The Dealer's Playbook for FTC CARS Rule Readiness

7 min read

Tags: FTC compliance, CARS Rule, data privacy, dealership safeguards, regulatory compliance


Most dealers are still treating FTC CARS Rule compliance like an optional oil change. You know the type: "We'll get to it eventually. It's probably not that serious." And then the inspection hits, or worse, the penalty letter arrives, and suddenly everyone's scrambling to figure out what customer data they're actually holding and where it's going.

Here's the reality. The FTC's Safeguards Rule updates (and the newer CARS Rule specifically targeting dealers) aren't bureaucratic theater. They're regulatory teeth, and the agency has shown it's willing to use them. If you're running a dealership in 2024 and haven't built a compliance framework around customer privacy and data security, you're betting that you won't be the one they decide to make an example of.

The good news? Compliance doesn't require a total operational overhaul. It requires structure, documentation, and honest self-assessment. Here's the playbook.

1. Understand What Data You Actually Have (And Where It Lives)

This sounds obvious, but most stores can't answer it cleanly. You've got customer personal information scattered across your DMS, your CRM, email systems, text message platforms, phone logs, service records, F&I paperwork, and probably a few spreadsheets someone created in 2019 that no one's touched since.

Start with an honest inventory. What customer data are you collecting? Names, addresses, phone numbers, email addresses, driver's license numbers, Social Security numbers, payment card information, financial information, vehicle history. Now: where does it live? Your DMS vendor's cloud server. Your local hard drives. Your service advisor's laptop. Third-party vendors you've hired to handle telematics, roadside assistance, extended warranty programs.

This audit is required under the Safeguards Rule, and it's the foundation of everything that comes next. You can't protect what you don't know you have. And you can't disclose what you can't account for.

Consider a typical scenario: a 2019 Toyota Camry comes in for service. The customer provides their phone number, email, and vehicle history. That data lives in your service RO. If you're using a modern DMS with built-in customer management, that's one database. If your service director also keeps a personal notes file and your parts manager has their own customer contact list, that's three. Add in your F&I department's separate CRM for financing customers, your text message platform's stored conversation history, and your email system's archives, and you've got at least six places where that customer's information exists. The FTC expects you to know all six.

2. Map Your Data Flows and Third-Party Relationships

Customer data doesn't stay in your dealership. It flows out to vendors, and the FTC cares deeply about where it goes.

You're sharing data with your DMS vendor, your F&I software provider, your email marketing platform, your SMS service, your telematics provider, possibly a third-party warranty company, maybe a customer feedback platform collecting CSI data. Some of these vendors have access to raw customer information. Some are processing it. Some are storing it on your behalf. All of them represent legal and security risk if they aren't properly vetted and contractually obligated to protect that data.

The CARS Rule requires that you have written agreements with these vendors that specify how they can use customer information, require them to implement reasonable safeguards, and obligate them to notify you if there's a breach. This isn't new practice. This is standard contract language. But most dealers have never reviewed it.

Go through each vendor relationship. Do you have a data processing agreement? Does your DMS vendor's contract specify that they're not selling your customer data to third parties? Does your SMS platform have encryption in transit and at rest? Can you get a copy of their security audit (SOC 2 compliance, for example)? If the answer to any of these is "I don't know," that's a compliance gap.

3. Build a Written Privacy Policy and Stick to It

The Safeguards Rule requires written policies. Not a vague commitment to "customer privacy." Actual, detailed, documented procedures that govern how you collect, use, store, and disclose customer information.

Your privacy policy should address:

  • What customer data you collect and why
  • How long you keep it
  • Who internally has access to it
  • What vendors you share it with and for what purpose
  • How customers can access or correct their information
  • How you'll notify customers if there's a breach
  • How you dispose of data when you no longer need it

The policy is a written document, but the FTC expects you to live it. If your policy says you'll delete customer data after two years, and your DMS is still holding five years of records, you've got a documented violation. If your policy says F&I staff won't share customer SSNs with vendors without written consent, and someone in your finance office is emailing SSNs to a warranty company unencrypted, you've got a breach.

The policy has to be real, and it has to be enforced. That means training your team on it, auditing compliance regularly, and updating it when your practices change.

4. Implement Reasonable Safeguards (Not Military-Grade Security, But Real Ones)

The FTC doesn't expect every dealership to hire a CISO or deploy enterprise-level encryption everywhere. But it does expect "reasonable" safeguards. That means:

  • Password requirements and access controls (not everyone needs to see every customer's SSN)
  • Encryption for data in transit and at rest where feasible
  • Regular software updates and patches on systems that hold customer data
  • Secure disposal of physical records (shredding, not dumpsters)
  • Incident response plan (who do you call if there's a breach?)
  • Regular risk assessments to identify vulnerabilities

A modern DMS with role-based access controls addresses several of these at once. Tools like Dealer1 Solutions give you a single, auditable place to manage customer data, track who's accessing it, and enforce security policies across your team. But even without fancy software, you can implement basics: change your default DMS passwords, require multifactor authentication for critical accounts, encrypt customer SSNs in spreadsheets if you have to keep them, and stop emailing payment card data unencrypted.

5. Document Everything and Audit Regularly

Compliance is only as strong as your documentation. The FTC will ask for evidence that you've implemented these controls. That means keeping records of your privacy policy, your vendor agreements, your staff training logs, your risk assessments, and your breach response procedures.

Set a calendar reminder quarterly to audit your compliance posture. Have you updated your vendor list? Have any of your third-party relationships changed? Have you trained new staff on data handling? Are your systems still logging access to sensitive customer data? This doesn't have to be elaborate. A spreadsheet tracking vendor compliance, a folder with signed agreements, and a log of staff training sessions go a long way toward showing the FTC you're taking this seriously.

6. Have a Breach Response Plan Ready

You're going to have a security incident at some point. A staff member emails customer data to the wrong address. A hard drive gets stolen. A vendor gets compromised. The question isn't if, it's when.

The CARS Rule requires that you notify affected customers without unreasonable delay if there's a breach involving their personal information. That means having a plan before it happens. Who's your incident commander? What's your notification timeline? Do you have legal counsel lined up? What information are you legally required to disclose?

Most dealers don't have this documented until they need it. Have it ready now.

Compliance with the CARS Rule and the broader Safeguards Rule isn't a one-time project. It's ongoing operational discipline. But it's far easier to build it intentionally than to scramble when the FTC shows up with questions.


Published on the Dealer1 Solutions Blog.