5 Critical CARS Rule Mistakes Dealers Make (And How They Cost You)

Tags: ftc compliance, cars rule, data privacy, dealer safeguards, regulatory risk

Most dealers think they're compliant with the FTC CARS rule right now. They're not.

Not because they're bad operators or negligent. But because the rule itself is confusing, the penalties are severe, and the guidance from Washington keeps shifting. Dealers are making real mistakes that could cost tens of thousands in fines, regulatory action, or worse: loss of their dealer license.

This isn't theory. The FTC has already started enforcement actions. And the dealers getting hit aren't the obvious bad actors—they're middle-market operations that thought they had things covered.

Myth #1: "We're fine because we don't sell used cars as new"

Wrong place to start.

The FTC Safeguards Rule (part of the CARS framework) doesn't care if you're selling one used vehicle or five hundred. It applies to every dealer. Period. The rule requires that dealers establish, implement, and maintain a comprehensive information security program to protect customer personal information and nonpublic business information.

What does that actually mean? It means you need documented safeguards. Written policies. Staff training. Incident response plans. Regular risk assessments. Most dealers don't have these documented. They have practices, maybe. But practices and policies aren't the same thing in a regulatory audit.

A typical scenario: A dealer has been running the same way for ten years. Nobody's ever had a data breach. The general manager thinks security is "fine." But when an FTC investigator arrives and asks to see the written information security program, the dealer has nothing to show. That's a violation, even if no data was actually compromised.

And here's the kicker—you can't retrofit compliance after an inspection starts.

Myth #2: "Our CRM handles all the privacy stuff automatically"

Your software is part of the solution. It's not the solution.

Plenty of dealers believe that because they use a reputable dealer management system or CRM, compliance is automatic. Wrong. The software provider's security features are just one piece. You still need to:

  • Know what personal data you're actually collecting and storing
  • Limit access to that data to employees who need it
  • Have a process for securely deleting or disposing of that data
  • Monitor for unauthorized access or breaches
  • Train your staff on data handling
  • Have a written plan for responding to a breach

The FTC expects the dealer (you) to own this. Not your software vendor. If a customer's social security number leaks because your team left a laptop unlocked in the service lane, or because someone clicked a phishing email, you're the one facing the violation.

This is exactly the kind of workflow challenge that tools like Dealer1 Solutions address, giving you a single platform where data access, user permissions, and activity logs are transparent. But even with the right tools, you still need the policies and training in place.

Myth #3: "Disclosure compliance is separate from security compliance"

They're the same thing now.

The CARS rule has two major components. One requires accurate disclosure of vehicle history, odometer readings, prior use, and damage history. The other requires safeguarding customer data. Dealers often treat these as two separate compliance boxes.

But here's where it gets dangerous: If you can't prove your information security program is working, you can't prove you haven't altered disclosure documents. And if you can't prove your data safeguards, the FTC assumes your disclosure might be falsified. The two rules are operationally linked.

Consider a real scenario. A dealer sells a 2017 Honda Pilot with 105,000 miles. The Carfax shows a prior insurance loss. The dealer discloses it. Good. But three months later, the FTC investigates because of a customer complaint about something unrelated. During the investigation, auditors find that the dealer's security program doesn't have adequate controls over who can edit vehicle records. That weakness now calls into question whether the odometer reading or damage disclosure was actually accurate. The dealer is now defending two violations instead of one.

This is why documentation matters so much. You need an audit trail. You need to be able to show that your system controls prevented tampering with disclosure information.

Myth #4: "Small dealers and one-rooftop operations don't get audited"

Actually, they do. A lot.

The FTC has enforcement resources focused specifically on smaller operations. Why? Because smaller dealers are less likely to have formal compliance programs. They're easier targets. And the FTC uses these cases to set precedent for the entire industry.

Large dealer groups get audited too, obviously. But they usually have compliance officers, legal review, and documented policies. The FTC knows that going after a 25-location group requires more resources and better evidence. Going after a five-store group that doesn't have a written information security program? That's an easier case to build and win.

