Published May 19, 2026

The FTC Just Answered Dealers' Biggest Safeguards Questions

Since the revised FTC Safeguards Rule took full effect, dealers have been asking the same questions. Does the rule really apply to my store? What counts as customer information? Am I responsible when a vendor or the OEM handles the data? For a long time the honest answer was “the rule does not spell that out for dealers specifically.”

In June 2025 that changed. The FTC published a set of Frequently Asked Questions written specifically for automobile dealers, its first dealer-focused guidance since the amended rule landed (FTC; ComplyAuto). If you have been guessing at how the rule applies to your store, the guesswork is over. Here is what the FAQs make clear.

Yes, the rule applies to your dealership

The first thing the guidance settles is the question dealers most want to wish away. If your dealership arranges financing or leasing for customers, you are a “financial institution” under the Gramm-Leach-Bliley Act, and the Safeguards Rule applies to you. Size does not get you out of it. A single-rooftop store that helps customers get financed is covered the same way a large group is.

The FTC has been consistent on this point, and the dealer FAQs remove the last bit of ambiguity: this is not a rule for banks that happens to mention dealers. It is a rule that treats your store as a financial institution because, when you arrange financing, that is what you are.

Customer information is broader than the deal jacket

Dealers often picture “customer information” as the financing file and stop there. The rule is broader. It covers nonpublic personal information about anyone who obtains a financial product or service from you, in whatever form you hold it: the credit application, the copy of a driver’s license, the data in your CRM, the records your service department keeps.

The practical takeaway is that protecting the deal jacket is not enough. If a system in your store holds customer financial information, it is in scope, and it needs the same safeguards as the F&I office.

The OEM and your vendors do not absolve you

This is the section dealers should read twice. The FAQs address dealer relationships with OEMs and other third-party vendors, and the message is that handing data to someone else does not hand off your responsibility. You remain accountable for overseeing the service providers that touch your customers’ information.

That lines up with what the rule already requires: select providers that can protect the data, require those protections by contract, and monitor the providers over time. If a captive finance arm, a DMS, or a marketing vendor holds your customers’ data, “they handle security” is not a compliance answer. Their security is now part of your program, and you are expected to verify it.

The nine elements are still the backbone

The FAQs do not replace the core of the rule. They point back to the same information security program every covered dealer has to build, anchored by a written program and a named owner. In practice that means:

  • A designated Qualified Individual responsible for the program.
  • A written risk assessment that drives the safeguards you choose.
  • Core technical controls, including multi-factor authentication for anyone accessing customer information and encryption of customer data at rest and in transit.
  • Service provider oversight, the piece the FAQs emphasize for dealers.
  • Testing, training, an incident response plan, and an annual report to leadership.

If those elements are not written down, dated, and provable, the FAQs are a warning shot: the FTC has now told dealers, in dealer-specific language, exactly what it expects.

Do not forget the breach clock

The guidance sits on top of a requirement that has been live since May 13, 2024. Covered dealerships must notify the FTC as soon as possible, and no later than 30 days after discovering a security event involving the unauthorized acquisition of unencrypted customer information affecting 500 or more consumers (ComplyAuto). That notice goes to the FTC electronically, and it effectively creates a public record of the breach.

Pair that with the civil penalty exposure, which the FTC set at up to $53,088 per violation for 2025 (Orrick InfoBytes), and the message is clear. The FTC has removed the excuses. It told dealers the rule applies, told them what data is covered, told them their vendors are their responsibility, and gave them a deadline to report failures.

What to do with the FAQs

Treat the dealer FAQs as a checklist, not light reading.

  1. Read them against your program. Go element by element and mark what you can prove today.
  2. Pressure-test the vendor question. For every provider that touches customer data, ask whether you could show the FTC how you select, contract with, and monitor them.
  3. Close the gaps in writing. A control you cannot document is a control the FTC will treat as missing.

The FTC just told dealers exactly what it wants. The stores that come out ahead are the ones that take the hint and can prove their program is real.

Want to see how your store measures up against the nine requirements the FAQs point to? A free gap assessment gives you a written report of exactly where you stand.

Ready to see where your dealership stands?

A free gap assessment maps your store against all nine FTC Safeguards requirements, with a written report of every gap.

Get your free gap assessment