Recently issued guidance from the Federal Trade Commission (FTC) addresses frequently asked questions about how the agency’s Safeguards Rule, 16 C.F.R. § 314.1 et seq., applies to new car dealers following the 2023 overhaul of that rule. The guidance also reaffirms the FTC’s 2005 guidance to new car dealers on the agency’s Privacy Rule, 16 C.F.R. § 313.1 et seq., and addresses how dealers should handle information received from consumers and customers in connection with financing a vehicle purchase. Notably, the guidance confirms that Original Equipment Manufacturers (OEMs) that receive basic customer information from dealers, such as names and addresses used to activate warranties and send recall notices, typically are not “service providers” to dealers under the Safeguards Rule.
Safeguards Rule Applies to “Financial Institutions”
At the direction of Congress in the 1999 Gramm-Leach-Bliley Act, the FTC first adopted the Safeguards Rule, effective in 2003, to require “financial institutions” to implement data security safeguards to protect customer information. The FTC amended the Safeguards Rule in 2021 to require financial institutions to adopt written information security programs and to implement specified minimum safeguards (for example, access controls, encryption of customer information in transit and at rest, and multi-factor authentication) consistent with current technology. A 2023 amendment added a breach notification requirement: a financial institution must notify the FTC as soon as possible, and no later than 30 days after discovery, of a “notification event,” meaning the unauthorized acquisition of unencrypted customer information involving at least 500 consumers.
The Safeguards Rule broadly provides that any “institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.” The FTC’s recent guidance states that “dealers who finance (or facilitate the financing of) automobiles for consumers are financial institutions for purposes of the Safeguards Rule, since lending money is considered a financial activity.” The Safeguards Rule itself lists, as an example of a financial institution, a dealership that, as a usual part of its business, leases vehicles for longer than 90 days, because “leasing personal property . . . is a financial activity.”
Most new car dealers engage in financing or leasing activity and are therefore subject to the Safeguards Rule. As such, they must adopt a written information security program sufficient to protect “customer information,” i.e., nonpublic personally identifiable financial information that customers provide to obtain financing or a lease. Customer information also includes information derived from such financial information, such as a list of all customers who financed their new car purchase through the dealer. The FTC’s recent guidance explains that certain information in a dealer’s possession, such as applications for financing and spreadsheets listing the names and addresses of customers who financed or leased vehicles, is always covered by the Safeguards Rule, while other information, such as general sales data reports and vehicle service and maintenance records, does not qualify as “customer information.”
OEMs Typically Are Not “Service Providers”
Under the Safeguards Rule, a financial institution that discloses customer information to a “service provider,” i.e., any person or entity that receives customer information “through its provision of services directly to a financial institution,” must oversee that service provider: it must select providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically assess the provider’s safeguards. OEMs that receive information from dealers are not “service providers” unless they are providing services to dealers in connection with the dealers’ financing or leasing activity. Merely providing an OEM with a list of customer names and addresses, or submitting Retail Delivery Reports that contain customer names, addresses, and Vehicle Identification Numbers (VINs) so the OEM can activate warranties and send recall notices, does not trigger any obligations under the Safeguards Rule or the Privacy Rule. Likewise, providing OEMs with records of vehicle service histories does not trigger any obligations under these rules.
The FTC’s recent guidance further clarifies that even if a dealer commingles “customer information” (e.g., Social Security numbers and other personal financial information) with other information (such as the names and addresses of all vehicle purchasers) in a single database, a list generated from that database consisting only of the names and addresses of everyone who purchased a vehicle from the dealer is not “customer information” subject to the Safeguards Rule or the Privacy Rule, so long as the list does not indicate that the individuals sought or obtained financing or leasing from the dealer and does not include other nonpublic personal information about them. The practical caveat for dealers is that the exemption turns on what the extracted list reveals, not on where it came from: a report filtered to “customers who financed” is customer information even though it contains the same name-and-address fields. The guidance also confirms that sharing information with a non-service provider, with the customer’s consent, so the customer can obtain a rebate or tax credit in connection with a vehicle purchase does not subject the recipient to the Safeguards Rule or Privacy Rule, even if the nonpublic personal information disclosed is “customer information,” provided that the dealer discloses only the information needed for the rebate or credit and the recipient does not use that information for any other purpose, such as marketing.