Syncing 10,000 leads/mo? GET A DEMO

A guide to the FTC car dealerships’ new lead generation rules

ftc car dealerships

To any automotive, motorcycle, RV, and powersports dealership in the country, June 9, 2023 wasn’t just any day in the calendar. It was probably marked in red as the day when everything changed.

According to the FTC Safeguards Rule, auto dealers now have to comply with a new set of guidelines with the aim of better protecting their customers’ personal information from cyber attacks.

This article is a “dealer guide” to the FTC Safeguards Rule, to help you:

  • Learn who is covered by the new regulations;
  • What are the steps to guarantee compliance;
  • What this all entails for auto dealerships;
  • And how you can optimize your automotive lead generation campaigns thanks to LeadsBridge.

What is the FTC Safeguards Rule?

The Federal Trade Commission’s Standards for Safeguarding Customer Information – the Safeguards Rule, for short – is a set of regulations that require financial institutions to develop and implement a comprehensive information security program.

The purpose of the Safeguards Rule is to protect the security, confidentiality, and integrity of customers’ Personally Identifiable Information (PII) from cyberattacks, identity theft, and other forms of fraud.

What businesses fall under the Safeguards Rule? 

The Safeguards Rule applies to all financial institutions that are subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act

A business can be identified as a “financial institution” if it’s engaged in an activity that is “financial in nature” or is “incidental to such financial activities.”

As listed in Section 314.2(h) of the regulation, here are a few examples of the kinds of entities that are considered financial institutions under the Safeguards Rule:

  • Mortgage lenders
  • Payday lenders
  • Finance companies
  • Mortgage brokers
  • Account servicers
  • Check cashers
  • Wire transferors
  • Collection agencies
  • Credit counselors and other financial advisors
  • Tax preparation firms
  • Non-federally insured credit unions
  • Investment advisors

Considering that buying or leasing a car is one of the biggest financial transactions for many consumers (aside from buying a house), the FTC Safeguards Rule involves auto dealers as well.

Why you should comply with the new FTC car dealerships rules

The main reason why the FTC regulations for auto dealers should be taken very seriously from now on is this number right here: $50,125. This is the maximum amount per incident that the FTC can fine you.

Take a moment to think about how many items of PII (current and past) you and your staff have on your computers, phones, and business systems. This includes driver’s licenses, insurance cards, ID’s, and any other document that has a customer’s name along with additional information about them. 

It may be hundreds, if not thousands. Now take that number and multiply it by $50,125. Considering that each of those PII items counts as an individual incident, that is a lot of money for a dealership owner to have to pay.

Then, how can you avoid that?

FTC regulations for auto dealers: What to do

The new FTC Safeguards Rule requires dealerships to implement an information security program – a set of procedures and guidelines – that they have to follow in order to protect their customers’ information from unauthorized access or data breaches.

According to the FTC car dealerships cybersecurity regulations, “customer information” is “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” Basically: Information about your own customers and information about customers of other financial institutions that have provided that data to you.

Your information security program has to be written down, and it must be drafted taking into consideration the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information you handle. To know exactly what this means for your business, you should consult with your legal advisor.

Here is a set of FTC car dealerships’ guidelines that auto dealers will be required to follow.

Implement access controls

You must implement and periodically review access controls. Meaning, you need to determine who can access customers’ information and how they can access it. For example, your company may require employees to log in with a unique user ID and password, or use an electronic key card system. Once access controls are in place, remember to review them regularly.

Keep an inventory

Know what information you have and where you keep it. You need to have a clear understanding of your company’s information ecosystem. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. Keep an accurate list of all systems, devices, platforms, and personnel.

Encrypt information in transit and at rest

Encryption is a process of transforming comprehensible data into an incomprehensible format. This way, anyone who does not have the key won’t be able to access the information. Out of all the FTC car dealerships rules, this is probably the one that most auto dealers are not prepared for: The end-to-end encryption requirement for everything in transit and at rest over external and internal networks.

