FTC Privacy Notice Updates: What's Changed, What Dealers Are Missing, and Why Your Dealer License Depends on It
Back in 1970, the Fair Credit Reporting Act was brand new, and most car dealers were still filing customer paperwork in cardboard boxes. The idea that you'd someday need to tell customers exactly how you're handling their data would've seemed absurd. But here we are, nearly 55 years later, with the FTC cracking down harder than ever on how dealerships collect, store, and protect customer information.
If you haven't updated your privacy notice recently, you're sitting on legal risk that could tank your dealer license faster than a transmission failure in a flood lot. The landscape shifted again in 2023, and frankly, a lot of dealers are still scrambling to keep up.
What Actually Changed (And What Dealers Keep Getting Wrong)
The FTC's Safeguards Rule updates, which took full effect in June 2023, tightened requirements around data security and customer disclosure. Most dealers understand they need a privacy policy. What they often miss is that the new rules require much more specific language about what happens to customer data once they hand it over.
Here's the honest version: your old privacy notice probably isn't cutting it anymore.
The updated Safeguards Rule requires that you disclose your actual security practices to customers. That means spelling out things like whether you're encrypting customer data, how long you're holding onto information, who has access to it, and what happens if there's a breach. It's not enough to say "we keep your information safe." You need to explain the actual safeguards you've implemented.
Say you're a typical 30-unit franchise running customer files through a CRM system (whether that's Dealer1 Solutions, traditional dealer management software, or even spreadsheets that should've been retired in 2015). You need to tell customers exactly how that system works, how it's secured, and what third parties can see their data. Do your finance managers share customer SSNs with lenders? Do your service writers upload photos of customer vehicles to cloud storage? Does your F&I manager send signed documents to email addresses? All of this needs disclosure.
The part dealers often skip: the FTC expects you to keep this notice current. If your security practices change, your privacy notice has to change with them. Posting a notice from 2019 isn't compliance. It's a paper trail showing negligence.
The Disclosure vs. Reality Problem
Here's where a lot of dealers get themselves into trouble (and honestly, it's the kind of thing that keeps compliance officers up at night). You write a privacy notice that says you're implementing industry-standard security measures. Then an auditor asks what those actually are, and your answer is "uh, we use passwords?"
That disconnect between what your notice promises and what you're actually doing is how you lose your dealer license.
The FTC has been increasingly aggressive about enforcement. Between 2023 and 2024, they've pursued cases against several major auto retail chains for vague or misleading privacy disclosures. The pattern is the same every time: a dealership collects customer data, claims to safeguard it, and fails to actually implement the safeguards it disclosed. Then a breach happens or gets discovered, and the FTC comes in asking hard questions about why your notice didn't match your reality.
Your privacy notice needs to be a true reflection of what your dealership actually does. Not what you aspire to do. Not what you plan to do next quarter. What you do right now.
What Hasn't Changed (But Dealers Still Mess Up)
The fundamentals haven't shifted as much as people think. You still need customer consent to collect personal information. You still can't share data with third parties without disclosure. You still need to maintain accurate records of who has access to what.
What's new is the enforcement teeth. The FTC has upgraded their monitoring capabilities, and dealer groups are now on their radar in ways they weren't five years ago. If you're operating multiple locations, each one is technically liable for its own compliance posture.
And here's the thing that catches a lot of smaller dealers off guard: your privacy notice needs to be accessible. Not buried in fine print on your website's footer. Not written in legal jargon that requires a law degree to parse. Customers should be able to understand it. Regulators definitely will be reading it, and they're not impressed by complexity that obscures transparency.
The Paper Trail Problem
One of the biggest vulnerabilities isn't even about your current practices. It's about documentation. The Safeguards Rule requires you to maintain records showing that you've implemented your stated security measures. That means audit logs, employee training documentation, vendor contracts with data-handling clauses, and evidence that you're actually reviewing and updating your privacy practices.
If you get audited and can't produce records showing you reviewed your security practices in the last 12 months, that's a violation. If you can't show that employees were trained on data handling, that's another one. The FTC doesn't just care about what you do. They care that you can prove you did it.
This is exactly the kind of workflow that dealership operations software was built to handle. Tools like Dealer1 Solutions give your team a single audit trail of who accessed customer data and when, which makes it infinitely easier to document compliance during an inspection.
What You Need to Do Right Now
First, review your current privacy notice. Print it out. Read it. Does it accurately describe how your dealership handles customer data? If you're not sure, that's already a problem.
Second, identify where customer data lives. Your DMS. Your CRM. Your email. Your text messaging platform. Cloud storage. That spreadsheet in the F&I office (you know the one). Document who has access to each of these systems and what data they contain.
Third, audit your actual security practices. Are you using encrypted email? Password managers? Two-factor authentication? Are customer files in locked cabinets or left on desks? These aren't rhetorical questions. You need real answers. Document them.
Fourth, update your privacy notice to reflect that reality. Then put it in front of every customer. Not just at the dealership. On your website. In your follow-up communications. Make it obvious.
Finally, establish a process to review and update this notice annually. Make it somebody's job. Compliance is ongoing, not a one-time checkbox.
The Dealer License Angle
Here's the part that should light a fire under your operation: state dealer boards are increasingly coordinating with the FTC on privacy enforcement. A privacy violation that triggers an FTC investigation can absolutely result in your dealer license being challenged or revoked. It's not a fine you pay and move on. It's a regulatory action that affects your ability to sell cars, period.
So this isn't a "nice to have" compliance thing. This is a protect-your-business thing.
The dealers staying ahead of this are treating privacy compliance like they treat inventory management. It's systematic. It's documented. It's reviewed regularly. And it's absolutely aligned with what they're telling customers.
Your privacy notice is a legal document. Treat it like one.