Dive Brief:
- The Federal Trade Commission on Monday warned auto dealers that recently updated regulations require them to protect customer data.
- The FTC modernized the Safeguards Rule twice in the past five years, and now it wants car dealers to understand their responsibilities.
- The guidance reflects the commission’s continued interest in protecting driver privacy, despite the change in political leadership following President Donald Trump’s election in 2024.
Dive Insight:
The Safeguards Rule, mandated in a 1999 law, is one of the FTC’s core cybersecurity regulations. The commission updated the regulation in 2021 to require more specific security precautions from covered companies, and in 2023, it broadened those requirements to include notifications within 30 days of data breaches affecting at least 500 people. Among the covered industries: car dealers that offer financing to customers.
In a Frequently Asked Questions document, the commission explained how car dealers should comply with the rule’s requirements to “develop, implement, and maintain a comprehensive written information security program that is sufficient to protect customer information.”
The document describes 10 elements of a compliant program, including written risk assessments, regular evaluations of protective measures, employee training, third-party vendor oversight and incident-response plans.
The document explains the difference between compliance with the Safeguards Rule and the Privacy Rule, answers questions about potential dealership practices and describes how dealers must ensure that their third-party service providers comply with the law.
The security and privacy of car customers’ data — especially the reams of sensitive information collected by cars themselves — has become a pressing issue as vehicles incorporate more internet-connected technology. Tesla’s car privacy issues have garnered significant attention, but other carmakers have also faced scrutiny, including General Motors, whose customers sued it in August 2024 for selling their driving data without notice.
The FTC has pursued cybersecurity and privacy cases more vigorously under Democratic leadership, but Republicans have grown increasingly willing to hold companies accountable for mishandling data. The Texas attorney general’s office has been scrutinizing car companies’ sale of driving data to third parties, including insurance companies. In January, the office sued the insurer Allstate as part of that investigation.
Correction: A previous version of this story mischaracterized the 2021 and 2023 updates to the Safeguards Rule.
