For years, dealership compliance rested on a comfortable shortcut: “We follow the Gramm-Leach-Bliley Act, so state consumer privacy laws do not apply to us.” Most early state privacy laws included a broad GLBA exemption, and that shortcut mostly held. In 2026 it stops holding. Several states are narrowing or removing the exemption, and one has removed it outright for dealers with a hard deadline that has already arrived.
If your only privacy program is the FTC Safeguards Rule, you now have a gap. This post explains what changed, why it hits dealers specifically, and the short list of things to put in place.
The exemption was never as wide as dealers thought
The GLBA exemption in state privacy laws comes in two flavors, and the difference is everything.
An entity-level exemption says: if you are a financial institution covered by GLBA, the whole state law does not apply to you. That is the version dealers were counting on.
A data-level exemption says: only the data already covered by GLBA is exempt. Everything else you collect, from website analytics and marketing lists to service-lane data and employee information, still falls under the state law.
Most states have been shifting from the first version to the second, or removing the GLBA carve-out for dealers entirely. Once that happens, “we are GLBA-covered” no longer answers the question.
Connecticut removed the exemption, effective July 1, 2026
Connecticut is the clearest example. Amendments to the Connecticut Data Privacy Act eliminate the entity-level GLBA exemption that dealers had relied on, and every dealership operating in Connecticut must comply with the CTDPA as of July 1, 2026 (ComplyAuto).
That deadline is not coming. It is here. If you sell or service vehicles in Connecticut and have not built a consumer-rights process, you are already behind.
Four more states came online January 1, 2026
Connecticut is not the only date on the calendar. On January 1, 2026, new comprehensive consumer privacy laws took effect in Kentucky, Indiana, and Rhode Island, along with amendments to Oregon’s existing privacy law (ComplyAuto). Each has its own thresholds, consumer rights, and enforcement approach, and the count of states with comprehensive privacy laws keeps climbing.
For a single-state dealer, that means one new rulebook. For a group operating across state lines, it means a patchwork, and the patchwork is the point: what satisfies one state may not satisfy the next.
What a state privacy law actually asks of you
The FTC Safeguards Rule is about protecting data. State privacy laws are about giving consumers control over it. They are related, but they are not the same program, and the second one is the part most dealers have never built. In broad strokes, a state privacy law expects you to:
- Map your data. Know what personal information you collect, where it lives, who you share it with, and why.
- Honor consumer rights. Let people access, correct, delete, and opt out of the sale or sharing of their information, and stand up a way to actually process those requests within the state’s deadline.
- Post an accurate privacy notice. Not a template from 2019. One that reflects what your stores really do with data.
- Recognize opt-out signals and limit sensitive data. Several laws treat data like driver’s license numbers and precise geolocation as sensitive, with extra rules attached.
None of that is optional once the law applies, and none of it is covered by your WISP.
The trap for multi-rooftop groups
If you run stores in more than one state, the easy mistake is to assume your home-state program travels. It does not. A group with rooftops in Connecticut plus a January-2026 state is now subject to two privacy regimes on top of the federal Safeguards Rule, with different rights, different timelines, and different definitions of who counts as a consumer.
The workable answer is to build to the strictest standard you are subject to, then apply it everywhere. One consumer-rights intake, one honest privacy notice, one data map that covers every rooftop. That is cheaper to run than a different process per state, and it is far cheaper than explaining to a state attorney general why one store ignored a deletion request.
What to do in the next 30 days
You do not need to boil the ocean. You need to close the gap between “we follow Safeguards” and “we can answer a consumer-rights request and prove it.”
- Confirm which laws apply to you. List every state you operate in and check the current status of its privacy law, including any GLBA-exemption changes. Connecticut and the January-2026 states are the urgent ones.
- Map your customer data. You likely started this for your Safeguards risk assessment. Extend it to cover marketing, website, and service data, not just financing files.
- Stand up a consumer-rights process. Decide who receives requests, how you verify identity, and how you meet each state’s response deadline. Write it down.
- Refresh your privacy notice. Make it match reality across every rooftop.
The GLBA shortcut is closing. The dealers who get ahead of it will treat privacy and security as one connected program, run to the strictest standard they face, and keep the evidence to prove it.
Want help mapping where the Safeguards Rule ends and state privacy law begins for your stores? A free gap assessment is the fastest way to see it clearly.