Digital Solutions to Counter Increasingly Sophisticated Fraud

Summary: Auto retailers are facing a surge in complex identity‑based scams that threaten both operational efficiency and customer trust. This article breaks down the evolving fraud landscape and shows how modern verification and compliance tools can help dealerships detect risks earlier and protect sensitive information more effectively.

__________

Fraud attempts and identity theft related to car buying, leases and loans are a significant problem for auto dealers and lenders. The Federal Trade Commission’s Consumer Sentinel Network Data Book 2024 tracked more than 197,000 auto-related fraud reports that year, while identity theft reports exceeded 1.1 million.

These categories both increased year over year, and it’s clear that the types of fraud and identity theft dealers and lenders face are becoming more sophisticated.

Synthetic ID Fraud

One type that is on the rise is synthetic identity fraud. In these cases, fraudsters create a false identity for a car buyer that’s made up of real pieces of information. The name might be from one person, the address could be from someone else, and the social security number may be stolen from a minor or someone who is deceased. Individually, the items of data check out, but they definitely do not describe a single, real person.

Fortunately, there are advanced compliance tools available for dealerships to help them assess the risk of synthetic ID fraud for each transaction.

Other Identity Fraud

Just because synthetic ID fraud exists doesn’t mean that more traditional fraud attempts have died out. “Know your customer” verification steps are vital to ensure that customers are who they say they are, have legitimate and verifiable employment and income, and are authorized to purchase a vehicle in the U.S.

A digital compliance solution can help dealerships detect fraud attempts at every step of the deal. It can also give dealers the ability to follow and document the proper ID verification steps including red flags, OFAC checks, and out-of-wallet questions as needed.

Identity Theft

Dealerships are not only at risk of selling to someone using a stolen identity—they also handle personal identifying information (PII) for prospects and customers that could fall into the wrong hands and continue the vicious cycle.

This is another area where a digital compliance solution helps safeguard the dealership and its customers. Store customer PII digitally to avoid situations where photocopied drivers’ licenses and other sensitive information might be left on a copier or desk where anyone might see them. Digital transactions also reduce the risk that documents may fall into the wrong hands in transit to a lender or state DMV—or be accessed from a file cabinet within the dealership during long-term storage.

Safeguard Your Dealership

Explore how the Dealertrack Compliance solution protects dealerships and consider taking a self-guided demo or requesting a one-on-one consultation.

For a handy guide to the latest compliance knowledge for dealerships, download the free 2026 Dealertrack Compliance Guide.

Disclaimer: This is not meant as legal advice, and we do not purport to provide any legal or regulatory analysis. Consult with your attorney for any legal, regulatory, or compliance questions you may have.

3 Ways to Safeguard Your Dealership in a Consumer-Driven Market

After a few roller-coaster years, consumers are still interested in buying cars and car inventories have continued to stabilize to meet their needs. Still, the industry is expected to see declines in consumer demand and increases in auto loan delinquencies moving forward. These changes result from various economic factors, including high interest rates, rising car prices, and other financial strains on consumers.

As auto dealers look for ways to serve reluctant consumer buyers, and auto lenders work to address more loan delinquencies, federal and state regulators are monitoring the industry to ensure consumers are being treated fairly.

Here are three initiatives you can take on to ensure your dealership remains compliant:

1. Establish a culture of compliance

The best way for dealerships to protect themselves in this environment is by creating a culture of compliance, data security, transparency, and honesty with customers.

Here are some of the ways to do that:

  • Documentation – Establish processes to document your compliance and risk assessments for every deal and store that data securely. Using an electronic system to track and record your completed processes for each deal can be invaluable in the event of an audit or regulatory inquiry.
  • Consistency – One of the hallmarks of many consumer protection regulations is non-discrimination. Be sure every customer receives the right consumer notices at the proper times during the deal process to document any exceptions. Create a systematic customer complaint system and work to resolve complaints using a consistent process with timelines and escalation procedures.
  • Data Protection – More and more state data privacy laws require businesses to provide certain rights regarding personal information collected by the business. Consider using secure digital storage solutions to ensure that you are protecting and storing customer data for your state-required period.

2. Protect your reputation and your profitability

Today’s consumers are empowered to seek remedies from a variety of sources when they have a negative experience. Between the online complaint databases maintained by the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC), state attorneys general, data protection agencies, and the Better Business Bureau, the risks to your dealership of a prolonged consumer dispute multiply.

