The cybersecurity and privacy demands on car dealers are growing rapidly. Car dealers, many of whom process large amounts of sensitive PII, are now required to adopt mandatory cybersecurity and privacy safeguards to protect client data. In October 2021, the FTC implemented the new requirements, along with stricter penalties for noncompliance, to the tune of $11,000 in fines per day, per incident.
A summary of the new requirements is as follows:
The new ruling requires both a financial and a time investment to reach compliance. Car dealers may engage a third party to help relieve this pressure, or bring the expertise in-house; the latter is the more costly option.
If you engage in activities such as providing leases, loans, or other financial services or advice, any personal information you collect in order to provide those services is covered by the Privacy Rule. The biggest impact the regulation can have on dealers is the fines: $11,000 per day, per incident.
Car dealers are subject to the requirements of the Privacy Rule if they:
Even if the individual in question does not submit an application in the traditional sense, you are still subject to the requirements of the Privacy Rule if you gather personal information about them in connection with the possible financing or leasing of a vehicle. If a person buys a car with cash, or arranges financing on their own through another lender, the Privacy Rule does not apply to you, because you have not provided a financial service in that transaction.
A person who merely expresses interest in purchasing a car from you, or makes basic inquiries about financing or leasing, does not trigger any requirement to provide a privacy notice. However, if a person gives you their personal information in connection with a potential transaction, even without completing a formal application (for instance, to get a quote on a financing package), you may have other obligations under the Rule. Please refer to Question 3 for further clarification.
The answer depends on whether the individual in question is a “consumer” or a “customer,” two terms the Privacy Rule defines differently. When a person provides personal information to you in the context of possibly financing or leasing an automobile from you, that person becomes a “consumer.” You are required to provide consumers with a privacy notice (as well as an opt-out notice) only if you intend to disclose their personal information to third parties that are not affiliated with your organization.
There are, however, some exemptions to this requirement, which the Privacy Rule sets out in sections 313.14 and 313.15. These exemptions include disclosures made with the consumer’s consent, disclosures necessary for law enforcement purposes, and disclosures made to carry out a transaction the consumer requested. When a person enters into a purchase agreement with you to buy a car and you either extend credit to them or arrange for someone else to extend it, that person becomes a “customer.” A person who signs a lease agreement with you is likewise a “customer,” in the sense that they are obtaining a product or service from you. Even if you do not intend to share a customer’s personal information with any third parties, you are still required to provide them with a privacy notice before the retail installment contract or lease agreement is signed. This applies whether you are leasing to them or arranging credit for them.
You are subject to the requirements of the Privacy Rule if you lease automobiles on a non-operating basis and the initial term of the lease is at least ninety days. A “non-operating” lease is one that does not include maintenance or repair services, in contrast to, for instance, a car rental. The guidelines presented in Question 3 also apply to you when determining whether you are required to provide a person with a privacy notice.
In principle, the Privacy Rule covers any personally identifiable information you collect in the process of financing or leasing a vehicle for a person’s personal, family, or household use. It does not, however, cover the following:

- personal information obtained in the course of a sale that you do not help to finance (for example, where the individual secured their own financing or paid in cash);
- sales figures that do not contain personal information; and
- general retail sales data that is not derived from information about how individuals financed or leased their cars.
To give an example of how this works: the Rule does not apply to a list of all the retail customers who have purchased automobiles from you, provided that the list does not disclose how the customers paid for their vehicles and is not derived from any information about how the purchasers financed their purchases. If, on the other hand, the list indicates which customers financed or leased their vehicles, then it is covered by the Rule. A list of individuals who have applied to you for automobile financing or leasing is also covered.