FTC CARS Rule Compliance Checklist That Actually Works for Dealerships

6 min read
Tags: FTC compliance, CARS rule, dealer privacy, data safeguards, legal compliance

The FTC issued the Standards for Safeguarding Customer Information (the Safeguards Rule) in 2002 under the Gramm-Leach-Bliley Act. Nobody outside compliance departments paid much attention. Fast forward to 2024, and the amended Safeguards Rule, together with the FTC's newer CARS Rule (Combating Auto Retail Scams, which targets deceptive pricing and add-on practices in vehicle sales), has become something every dealership needs to take seriously. The checklist below is about the Safeguards Rule: that is the rule that governs how you protect customer data.

The problem? Most dealers don't.

We see it constantly. A service director gets a vague email about "new FTC rules." It gets forwarded to someone in the office who thinks it might be about credit cards. Nobody actually reads the regulation. Months pass. Then either a customer complaint lands or an auditor shows up, and suddenly your dealership is scrambling to prove you're handling privacy and customer data the way the FTC expects.

This doesn't have to be your story.

Why the FTC CARS Rule Matters Right Now

The amended Safeguards Rule took full effect in June 2023, and it has teeth. This isn't a recommendation. It's a legal requirement. Dealerships that extend or arrange financing are "financial institutions" under the Gramm-Leach-Bliley Act, so the rule applies no matter what size you are. (Dealers that hold information on fewer than 5,000 consumers are excused from a few of the written-documentation elements, such as the annual board report and the penetration-testing requirement, not from the rule itself.)

Here's what changed. The rule now requires dealerships to have a documented information security program: a written program built on a written risk assessment, with a named person in charge, access controls, encryption of customer information in transit and at rest, multi-factor authentication, secure disposal, oversight of service providers, and a written incident response plan. Since May 2024 it also requires notifying the FTC of breaches of unencrypted customer data affecting 500 or more consumers. Not vague promises. Actual documentation. And the FTC has been clear: if you can't produce evidence that you comply, you're exposed to significant legal risk, potential civil penalties, and reputational damage.

Dealerships handle customer data constantly. Vehicle history. Payment information. Phone numbers. Email addresses. Driver's license numbers. Home addresses. Social Security numbers if you're financing. The rule calls all of this "customer information." This data is valuable. Criminals know that. The FTC knows that. And the FTC expects you to protect it like it matters.

The Compliance Checklist That Actually Works

We've seen what works and what doesn't. Below is a practical checklist that dealership leadership can actually implement, not some theoretical ideal.

Step 1: Document Your Information Security Program

Start here. You need a written information security program (the rule's term), built on a written assessment of the risks to the customer information you hold.

  • Create a single document (or short handbook) that describes how your dealership collects, uses, stores, and disposes of customer information
  • Identify who has access to sensitive data (office staff, service advisors, finance managers, technicians)
  • Document where customer data is stored (computers, servers, cloud platforms, paper files)
  • List all third-party vendors who touch customer data (payment processors, lenders, software providers, dealership management systems)
  • Assign one person (not a committee) as the point person for privacy and security. The rule calls this role the Qualified Individual; it can be an employee or a contractor, but the dealership stays responsible either way. Give them the authority to enforce the policy

This doesn't need to be 40 pages. It needs to be real. A typical dealership can document this in 5-10 pages and be credible about it.

Step 2: Access Controls and Data Minimization

Not every employee needs to see every customer record.

  • Service records don't need Social Security numbers; only the finance desk, during a credit application, does
  • Technicians don't need complete payment histories
  • Front desk staff don't need credit card numbers for a recall appointment
  • Set user permissions based on job function only (and actually enforce them in your systems, with no shared logins)
  • Require a login on every workstation and lock it when idle. Yes, still. (And it's shocking how many dealerships don't.)
  • Use multi-factor authentication for anyone accessing a system that holds customer data. The rule requires it for every such system, not just cloud tools
  • Remove access immediately when someone leaves the dealership, and review who still has access at least annually

Say you're a typical five-location group. One technician shouldn't be able to pull customer payment data from a store 200 miles away just because they know a shared username. Control who sees what. Document why. And log who looked at what, because the log is how you prove the controls work.
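What "set permissions by job function and actually enforce them" looks like in code, as an added example (this is illustrative code, not Dealer1 Solutions code, and not a description of any particular DMS). The roles, field names, store names, sample customer record and users are all constructed for the example; the point is the shape of the checks: deny by default, filter fields by role, scope technicians to their own store, require MFA, disable leavers, and write every attempt to an audit log you can review later.

```python
"""Job-function and store-scoped access to customer records, with an audit trail.

Added example, not Dealer1 Solutions code. Roles, field names, stores, the
sample record and the users are constructed for illustration; in a real
dealership these rules live in the DMS and identity provider.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fields each job function may see. Anything not listed is withheld.
# (Assumed roles and field names; adjust to your own systems.)
BASE_FIELDS = {"customer_id", "store"}
ROLE_FIELDS = {
    "finance_manager": {"name", "phone", "email", "address", "ssn",
                        "payment_history", "vehicle"},
    "service_advisor": {"name", "phone", "email", "vehicle", "service_history"},
    "technician": {"vehicle", "service_history"},
    "front_desk": {"name", "phone", "email", "vehicle"},
}
# Roles allowed to read records that belong to another store in the group.
CROSS_STORE_ROLES = {"finance_manager"}


@dataclass
class User:
    username: str
    role: str
    store: str
    active: bool = True         # flipped to False the day someone leaves
    mfa_verified: bool = False  # the Safeguards Rule requires MFA for access


@dataclass
class AccessDecision:
    allowed: bool
    reason: str
    record: dict = field(default_factory=dict)


AUDIT_LOG: list[dict] = []  # what you review in your periodic audit


def read_customer_record(user: User, record: dict, purpose: str) -> AccessDecision:
    """Deny-by-default, least-privilege read of one customer record; logs every attempt."""
    if not user.active:
        decision = AccessDecision(False, "account disabled")
    elif not user.mfa_verified:
        decision = AccessDecision(False, "MFA not completed")
    elif user.role not in ROLE_FIELDS:
        decision = AccessDecision(False, f"unknown role {user.role!r}")
    elif record["store"] != user.store and user.role not in CROSS_STORE_ROLES:
        decision = AccessDecision(False, "record belongs to another store")
    else:
        visible = BASE_FIELDS | ROLE_FIELDS[user.role]
        decision = AccessDecision(True, "ok", {k: v for k, v in record.items() if k in visible})
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user.username, "role": user.role, "user_store": user.store,
        "customer_id": record["customer_id"], "record_store": record["store"],
        "purpose": purpose, "allowed": decision.allowed, "reason": decision.reason,
    })
    return decision


def deprovision(user: User) -> None:
    """Remove access the day someone leaves; later reads are denied and still logged."""
    user.active = False
    user.mfa_verified = False


def cross_store_attempts(log: list[dict]) -> list[dict]:
    """Audit helper: every attempt to read another store's record, allowed or denied."""
    return [e for e in log if e["record_store"] != e["user_store"]]


# Constructed sample record (fake data) for a customer of the north store.
SAMPLE_RECORD = {
    "customer_id": "C-1001", "store": "store-north",
    "name": "Example Customer", "phone": "555-0100", "email": "customer@example.com",
    "address": "1 Example St", "ssn": "000-00-0000",
    "payment_history": ["2024-01 paid", "2024-02 paid"],
    "vehicle": "2019 sedan", "service_history": ["oil change"],
}

if __name__ == "__main__":
    tech_south = User("tech.south", "technician", "store-south", mfa_verified=True)
    tech_north = User("tech.north", "technician", "store-north", mfa_verified=True)
    fm_south = User("fm.south", "finance_manager", "store-south", mfa_verified=True)
    for u in (tech_south, tech_north, fm_south):
        d = read_customer_record(u, SAMPLE_RECORD, "service appointment")
        print(u.username, d.allowed, d.reason, sorted(d.record))
    deprovision(fm_south)
    print(read_customer_record(fm_south, SAMPLE_RECORD, "lookup").reason)
    print(len(cross_store_attempts(AUDIT_LOG)), "cross-store attempts logged")
```

Two design points worth carrying into a real system: the field filter is an allow-list (a new column added to the DMS is hidden until someone decides who may see it), and denials are logged just like successes, so the audit review in Step 6 can see who tried to reach across stores, not only who succeeded.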

Step 3: Inventory Your Vendors and Contracts

The FTC cares about your entire ecosystem, not just what happens in-house.

  • List every software vendor you use (DMS, accounting software, email marketing, CRM tools, scheduling platforms)
  • Check your contracts with each vendor: do they commit to protecting customer data? Most do, but you need to verify, and the rule requires the contract to say so
  • Verify that your payment processor is PCI DSS compliant (ask for its current Attestation of Compliance)
  • Know who has access to your dealership management system and what data they can see
  • Establish a process to audit vendor security annually (or quarterly if you're serious about this)

This is exactly the kind of workflow Dealer1 Solutions was built to handle, incidentally. When everything (inventory, customer data, estimates, parts management) sits in one system with permission controls, you have a clear line of sight into who accesses what and when.

Step 4: Create a Data Breach Response Plan

Hope for the best. Prepare for the worst.

  • Write down what you'll do if customer data is compromised (stolen, lost, accidentally shared)
  • Who do you notify? (Legal counsel first. The FTC must be told if unencrypted customer information for 500 or more consumers was acquired without authorization. Affected customers get notice under your state's breach-notification law)
  • What's your timeline for notification? (The FTC's deadline is as soon as possible and no later than 30 days after you discover the event; state laws set the customer deadlines)
  • Who on your team handles the response? (Assign someone now, not during the crisis)
  • Keep records of any incidents, even small ones, for compliance documentation

Having this plan written down won't prevent a breach. But it protects your dealership when one happens.
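A small triage helper for the FTC notification decision, as an added example (not Dealer1 Solutions code). It encodes the threshold in the 2023 amendment to the Safeguards Rule (16 CFR 314.4(j)): a "notification event" is unauthorized acquisition of unencrypted customer information affecting 500 or more consumers, where encrypted data counts as unencrypted if the key was taken too, and the FTC must be notified as soon as possible and no later than 30 days after discovery. The incident records below are constructed, and the state-law customer notice is left as a step to check rather than modelled.

```python
"""Breach triage for the Safeguards Rule's FTC notification duty.

Added example, not Dealer1 Solutions code. Thresholds follow 16 CFR 314.4(j)
(500 consumers, 30 days from discovery). Incident data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

FTC_CONSUMER_THRESHOLD = 500   # consumers affected
FTC_WINDOW_DAYS = 30           # days from discovery to FTC notice


@dataclass
class Incident:
    incident_id: str
    discovered: date
    affected_consumers: int
    data_encrypted: bool
    key_compromised: bool = False   # only matters when data_encrypted is True
    description: str = ""


def is_notification_event(inc: Incident) -> bool:
    """Encrypted data whose key was also taken is treated as unencrypted."""
    effectively_unencrypted = (not inc.data_encrypted) or inc.key_compromised
    return effectively_unencrypted and inc.affected_consumers >= FTC_CONSUMER_THRESHOLD


def ftc_deadline(inc: Incident) -> Optional[date]:
    """Latest date for the FTC notice, or None if the rule's threshold is not met."""
    if not is_notification_event(inc):
        return None
    return inc.discovered + timedelta(days=FTC_WINDOW_DAYS)


def triage(inc: Incident, today: date) -> dict:
    """Build the response record; produced for every incident, not only reportable ones."""
    deadline = ftc_deadline(inc)
    steps = ["contain the incident and preserve logs and evidence",
             "brief legal counsel"]
    if deadline is not None:
        steps.append(f"notify the FTC no later than {deadline.isoformat()}")
    steps += ["check state breach-notification law for customer notice duties",
              "file this record in the incident register"]
    return {
        "incident_id": inc.incident_id,
        "notification_event": deadline is not None,
        "ftc_deadline": deadline.isoformat() if deadline else None,
        "days_left": (deadline - today).days if deadline else None,
        "overdue": deadline is not None and today > deadline,
        "next_steps": steps,
    }


INCIDENT_REGISTER: list[dict] = []   # kept for every incident, even small ones


def record_incident(inc: Incident, today: date) -> dict:
    entry = triage(inc, today)
    INCIDENT_REGISTER.append(entry)
    return entry


if __name__ == "__main__":
    # Constructed incidents: a lost unencrypted laptop and a misdirected email.
    laptop = Incident("INC-1", date(2024, 6, 3), 1200, data_encrypted=False,
                      description="finance laptop stolen from a vehicle")
    email = Incident("INC-2", date(2024, 6, 3), 40, data_encrypted=False,
                     description="deal jacket emailed to the wrong customer")
    for inc in (laptop, email):
        rec = record_incident(inc, date(2024, 6, 10))
        print(rec["incident_id"], rec["notification_event"], rec["ftc_deadline"], rec["days_left"])
```

The two things this gets right that ad-hoc responses usually get wrong: the 30-day clock starts at discovery, not at the end of the investigation, and an encrypted-data incident is not automatically off the hook if the key went with it.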

Step 5: Train Your Team on Privacy and Data Handling

Policies don't work if people don't follow them.

  • Annual training on customer privacy for all staff who handle personal information
  • Make it clear what data is sensitive and why it matters
  • Show people the consequences: fines, lawsuits, brand damage
  • Provide clear rules: don't share customer info via personal email, lock your computer when you step away, don't discuss customer details with non-employees
  • Hold people accountable when they violate the policy

One slip-up can be a data breach. Training reduces the odds.

Step 6: Audit and Update Regularly

Compliance isn't a one-time project.

  • Review your security program twice a year (quarterly is better), and update it whenever you change systems or learn something from an incident
  • Check that people are actually following the rules you documented
  • Update your vendor list when you add or remove software
  • Test your data breach response plan (walk through the scenario)
  • Have your Qualified Individual give ownership or the board a written report at least once a year on the state of the program; the rule requires it
  • Keep records of every audit, update, and training session. The FTC will ask for proof

The dealers who get this right treat compliance like they treat vehicle maintenance. You don't fix the brakes once and expect them to last forever.

The Disclosure Piece Matters Too

Disclosure is covered by the Safeguards Rule's companion, the GLBA Privacy Rule, which requires a clear notice about how you collect, use, and share customer information. (The CARS Rule's disclosures are about pricing and add-on products, not data.)

  • Have a privacy notice visible to customers (in-store, on your website, at the service desk), and give financing customers the notice when the relationship starts
  • Tell customers what data you collect, why you collect it, and who you share it with
  • Make it readable. Not legal boilerplate that nobody understands
  • Keep a copy on file showing when you posted it and where

This isn't optional. It's part of the rule.

Your Dealer License Is on the Line

Here's what keeps dealership principals up at night but often doesn't register with their teams: the downside isn't just a fine. The FTC can sue, seek civil penalties, and put your dealership under a consent order with years of mandated assessments. Your dealer license is issued by your state motor vehicle regulator, not the FTC, and that regulator can act against it for a pattern of violations. A public FTC action is exactly what state licensing boards notice.

That won't happen for a missing password on a single computer. But a pattern of negligence? Inadequate safeguards? Failing to disclose to customers how you use their data? That's dangerous.

The good news is that compliance is manageable if you approach it systematically. For most dealerships it doesn't require turning IT into a fortress. (Dealers holding information on 5,000 or more consumers do need annual penetration tests and vulnerability scans at least every six months, or continuous monitoring, which usually means bringing in an outside tester.) It requires documentation, common sense, and accountability.

Start with the checklist above. Assign responsibility. Review it quarterly. You'll sleep better. And if an auditor or a customer complaint ever lands on your desk, you'll have proof that your dealership takes privacy seriously.