Consistently following compliance best practices is the best way to protect customers and avoid the ramifications of non-compliance.

3. Download the 2025 Dealertrack Compliance Guide

Sign up now and get the free guide to serve as a compliance reference all year long. Know which regulations apply to your dealership so you can build a solid compliance plan to safeguard your business.

Compliance Trends for Dealerships

In an ever-changing regulatory landscape, resources that help you stay up to date on what’s new are important for maintaining your dealership’s reputation and avoiding costly missteps. The Dealertrack Compliance Guide is available each year as a free download to serve as a reference guide.

Here are some of the compliance trends we’re seeing:

1. More consumer data privacy

Thirteen states—California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia—have enacted new data privacy and data security laws. Several other states are considering legislation to enact similar laws. Many of these laws become effective this year, so it’s important for dealers to pay special attention to data and security obligations and be proactive in incorporating these new state requirements in compliance action plans.

The New York Department of Financial Services Cybersecurity Rule, amended as of April 29th, requires multi-factor authentication (MFA) for all user accounts accessing information systems.

Things to think about: Data privacy laws apply to all personally identifiable information (PII) collected from consumers. Help protect customer data with a policy forbidding the use of personal devices for data collection. Consult with legal counsel and software vendors to ensure that your information systems and processes meet requirements for handling and securely storing customer data.

2. Tightening security measures

Fraud grew to $8.1 billion in 2022, with a substantial increase in the prevalence of synthetic identity fraud*, which involves fake identities being stitched together from pieces of real identifying information taken from various sources.

Given the rise of fraud, the FTC and states continue to focus on cybersecurity and related enforcement. Throughout this year, expect to see stricter data security and identity theft regulations, more guidelines about how to prevent synthetic ID fraud, and additions to the Safeguards Rule, including expansions of required security measures similar to what we described in the section above.

To protect against identity theft and fraud, many states have also passed laws that restrict how dealers can use and handle a customer’s social security number (SSN) and other non-public information. This can include denying goods or services to a person who declines to give their SSN.

Things to think about: Have plans in place to safeguard your dealership against direct fraud loss and costly lender chargebacks as the result of fraud. Consider adding additional ID verification steps such as pulling out-of-wallet questions—and look for a compliance solution that can alert you to potential synthetic ID fraud attempts.

3. New data breach disclosure requirement

As of May 13, 2024, non-bank financial institutions have a new data breach disclosure requirement. The Federal Trade Commission (FTC) recently updated the Gramm-Leach-Bliley Safeguards Rule, requiring non-bank financial institutions to report to the FTC any event where unencrypted customer information involving 500 or more consumers has been acquired without authorization.

Things to think about: If your dealership provides financing directly to customers, take note of this regulation and work with your legal counsel to find out how it applies to you.

4. Quiet hours

Having someone’s phone number doesn’t give you the green light to call them anytime you want. The Telephone Consumer Protection Act (TCPA) establishes new federal quiet hours before 8:00 a.m. and after 9:00 p.m. You could be fined $500-$1,500 per call or text message under this law if you haven’t obtained written consent from the recipient.

Things to think about: Always maintain a “do not call” database to avoid unwanted communication with consumers. Check the settings of your automated systems to ensure they’re programmed to respect quiet hours. Remember to keep customers’ time zones in mind.

5. Aftermarket pricing transparency and disclosures

Consumer protection regulations and enforcement are increasingly focused on consistent pricing and proper disclosures for F&I aftermarket product sales.

Things to think about: It’s more important than ever for dealerships to provide timely consumer notices and disclosures. Consider using a menu solution to present aftermarket products to car buyers transparently and consistently and ensure that every product is offered to every customer—at the same price point.

The answers to your compliance questions

Get the free 2026 Dealertrack Compliance Guide so you have it handy whenever you need to check, or double check, the current rules, regulations, and best practices.