And the penalties don't scale down much based on dealership size.

The FTC's recent enforcement actions have included civil penalties, injunctions, and orders to implement specific compliance programs. Dealers have also been required to hire third-party auditors to verify compliance going forward. Some have lost the ability to finance vehicles or use certain dealer services. And in cases involving intentional deception, the FTC has recommended that state regulators revoke dealer licenses.

A small operation that thinks it's flying under the radar needs to understand: You're actually more vulnerable, not less.

Myth #5: "As long as we're not selling clunkers as certified pre-owned, we're okay"

This is the most dangerous myth because it's half-true.

Yes, the CARS rule exists partly because of the odometer fraud and flood damage scandals from the 1980s and 1990s. But the rule isn't about whether you're a bad actor. It's about whether you have documented safeguards and transparent practices.

A dealer with a spotless reputation can still violate the CARS rule if:

  • They don't have a written policy on how vehicle history is obtained and verified
  • They don't disclose material prior damage even if they didn't know about it
  • They don't have controls preventing unauthorized changes to odometer records
  • They don't have a documented process for responding to customer disputes about disclosure accuracy
  • They don't train staff on what disclosures are required

Reputation doesn't count in a regulatory audit. Documentation does.

What Top-Performing Dealers Do Differently

Dealerships that stay out of compliance trouble have a few things in common.

First, they have a written information security policy that covers data collection, storage, access, retention, and disposal. It's not fancy. It's not a 50-page legal document. But it exists, it's specific to their operation, and employees have actually read it.

Second, they assign accountability. Someone on the team owns compliance. Not as a side gig on top of their other job. As an actual responsibility with time, budget, and authority. It might be the general manager at a small store, or a compliance officer at a larger group. The point is: Someone's name is on it.

Third, they document everything. Every vehicle history check. Every disclosure provided to the customer. Every staff training session. Every time someone accesses the customer database. This creates an audit trail. When the FTC investigator shows up, you have evidence that your safeguards actually worked.

Fourth, they use systems that create audit trails automatically. Manual compliance is compliance that doesn't hold up. You need software that logs who accessed what, when, and why. Tools like Dealer1 Solutions give your team a single view of every vehicle's status and every data transaction, which makes compliance documentation almost automatic.

Fifth, they update their practices as guidance changes. The FTC updates its CARS rule interpretations regularly. Good dealers subscribe to FTC alerts, review guidance documents, and adjust their practices. Bad dealers assume the rule is static.

The Real Risk: It's Not Just Fines

Most dealers think of CARS rule violations as a regulatory fine. Write a check, move on.

That's not how it works.

The FTC has authority to:

  • Issue a civil penalty (up to thousands of dollars per violation)
  • Require implementation of a compliance program, monitored by a third party at the dealer's expense
  • Restrict the dealer's ability to finance vehicles, sell extended warranties, or participate in certain dealer networks
  • Report violations to your state licensing board
  • Seek injunctive relief that changes how you operate

State regulators then have the option to suspend or revoke your dealer license. That's not a fine. That's your business.

And once you've been under FTC enforcement, every future complaint gets scrutiny. You're marked.

Where to Start

If you're reading this and thinking "We don't have most of this stuff," you're not alone. But you need to move fast.

Start by doing an honest inventory of what you actually have. Do you have a written information security policy? Do you have documented staff training on data handling? Do you have a process for responding to customer disputes about disclosure accuracy? Do you have controls preventing unauthorized edits to vehicle records?

Then build what's missing. Get legal review if you can afford it. At minimum, talk to your state dealer association. They often have templates and guidance.

Then implement it. Don't let it sit in a file. Train your team. Use software systems that create audit trails. Audit yourself regularly.

The dealers who get hit by the FTC aren't the ones who are trying. They're the ones who assume they're fine.

They're not.
