet, a new, intensified focus from the Federal Trade Commission (FTC) on data security and safeguards is rapidly emerging as a paramount concern.
While some dealerships and lenders may harbor a false sense of security, believing their operations are too small to attract regulatory attention or that significant compliance efforts can be deferred, recent enforcement actions by the FTC against prominent automotive groups deliver a stark and urgent warning: the hammer is indeed poised to drop, and the time for robust cybersecurity measures is not in years, but now.
The Shifting Sands of Enforcement
The notion that only the largest corporations and dealerships are susceptible to FTC scrutiny on data security is a dangerous misconception. The FTC’s commitment to protecting consumer data is unwavering, and its enforcement capabilities are far-reaching. While headlines often focus on multi-million-dollar penalties levied against household names, the agency’s strategy demonstrably includes pursuing entities across the spectrum, including those within the automotive sector. The FTC’s recent actions serve as a bellwether, indicating a heightened level of vigilance and a willingness to act decisively.
Consider, for instance, the recent actions taken against General Motors and OnStar. In January 2025, the FTC announced a proposed order against GM and OnStar for allegedly collecting, using, and selling drivers’ precise geolocation data and driving behavior information without adequately notifying consumers and obtaining their consent. This action, the FTC’s first related to connected vehicle data, highlights the agency’s expanding purview beyond traditional financial data to encompass the vast array of information generated by modern vehicles.
While this particular case involved a manufacturer and its connected services arm, the underlying principle – the mishandling of sensitive consumer data – resonates deeply with dealerships and lenders who similarly collect and manage a wealth of personal information from their customers. The FTC’s complaint against GM alleged that their enrollment process for OnStar and the Smart Driver feature was confusing and misleading, failing to clearly disclose how precise geolocation and driving behavior data would be collected and sold to third parties, including consumer reporting agencies, impacting insurance rates.
This precedent underscores the critical importance of transparent data collection practices and robust consent mechanisms for any entity handling consumer data, and auto companies of all sizes are now in the FTC crosshairs.
Beyond the “Big Guys”
While not directly a Safeguards Rule enforcement, the FTC’s ongoing focus on deceptive practices within the auto industry, including allegations of misrepresenting vehicle prices, deceptively charging for add-on products, and pressuring customers for positive reviews, further emphasizes the agency’s broad oversight. Although the FTC’s Combating Auto Retail Scams (CARS) Rule was recently vacated on procedural grounds, the underlying principles of consumer protection and the agency’s commitment to combating unfair and deceptive practices remain.
Dealerships should not view the CARS Rule’s fate as a reprieve from regulatory scrutiny. Rather, it simply redirects the FTC’s focus back to existing consumer protection laws, including the Safeguards Rule. Auto-related complaints consistently rank among the top 10 categories reported to the FTC, underscoring the ongoing need for vigilance.
June: A Timely Reminder of the Safeguards Rule’s Mandate
As we are now in June, it’s particularly pertinent to reflect on the FTC’s Safeguards Rule. It was in June 2023 that the updated FTC Safeguards Rule’s compliance deadline came into full effect for auto dealerships. This rule, stemming from the Gramm-Leach-Bliley Act (GLBA), mandates that financial institutions – a definition that explicitly includes auto dealerships and lenders because they handle sensitive customer financial information – implement comprehensive information security programs to protect customer data.
This anniversary serves as a critical reminder that compliance is not a one-time event, but an ongoing, evolving commitment. Many dealerships, while having made initial efforts, may still be struggling to fully meet or maintain the new and complex security standards, which include conducting periodic written risk assessments, implementing multi-factor authentication (MFA), encrypting sensitive information, training security personnel, and developing incident response plans. The fact that many businesses are still playing catch-up signifies the persistent challenge and, concurrently, the heightened risk of non-compliance.
The Safeguards Rule mandates that any business collecting or maintaining sensitive customer information related to financial accounts and transactions must develop, implement, and maintain a comprehensive written information security program (ISP). This includes details like Social Security numbers, bank account information, and loan documents – the very backbone of auto financing. Failure to adhere to these requirements can result in severe financial penalties, currently up to approximately $50,125 per violation, which can quickly escalate given the volume of consumer data handled by dealerships. Beyond monetary fines, a breach can also lead to protracted legal action from affected customers.
Beyond Compliance: The Imperative of Reputational Integrity
The financial penalties associated with non-compliance and data breaches are undoubtedly severe, but they represent only a fraction of the total cost. The reputational damage inflicted by a cybersecurity incident can be far more enduring and devastating. In an era where trust is a primary currency, a data breach can erode consumer confidence, leading to a loss of existing customers and a significant impediment to attracting new ones.
A dealership’s brand is built on reliability, service, and, increasingly, trustworthiness in safeguarding personal information. A public disclosure of a data breach, even if contained, can trigger a cascade of negative publicity, social media backlash, and a perception of negligence that can take years, if not decades, to repair. The cost of public relations campaigns, crisis management, and the long-term impact on sales figures can easily eclipse any direct fines. Moreover, a breach can also damage relationships with lending partners, who rely on dealerships to be responsible stewards of shared customer data.
The FTC’s sharpened focus on data security, underscored by recent enforcement actions and the recurring anniversary of the Safeguards Rule in June, leaves no room for complacency. For auto dealers and lenders, safeguarding customer information is no longer just a regulatory obligation. It is an indispensable component of financial stability, brand reputation, and long-term viability.