*Source: Point Predictive 2023 Auto Fraud Trends Report

The Financial Impact of Non-Compliance

Summary: Non‑compliance can significantly impact a dealership’s bottom line, exposing it to fast‑growing fraud risks and severe regulatory fines. This post highlights how rising auto loan fraud—now exceeding $8.1 billion in exposure—and costly penalties tied to OFAC, Red Flags, and other rules make consistent compliance practices essential for protecting revenue and preventing legal and operational consequences.
___________________

There’s a reason that compliance looms large for auto dealers – and it has everything to do with the bottom line. Failing to establish and follow consistent compliance practices can cost a dealership in two ways:

Fraud

On one hand, you have fraud risk, which is growing at an alarming rate. According to the 2025 Auto Fraud Trends Report from Point Predictive, auto loan fraud totaled more than $9.2 billion in origination risk exposure last year. Fraudulent entries on those buyers’ loan applications included fake or falsified employment, income and identity information, often combined to create a synthetic identity unrelated to a single, real person.

That’s one reason identity verification is such a vital compliance step. Not only does it help the dealership comply with the OFAC checks and the FTC’s Red Flag Rule, but it lets the dealership confirm that the buyer is who they say they are before that person has the opportunity to take possession of a vehicle under false pretenses.

Fines and Penalties

OFAC is a good example of the second way non-compliance can be costly, because violating it can come at a steep cost in criminal and civil penalties and fines. OFAC stands for the Office of Foreign Assets Control, and it requires car dealers to check consumers against its Specially Designated Nationals and Blocked Persons (SDN) list to make sure they aren’t tied to illegal activities. Anyone on the list is prohibited from making a purchase.

Violating OFAC SDN requirements falls under five different regulations: Trading With the Enemy Act (TWEA), International Emergency Economic Powers Act (IEEPA), Antiterrorism and Effective Death Penalty Act (AEDPA), Foreign Narcotics Kingpin Designation Act (FNKDA) and Clean Diamond Trade Act (CDTA). Each regulation carries civil penalties ranging from tens of thousands to more than $1.8 million. (31 C.F.R. § 501, App. A).

Each of the regulations includes criminal penalties for knowing violations that can lead to a decade or more in prison and additional fines for the dealership up to $10 million, depending on which rule has been violated.

Although OFAC is an extreme example, there are fines associated with all of the regulations that a dealership’s compliance program addresses. Here are some of the maximums for potential dealership violations in 2025:

  • Red Flags Rule and Risk-Based Pricing Rule Notice – up to $4,983 per knowing violation
  • Privacy Notices and Adverse Action Notices – up to $53,088 per instance

Download the Dealertrack Compliance Guide to reference the Guide to Penalties (starting on page 171) for a list of the 2025 fines. Keep the guide on hand throughout the year to serve as a useful compliance resource.

Need help making sure your dealership stays on top of compliance? Dealertrack Compliance has integrated checkpoints and monitoring from leads to contracts to help you maintain compliance on every deal. Schedule a demo to find out how.

Data Safeguards & Identity Theft Protection: F&I Compliance Tip

Summary: Auto dealerships are increasingly targeted by identity theft and data breaches, making strong data‑safeguard practices more essential than ever. This post outlines three practical F&I compliance tips—establishing clear acceptable‑use policies, creating a proactive breach‑response plan, and ensuring secure transmission of customer information—to help dealerships protect sensitive data and reduce fraud risk.

Identity theft and data breaches continue to be a serious and ongoing issue for consumers and businesses.

In fact, according to Experian, the FTC logged more than 1.1 million identity theft reports in 2024 (the most recent year for which stats are available), leading to total monetary losses of $12.74 billion. That includes the misuse of credit card data, as well as personal identity information. Amid this environment, Small to Midsize Businesses (SMB) such as auto dealerships are perfect targets.

With the increase in remote transactions, identity verification is more important than ever. You can help protect your dealership by implementing a few commonsense steps, and by encouraging your staff to follow best practice safeguards:

Tip #1: Acceptable Use

Help control risk by adopting an “acceptable use” policy that ensures employees are not sharing their device, are adhering to strong passwords, and that any corporate-owned data is encrypted. Text messaging should also be discouraged as it is discoverable from the device in litigation and the use of acronyms or shorthand often leads to misunderstandings.

Tip #2: Have a Plan

Have a pre-established plan in place to deal with data security breaches. The FTC has said that an Information Security Program must include a detailed incident and breach response and notice plan to execute in the event of any security breach or database hack in which customer information is or may have been wrongfully accessed, whether by internal or external persons. Pre-identify a team of people to manage the breach and responses. The team should represent each department that might be affected by a breach or that has to be mobilized to interact with the public, including legal, human resources, privacy, security, IT, communications, and, if you are publicly traded, investor relations. Part of the team’s role is to analyze risks to data, data flow, and worst-case scenarios. Test your plan periodically by doing mock drills. Consult your attorney to know your state law and the laws of your customers’ states of residence about when you give notices to customers about data breaches.