Every item of PII that is shared digitally between the consumer and the dealership must be encrypted in transit, which means that from now on – in order to be FTC compliant – sales staff will no longer be able to transfer PII via unencrypted text or email. Additionally, utilizing services that hide your IP can further ensure anonymity and protection online.

Auto dealers will have to resort to alternative solutions like, for example, encrypted email services. Or, they could direct their customers to provide the information via phone call or directly on a website.

Assess your custom apps

If your business has developed custom applications that store, access, or transfer customers’ data, make sure they meet FTC compliance standards for auto dealerships.

Implement MFA

You’re required to implement Multi-Factor Authentication (MFA) to access your business’s applications or customers’ data. In addition to username and password, MFA adds an extra layer of security by requiring users to provide one more authentication factor – which can be a one-time code or biometric characteristics – when logging in.

Dispose of customer information securely

You’re allowed to hold on to certain records no longer than two years after your most recent use of it. After that, you’re required to take secure measures to destroy it.

Anticipate and evaluate changes to your information systems

If you’re planning on changing your information systems – which include new equipment, technology, software, updates, or personnel changes – you have to evaluate how that could affect customer information security, and take measures to make sure you’re still compliant with the new FTC motor vehicle trade regulation rule.

Keep an access log

You’re required to put in place a log system to monitor when authorized users access customers’ data, and to keep an eye on potential unauthorized access.

Please note that these guidelines are not comprehensive. The best way to ensure compliance is to have your legal and compliance teams complete a thorough review of these new FTC regulations.

Automate your dealership’s lead generation with LeadsBridge integrations

With the added complexities of the FTC car dealerships regulations, auto dealers will have to find solutions to help them make their lead generation activities easier and faster.

Thankfully, LeadsBridge offers a number of industry-specific integrations to help auto dealerships share their lead data across their marketing stack safely, automatically, and in real time.

The way it works is very easy: by connecting your martech stack with LeadsBridge’s integrations, whenever a lead fills out a form (either on an advertising platform, or on your website), that lead will be automatically sent to your CRM, email marketing software, autoresponder, or any other marketing tool, in real time.

Check out our most popular integrations for the automotive industry.

ADF/XML – while being one of the most popular tools for auto dealerships – is under scrutiny  right now because it uses a non-encrypted transfer mechanism which could be vulnerable to interception or unauthorized access.

But don’t fret. ADF/XML also works via HTTPS – which is secure – and via email.

The LeadsBridge integration for ADF/XML via email uses a TLS encryption, which helps make it more compliant to the FTC car dealerships security requirements, as long as the destination system accepts minimum TLS v1.2 encryption standard.

However, if the destination doesn’t accept this kind of encryption, then the ADF/XML standard allows previous TLS versions to be used at reduced security effectiveness. But only when this specific instance occurs.

Explore all automotive integrations here

Our automated integrations allow you to take immediate action on your newly acquired leads, giving you a huge head start over the competition. Not to mention, they free you from having to manually download and upload data into different platforms, giving you back the time you need to push your leads through the funnel.

The best part? Our integrations are 100% CCPA compliant. Why? Because we never store any of your lead data, we just pass it through across your platforms, which helps you maintain compliance with the new regulations mentioned above.

If you’re looking for some inspiration on how to best advertise your auto dealership, check out these articles below:

Final thoughts

The way auto dealerships are going to approach lead generation from now on is never going to be the same. With the FTC car dealerships new regulations in place, auto dealers will have to be very careful with how they handle their customers’ data. In order to avoid heavy fines – with a maximum of $50,125 per incident – they will have to put in place safety measures to help their businesses guarantee FTC compliance.

Thankfully, LeadsBridge automated integrations can help you share lead data across platforms safely, automatically, and in real time.

Explore all of our automotive integrations here and start automating with LeadsBridge!

Marialuisa Aldeghi

Try LeadsBridge now!