Pub. 22 2023 Issue 3

Deleting Customer Data Stored in Vehicles
Best Practice or Legal Requirement?

BY DAVID ESTRADA, REGULATORY COMPLIANCE SPECIALIST, COMPLYAUTO

As the deadline for compliance with the FTC’s revised Safeguards Rule has passed, some dealers may still have questions about implementing the FTC’s new requirements. From locking up deal jackets to installing multi-factor authentication, navigating the revised Safeguards Rule and understanding its legal requirements and practical demands has been challenging enough.

In the past year, your inbox has likely been inundated with emails from vendors claiming that their product or service is “essential for Safeguards Rule compliance.” One of these emails in particular has caused many dealers concern, and it revolves around customer data stored in vehicles: “What about deleting customer data stored in vehicles? Is that required under the Safeguards Rule or any other law?” The short answer is no, but there is some important information to consider.

INFORMATION IN VEHICLES AND THE FEDERAL SAFEGUARDS RULE

In order to determine whether such data stored in vehicles is subject to the Safeguards Rule, we need to understand exactly what kind of data the Safeguards Rule directly affects and what it is attempting to protect. The Safeguards Rule is concerned with protecting non-public personal information (NPI), and under the Gramm-Leach-Bliley Act (GLBA), NPI is defined as “any record containing nonpublic personal information about a customer of a financial institution … that is handled or maintained by or on behalf of [the dealer] or [the dealer’s] affiliates.” This means that NPI includes:

1. Information a consumer provides in order to obtain a financial product or service
2. Information about a consumer resulting from any transaction involving a financial product or service
3. Any information obtained about a consumer in connection with providing a financial product or service

The definition above focuses on “financial products or services,” and in the dealership context, this would mean that NPI is data that is directly derived from a finance or lease transaction. As you can imagine, this directly implicates information collected during the financial transaction: data such as customer social security numbers, dates of birth, and other credit-related information. NPI also includes more general types of customer information, such as the customer’s name and physical address.

Most personal data that is stored in vehicles comes from people who are pairing their smartphones using USB cables or Bluetooth. As a whole, this data is generally limited to contact information, location information, text messages, and vehicle service history. Because the type of data typically stored in vehicles is not information derived directly from a financial transaction, it is considered a stretch to suggest that data typically stored in vehicles is NPI or is derived from a finance/lease transaction because the transaction has already concluded. In fact, at no point in their 145‑page document of the Safeguards Rule guidance does the FTC address the data stored in vehicles.

26 new jersey auto retailer