Tip #3: Secure Transmission

Do not transmit customer information over insecure channels such as unencrypted email, P2P systems, or wireless access points. These are not secure media. The FTC has cited the absence of data loss prevention software and an intrusion detection system in these media as inadequate practices for an Information Security Program.

To get more tips and recommended compliance practices, access the free 2026 Dealertrack Compliance Guide. 

7 Features Your Compliance Software Should Have

Summary: Choosing the right compliance software is essential for protecting your dealership from audits, fines, and fraud. This post outlines seven must‑have features—including real‑time visibility, automated Red Flags and OFAC checks, compliant menu selling, secure document storage, built‑in disclosure and notice tools, Adverse Action reporting, and integrated checkpoints—to help dealerships strengthen compliance, streamline workflows, and reduce risk.
________________________________

With the constant threat of audits, fines, lawsuits and fraud, every dealership must take compliance seriously. Fortunately, there are cost savings to be found in integrating finance and sales flow compliance functions. Here are seven features to look for when choosing compliance software:

1. Visibility and transparency
It’s important to have a compliance dashboard that monitors employee and deal activity in real-time from a single screen. Keeping a close eye on employee actions lets you step in to make corrections as needed, heading off non-compliance risk.

2. Integrated FTC and OFAC requirements
To meet FTC and OFAC requirements and reduce fraud risk, your workflow needs to include the proper checkpoints. The FTC Red Flags Rule is a requirement designed to help protect against identity theft. The Office of Foreign Assets Control (OFAC) requires a check of names against its “Specially Designated Nationals” list (SDN) of people with whom you cannot legally do business. You should look for software that automatically pulls Red Flags, provides out-of-wallet knowledge-based authentication questions, and offers additional questions when a customer does not answer enough of the previous questions correctly.

3. Fully compliant menu selling
Consistent presentations and full disclosure should be built into the sales process to reduce your compliance risk. This is an important selling category to watch because many industry experts believe that the FTC will be zeroing in on aftermarket products in the near future with enforcement actions for possible unfair and deceptive practices.

4. Secure document management
To meet compliance regulations, you must store deal-related documents including credit applications, privacy notices, credit reports, pencils, contracts, menus and more. Secure electronic deal jackets make these documents easier to access as needed, protect them from misuse, and also reduce the need to store paper files at your dealership.

5. Ability to print risk-based pricing credit score disclosure notices and privacy notices
Every time you take a credit application, you need a Credit Score Disclosure Notice – and it’s a best practice to give each customer a privacy notice at the same time. Ideally, your software should give you the ability to print risk-based pricing credit score disclosure notices and privacy notices as part of the application submission process.

6. Adverse Action reports
Compliance technology should be able to immediately identify and give you insight into which customers might need an Adverse Action notice.

7. Integrated compliance checks and balances
Compliance should be an integral part of your software so that your employees immediately receive an on-screen notice if a step is overlooked. This information should also be displayed on a performance dashboard so that management can be aware of possible problem areas requiring intervention such as additional training.

To learn how your dealership can integrate compliance checkpoints into your workflow, visit our Compliance product page and schedule a live demo with a Dealertrack F&I sales representative. 

eContracting and Data Security

Summary: Dealerships handle large amounts of sensitive customer data, and this post explains why eContracting is a critical safeguard against data‑security vulnerabilities. It highlights how paper documents pose significant breach risks and shows how secure digital contracting—powered by encryption, controlled access, eVault storage, and legally compliant processes—helps protect customer information both inside the dealership and throughout the contracting workflow.
 
____________________

Dealerships collect a significant amount of personally identifiable information (PII) about their customers in the process of selling them a vehicle and arranging financing. Information including the customer’s name, date of birth, place of residence, employment information, phone number, email address and social security number can all be at risk of misuse when not properly handled and secured.

The vulnerability of paper documents

Many people tend to associate data breaches with electronic transactions, but paper records can actually be much more vulnerable. Companies have been fined thousands and even millions of dollars for exposing printed customer information in ways that include:

  • Mailing letters with social security numbers visible through the envelope window.
  • Faxing sensitive information to an unauthorized individual.
  • Leaving customer files on public transport.

