Key Takeaways
- FTC expectations around GLBA and Safeguards Rule compliance remain active, even as advertising enforcement increases.
- The FTC’s 2025 dealer FAQs clarified that dealerships should already have written, operational data security controls in place.
- Common compliance gaps include missing MFA, weak access controls, lack of encryption, and inadequate vendor oversight.
- Dealers are expected to demonstrate that their data security program is documented, functioning, and actively monitored.
FTC Enforcement of GLBA Safeguards
FTC enforcement around dealer advertising has been getting a lot of attention lately, and for good reason. It is visible, customer-facing, and directly tied to sales practices. But as dealers focus on advertising compliance, there is a risk of losing sight of another area the FTC has already addressed in detail: data security.
Less than a year ago, in June 2025, the FTC issued dealer-specific FAQs explaining how the GLBA Safeguards Rule applies to motor vehicle dealers. That guidance did not create new obligations. It clarified what regulators expect to already be in place.
That timing matters. The guidance is recent enough that it should still be top of mind, but it has been out long enough that regulators are unlikely to view it as something dealers are still “working toward.” The expectation now is that these requirements are implemented and operating.
Where Dealers Still Struggle
Many data security failures come down to basic control gaps rather than complex cyberattacks.
Common issues include:
- Customer information stored or transmitted without encryption
- Weak or inconsistent access controls
- Lack of multi-factor authentication
- Gaps in vulnerability scanning or penetration testing
- Limited or ineffective employee training
- No formal, written information security program
- Delayed awareness of exposed data, often identified by someone outside the organization
These are not technical edge cases. They are core elements of the Safeguards Rule, and when they are missing, regulators tend to view it as a breakdown in management and oversight rather than a technical lapse. For dealerships, the point is straightforward. Customer information should be treated with the same level of care as financial data, because under GLBA that is exactly what it is.
What Regulators Expect to See in Place at Your Dealership
A dealership’s GLBA compliance starts with a written information security program that reflects how the business actually operates. It should be tied to a risk assessment, assign clear responsibility to a qualified individual, and include regular reporting to ownership or senior leadership. Beyond that, regulators expect to see controls that are both documented and working. That includes:
- Access controls that limit who can view or use customer data
- Encryption for information at rest and in transit
- Multi-factor authentication for system access
- Logging and monitoring
- Ongoing security awareness training
- A defined incident response plan, including the FTC notification the Rule requires for notification events affecting 500 or more consumers
These are not aspirational goals. They are established expectations. The same is true for system testing and monitoring. Whether a dealership relies on continuous monitoring or periodic testing (the Rule calls for annual penetration testing and vulnerability assessments at least every six months when continuous monitoring is not in place), the key question is whether those controls are effective in practice. Regulators are increasingly focused on evidence, not just policy.
Vendor oversight is another area that deserves attention. Many dealers rely heavily on third-party systems, but that does not shift responsibility. Dealers are expected to vet service providers, require safeguards by contract, and periodically assess whether those safeguards are actually in place. If a vendor has access to dealership systems, multi-factor authentication should be required. If a vendor stores customer data, encryption should be part of the contractual requirement.
Why This Still Matters Right Now
It is easy to prioritize what regulators are talking about most in the moment. Right now, that is advertising. But enforcement does not happen in only one area at a time. The FTC’s updated Safeguards Rule requirements have been in effect for multiple years, and the 2025 FAQs made the expectations even clearer for dealerships. Less than a year later, the question is no longer whether dealers are aware of those expectations. It is whether they can demonstrate that their controls are in place and working.
There is also increasing pressure from outside the FTC. Lenders, insurers, OEMs, and business partners are asking more questions about data security as part of normal business relationships. In many cases, dealers are expected to show proof, not just provide assurances.
Staying Ahead of the Issue
Dealers that take a proactive approach to GLBA compliance tend to be in a much stronger position. They can respond more quickly when issues arise, manage vendor relationships more effectively, and demonstrate that data security is being handled deliberately. This does not have to become a manual or reactive process. With the right structure, tools, and workflows, compliance can be part of day-to-day operations rather than something that only surfaces during an audit or investigation.
At KPA, the message is simple. The FTC has already made its expectations clear. Even with attention on advertising, dealers should not lose sight of data security requirements that were clarified less than a year ago and are very much in effect today.