Privacy Notice Compliance Checklist: What Dealerships Actually Need to Do

Tags: privacy compliance, FTC Safeguards Rule, dealer license, data disclosure, automotive compliance

Back in 1970, the Fair Credit Reporting Act became law, and dealerships learned a hard lesson: what you tell customers about their data actually matters. Fifty years later, the FTC's Safeguards Rule updates have made that lesson painfully relevant again, and if your dealership hasn't refreshed its privacy notices since, say, 2016, you're sitting on a compliance blind spot that could cost you your dealer license and a whole lot more.

Here's the thing about privacy compliance: it's boring, it feels bureaucratic, and it's easy to convince yourself that your old template is "fine." Right up until an audit reveals it isn't, or a customer files a complaint, or the FTC decides to look closer at your data practices. The good news? A solid privacy notice checklist takes the guesswork out of the equation.

Why Privacy Notices Matter More Now Than Ever

The regulatory environment around customer data has shifted dramatically. The FTC's updated Safeguards Rule (effective as of December 2023 for most dealerships) tightened requirements around how you collect, store, and handle personal information. Your state's privacy laws might add additional layers on top of federal rules. California's CCPA, for instance, gives customers specific rights to know what data you hold and how you use it. And that's before you consider the patchwork of industry-specific regulations tied to vehicle sales, financing, and service.

What does this mean operationally? Your privacy notice isn't just a legal formality anymore. It's a disclosure tool that tells customers exactly what you're doing with their information. If your notice doesn't match your actual practices, you've got a compliance problem.

Consider a typical scenario: a customer comes in for a service appointment at your dealership. You collect their phone number, email, vehicle VIN, and service history. Do your customers know that you're storing that data indefinitely? That you might share it with third-party vendors for service scheduling or recall notifications? That you retain it for warranty claims and customer follow-up? If your privacy notice doesn't spell this out clearly, you're exposed.

The Core Checklist: What Your Privacy Notice Must Include

Information Collection and Purpose

Start here. Your notice needs to identify every category of personal information you collect and explain why you're collecting it. Don't be vague. "Customer information" isn't enough. Break it down: name, address, phone, email, driver's license number, vehicle history, service records, payment method, financing information.

Then explain the business purpose. Are you collecting phone numbers for service reminders? Say so. Are you gathering email addresses for marketing? Disclose it. Are you retaining VINs for recall tracking? Put it in writing. The FTC wants to see a clear connection between what you collect and why you collect it.

This is where a lot of dealerships slip up. They collect data for one reason (say, processing a service RO) but then use it for another (marketing calls six months later) without ever updating their notice. That's a compliance gap.

Data Sharing and Third Parties

Who else gets access to customer data at your dealership? This list is longer than most dealers realize. Your parts vendor might need VINs for ordering. Your lender might need credit information for financing. Your insurance provider might need accident history for claims. Your CRM system stores everything in the cloud. Your email marketing platform has copies of customer addresses.

Your privacy notice must disclose all of these relationships. And here's the critical part: you need to explain what each third party can and cannot do with that data. If you're sharing customer phone numbers with a service scheduling vendor, your notice should say that. If you're not allowing that vendor to use those numbers for marketing, say that too. The more specific you are, the better your legal position.

Don't hide behind language like "we may share information with service providers." Instead, name categories of service providers and explain what data flows to each.

Data Retention and Deletion

How long do you keep customer records? This matters legally and operationally. From a legal standpoint, many states now require you to disclose retention periods. From an operational standpoint, you should actually have a retention policy in the first place (a lot of dealerships don't).

A typical automotive dealership might retain service records for the life of the vehicle plus some period afterward (say, seven years, to cover warranty claims and potential disputes). Customer contact information used for marketing might be retained for as long as the customer is active, plus a reasonable period after last contact. Financial records related to sales or service might have to be kept longer to comply with tax or lender requirements.

Your privacy notice should reflect your actual practice. If you say you delete data after one year but you're actually keeping it indefinitely, you've created a compliance problem. And if you don't have a documented retention policy, you need one before you finalize your privacy notice.

Customer Rights and How to Exercise Them

Depending on where your dealership operates, customers might have the right to access their data, correct inaccurate information, request deletion (with some exceptions), or opt out of marketing communications. Your privacy notice needs to explain these rights clearly and tell customers how to exercise them.

This usually means providing a mailing address, email address, or phone number where customers can submit requests. Make sure that contact method actually works. If your privacy notice says customers can email privacy@yourdealership.com but nobody's monitoring that inbox, you've defeated the purpose.

Better dealerships are building this process into their operations systems. When a customer requests their data, someone needs to locate it, verify the customer's identity, and respond within the timeframe your state requires (often 30 to 45 days). This is exactly the kind of workflow that operations management platforms are built to handle, because it's easy to miss a request if you're tracking it in email or spreadsheets.