Paper document mismanagement isn’t always so dramatic. It can include letting paper records sit on a printer or copier or out on a desk where unauthorized people could view them, or putting files in a dumpster when they should be shredded. Even sending documents by mail or via a delivery service can increase the risk that a paper file may fall into the wrong hands.

eContracting security

Federal legislation that applies to eContracts, including the Electronic Signatures in Global and National Commerce (E-SIGN) Act, includes provisions that electronic transactions must be conducted through secure channels to protect sensitive information. The law requires that digital information be securely archived, indexed, and retrievable in a timely manner.

Access to a dealership’s eContracting solution is password protected and limited to authorized dealership personnel. The system encrypts all contract and customer data, and it flows securely and directly into a lender’s Loan Origination System (LOS).

Contract packages are stored in a secure eVault with multiple backup systems to protect the data and keep it accessible when needed. In cases where paper is required later, authorized representatives of the lender or dealer can easily export the eContract documents and print them without requiring the customer to re-sign.

The system also ensures that only one “authoritative copy” of the eContract can exist at any time. This security measure prevents fraud and potential misuse that can come from multiple contracts for the same deal.

Your dealership’s compliance protocols should include practices that encourage secure handling of customer data regardless of whether it’s on paper or stored digitally. The security features built into eContracting can help keep that data safe within the dealership, in transit to lenders, and after the deal is completed.

Find out more about how Dealertrack Digital Contracting helps secure and streamline your contracting processes. To learn more about regulations around data security, download the 2026 Dealertrack Compliance Guide.

Don’t Play “Hot Potato” With Adverse Action Notices

Summary: Adverse action notices are a critical—yet often misunderstood—compliance requirement for dealerships. This post explains why dealers, not lenders, are responsible for issuing these notices, outlines the detailed disclosures required under ECOA and FCRA, and clarifies when notices must be sent to protect both consumers and the dealership from regulatory risk.
___________

As much as your dealership would like to be able to sell to every customer, sometimes it doesn’t work out. Maybe a customer was credit-challenged, so you decided not to send their application to any financing sources – or you did send their application for financing but couldn’t get acceptable terms. Perhaps you had a spot delivery deal in place that you needed to unwind or re-contract.

In any of these instances, consumer protection laws, including the Equal Credit Opportunity Act (ECOA) and the Fair Credit Reporting Act (FCRA), require that the consumer be presented with an adverse action notice within a mandated timeframe.

This is where it gets tricky. There’s a common misconception among dealers that lenders handle sending adverse action notices. It’s true that a finance source may present their own adverse action notice to a consumer, but that’s not enough to protect a dealership from liability if the notice doesn’t contain certain dealer-specific disclosures.

According to consumer protection laws¹, an adverse action notice must tell the customer:

  • What the adverse action was
  • Up to four reasons for the adverse action (or provide the dealership’s contact information so they can find out within 60 days)
  • The names of the credit reporting agencies that provided the information to the dealership
  • Their credit score and information about it
  • Four or five “key factors” that adversely affected their credit score

These are detailed requirements and the dealership is in a better position to provide this information than any given lender, which is one of the reasons the dealer bears the responsibility for compliance.

So, it’s important to be alert to situations that require your dealership to provide consumers with an adverse action notice.

Not sure exactly what to include? The 2026 Dealertrack Compliance Guide includes a sample of one type of adverse action notice form that’s appropriate for use in certain circumstances. Always consult your legal counsel for advice on developing an adverse action notice template for your dealership and knowing when to send an adverse action notice.

To learn more about adverse action notices and see the form sample, download the 2026 Dealertrack Compliance Guide.

¹ Please check with your attorney for verification and further details.

 

3 Things to Know About Risk-Based Pricing Notices

Summary: Risk‑based pricing notices play a key role in dealership compliance by informing customers when their credit terms are less favorable due to their credit report. This post breaks down when these notices are required, how Credit Score Disclosure (CSD) exception notices can be used instead, and how integrated compliance tools help ensure dealerships deliver the right documentation at the right time.
________________________________

Many of your dealership’s compliance responsibilities are designed to inform and protect consumers as they make financial decisions. That is definitely the case for the Federal Trade Commission’s Risk-Based Pricing Rule of the Fair Credit Reporting Act, which may apply to dealerships that use credit reports to help them make lending decisions.

