Auto Dealerships and Service Providers: Managing Compliance Under the Amended Safeguards Rule
On December 9, 2021, the Federal Trade Commission (FTC) revised what is known as the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA), which regulates the data privacy practices of financial institutions. Among several other changes, the revised rule requires auto dealerships to more intentionally oversee the data privacy and security practices of their service providers. Although these regulations were finalized nearly a year ago, the FTC gave dealerships, their service providers and others subject to these rules one year to come into compliance. With December 9, 2022 right around the corner, it is time for dealerships and service providers that have not yet addressed these rules to consider how to structure their relationship for compliance.
To start down this path, dealerships should assess what types of information they share with their service providers and service providers should assess what types of information they receive from dealerships. Importantly, the GLBA is not only concerned with personally identifiable information like names paired with phone numbers, addresses or other identifiers but extends its scope to what it terms “customer information,” which is broad enough to cover any information about a consumer resulting from any transaction involving a financial product or service between the dealership and the consumer. Even the fact that an individual has been a dealership’s customer qualifies under this broad term.
Likewise, service providers – “any person or entity that receives, maintains, processes or otherwise is permitted access to customer information through its provision of services” to dealerships – should identify the types of customer information they receive from dealerships, what they do with it and how it is stored and protected.
Taking these initial steps now is critical to being well-positioned to meet the FTC’s December compliance deadline for the updated Safeguards Rule requirements. As noted above, one of the several new data security requirements for dealerships is to oversee service providers. This includes:
Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue;
Requiring service providers by contract to implement and maintain such safeguards; and
Periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards.
In discussing these oversight requirements, the FTC rejected a “one-size-fits-all approach,” given the variation among service providers. The Commission did make clear, however, that the new regulations would require institutions like dealerships to “assess the risks service providers present and evaluate whether they continue to provide the safeguards required by contract,” emphasizing the importance of adequate data privacy and security safeguards built into these relationships through contracts.
The FTC has become notably more aggressive in the data privacy and security context. Since the GLBA authorizes fines up to $100,000 against non-compliant entities per violation and up to $10,000 against officers and directors in their personal capacities per violation, dealerships have ample incentive to comply with the GLBA’s new requirements outlined above. Given the importance of those contractual safeguards and the absence of clearly prescribed contractual requirements, dealerships and service providers will be best prepared to negotiate efficient, effective and compliant contractual safeguards by first understanding the nature and extent of any customer data exchanged between the parties and designing reasonable safeguards accordingly.