Security Safeguards

The FTC's Safeguards Rule requires dealerships to implement reasonable security measures to protect customer data. Your privacy notice should describe these at a high level. Customers don't need to know your exact encryption standards, but they should know that you take security seriously.

Common safeguards to mention: encrypted data transmission, restricted access to customer records, regular security audits, employee training on data handling, and incident response procedures. If you don't have these in place, implement them before you publish your notice. Otherwise you're making promises you can't keep.

The Implementation Checklist: Getting It Done Right

Audit Your Current Practices

Before you write a single word of your updated privacy notice, spend time documenting what your dealership actually does with customer data. Walk through each department. Parts managers, service directors, sales staff, F&I—ask them what information they collect, how they use it, and where it goes.

You'll probably discover data flows you didn't know existed. Maybe your detail shop takes photos of vehicles and stores them in the cloud. Maybe your service scheduling system integrates with a texting platform. Maybe your parts manager has a personal list of customer email addresses for promotional offers. Document all of it. Your privacy notice can only be accurate if you know what's actually happening.

Identify Your Legal Obligations

What privacy laws apply to your dealership? At minimum, you're subject to federal rules like the FTC Safeguards Rule and the Fair Credit Reporting Act. If you operate in California, you're subject to the CCPA (and soon the California Privacy Rights Act). If you're in Virginia, Colorado, Connecticut, or Utah, state-level privacy laws apply. If you handle health information related to customers with disabilities, HIPAA might touch you. If you collect data on minors, COPPA has requirements.

The safest approach is to research your state's privacy laws and the FTC's latest guidance, then draft a notice that meets the highest standard. If your notice complies with California law, it's likely to cover most federal and state requirements elsewhere. (This is a generalization, not legal advice—consult your dealership attorney to be sure.)

Draft and Review

Write your privacy notice in plain language. Avoid legal jargon where possible. The FTC actually prefers notices that customers can understand, not dense legal documents that nobody reads. Break your notice into sections with clear headings. Use bullet points where they help readability.

Once you've drafted it, have your dealership's attorney review it. Don't skip this step. A lawyer can spot compliance gaps and flag language that could expose you to legal risk. The cost of legal review (typically $500 to $2,000 depending on your attorney) is trivial compared to the cost of an FTC enforcement action or a data breach lawsuit.

Make It Accessible

Where does your privacy notice live? It should be visible and easy to find. Post it on your website, in your showroom, in your service waiting area, and in any digital channels where you interact with customers. If you collect data online (via a contact form, appointment scheduling tool, or customer portal), your privacy notice should appear before customers submit information.

Make it mobile-friendly. A lot of customers access your dealership online via phone. If your privacy notice is only readable on a desktop, you've lost half your audience.

Document Your Compliance Process

This is critical from a legal defense standpoint. Document the date you updated your privacy notice, who reviewed it, what laws you consulted, and what changes you made. Keep a copy of the old notice for your records. If you ever get audited or face a complaint, you want to be able to demonstrate that you took compliance seriously and updated your practices when regulations changed.

The Ongoing Maintenance: Keeping Your Notice Current

Privacy compliance isn't a one-time project. As your dealership evolves, your notice needs to evolve too. Add a new customer relationship management system? Update your notice to disclose how that system handles data. Start a new marketing campaign using customer phone numbers? Disclose it. Hire a third-party vendor for any purpose? Add them to your disclosure list.

Set a calendar reminder to review your privacy notice at least annually, and more often if you operate in a state whose privacy laws are changing. The regulatory landscape is moving fast, and staying ahead of it protects your dealer license and your reputation.

One practical note: keep your privacy notice separate from your terms and conditions. Customers need to be able to find it quickly without wading through 20 pages of legalese. And when you update it, make it obvious what changed. A simple "Updated [date]" note at the bottom goes a long way toward demonstrating good faith compliance.

Why This Actually Works

A solid privacy notice checklist forces you to think systematically about your data practices. It's not glamorous, but it works. Dealerships that tackle this checklist methodically tend to find compliance gaps they didn't know existed. They discover redundant data collection, unnecessary third-party sharing, or security vulnerabilities that can be fixed before they become problems.

And here's the business case: customers increasingly care about privacy. A clear, transparent privacy notice builds trust. It shows you respect their information and take their rights seriously. In a competitive market where customer loyalty matters, that's worth something.

The alternative, ignoring privacy compliance until an audit or complaint forces you to act, is expensive and damaging. FTC enforcement actions can result in civil penalties, mandatory audits, and reputational harm. State attorneys general are increasingly aggressive about privacy violations. And if customer data gets breached because you didn't have proper safeguards in place, you're looking at notification costs, potential liability, and a hit to your brand.

So use this checklist. Audit your practices. Update your notice. Get legal review. Post it prominently. Document your process. And then maintain it as your business evolves. It's not complicated, but it does require discipline and follow-through.