When should you provide a Risk-Based Pricing Notice?

Under the Risk-Based Pricing Rule, a customer must be informed if they’re being offered worse credit terms than other consumers because of information in their credit report.

The threshold that determines when a consumer should receive a Risk-Based Pricing Notice is when they’re offered credit on less favorable terms than what a “substantial proportion” of other customers receive. In most cases, “less favorable terms” refers to customers being offered a higher annual percentage rate than other car buyers.

What are CSD Notices?

As an alternative to providing a Risk-Based Pricing Notice to these selected consumers, some dealerships choose to provide a credit score disclosure (CSD) exception notice to every credit applicant.

CSD Notices include an applicant’s credit score and other information such as the national distribution of credit scores among consumers under the credit scoring model used and various disclosures about credit scores in general.

Consumer reporting agencies will provide CSD Notices upon request. Your dealership should give them to each credit applicant after you get their credit score but before you complete the vehicle sale transaction.

How can I make the process easier at my dealership?

A compliance technology solution integrated with your F&I process can help your dealership provide the required notices to consumers at the appropriate time based on their credit reporting and terms.

As with any compliance issue, we recommend that you address questions you may have with your own qualified legal counsel.

To learn more about the Risk-Based Pricing Rule and other compliance topics, download the 2026 Dealertrack Compliance Guide.

The 5 Ws of Privacy Notice Compliance for Dealerships

Summary: Privacy notices are a crucial part of dealership compliance, outlining how customer data is collected, used, and shared. This post explains why these notices are legally required, what information they must include, who must receive them, and when they should be delivered—helping dealerships stay aligned with FCRA, GLB, FTC rules, DPPA requirements, and emerging state‑level privacy laws.

______________________

Your dealership’s privacy notice may seem like just another piece of paperwork, but it’s a vital part of your compliance plan. The federal and state consumer protection regulations that require privacy notices address a wide range of your dealership’s data handling and storage practices. Let’s go over the basics you need to know about them.

Why Are Privacy Notices Necessary?

Numerous laws and regulations require that dealers create and present a notice to inform consumers of their practices for collecting, using and sharing non-public personally identifiable information.

Privacy notices are generally based on the combined requirements of Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB). However, dealerships should also take into account federal laws including the FTC Privacy Rule, FTC Affiliate Marketing Rule and the Driver’s Privacy Protection Act (DPPA) when creating their privacy notices.

States are stepping up to provide consumers with additional privacy protections, so it’s important for your privacy policy to address the state regulations that apply where your dealership does business.

Remember, always consult with your legal counsel to ensure compliance with all privacy policy requirements for your dealership.

What Should Privacy Notices Include?

The recommended best practice is to create your FCRA-GLB Privacy Notice using the FTC’s Model Consumer Privacy Online Form Builder. Your dealership’s privacy policy should explain what personal information you collect, how you collect and use the personal information, and what third parties (if any) can access the information. An important key is that your privacy notice should accurately describe the actual way you collect and share information every day, which means you need to walk the talk!

Who Should Get a Privacy Notice?

You should give a privacy notice to every consumer who gives your dealership personal information, regardless of whether they end up purchasing a product or service.

When Should a Consumer Get Their Privacy Notice?

As the previous item implies, your dealership should be prepared to present privacy notices to potential customers before they become customers. That means consumers should receive a privacy notice before the dealer plans to collect, use or share their information. The timing can be tricky depending on how the consumer first begins interacting with your dealership but be prepared to provide a privacy notice when someone first gives you their personal information, or as soon as possible after that. An integrated compliance software solution should provide you with a disclosure alert to ensure that you provide the privacy notice to the consumer at the proper time.

Where Have Privacy Notice Requirements Gotten Broader?

The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. This law gives California consumers the right to know what personal information is collected about them, know how their personal information is being used, access a copy of their personal information, request that a business delete the personal information that was collected from them, and say no to having their personal information sold to third parties. There are also related online privacy requirements. The law applies to dealerships doing business in California that meet certain requirements, so consult with your legal counsel to determine your status and ensure that your privacy policy is compliant.

California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Nebraska, New Hampshire, New Jersey, New York, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia have enacted data privacy and data security laws, some of which become effective in 2025 or early 2026. Several other states are considering legislation to enact similar laws.

Want to learn more about complying with privacy and customer information sharing regulations? Check out the 2026 Dealertrack Compliance Guide.