Where the Rubber Meets Regulation – FTC Clarifies Data Security Requirements for Auto Dealers Under Safeguards Rule
Thursday, June 26, 2025

On June 16, 2025, the Federal Trade Commission (FTC) issued FAQs that directly affect many automobile dealers, clarifying how its Safeguards Rule (the Rule), part of the FTC’s implementation of the Gramm-Leach-Bliley Act (GLBA), applies to the automotive sector. The Rule requires non-banking financial institutions to implement measures to protect customer information—and the FTC is making it clear that many car dealerships fall within that definition.

While “financial institution” might traditionally bring to mind banks or lenders, the Rule defines the term much more broadly. It includes businesses significantly engaged in financial activities or closely related services. That means mortgage brokers, finance companies, financial advisors, credit counselors—and yes, car dealers who either finance or lease vehicles to consumers.

According to the FAQs, if a car dealership helps customers secure auto loans or directly provides financing, it qualifies as a financial institution under the Rule. The same goes for dealerships that lease vehicles for over 90 days, since leasing is also considered a financial activity.

The FAQs also clarify what counts as “customer information” protected by the Rule. Customer information includes a dealer’s documents like approved financing or leasing applications, spreadsheets containing customer names and financial data, and other information that could be linked to a customer’s financial profile. However, general sales reports that don’t relate to a consumer’s financing or leasing aren’t covered.

The Rule requires covered financial institutions to maintain an information security program that outlines all of the ways dealers collect and store customer information, how this information is shared with other companies, and how dealers delete such information when it is no longer needed. Though there is no one-size-fits-all approach regarding what constitutes a sufficient information security program, the FAQs advise that these programs should contain administrative, technical, and physical safeguards appropriate for a dealer’s size, complexity, type of activities, and sensitivity of the customer information involved.

The FAQs list ten key requirements for an information security program, which include a written risk assessment of reasonably foreseeable risks, oversight of service providers, a written incident response plan, and notifying the FTC of certain security breaches.

The FAQs further address various other issues and scenarios specific to automobile dealers. But the key takeaway? If your dealership is involved in financing or long-term leasing, the FTC Safeguards Rule applies—and if you are a car dealer, now is the time to evaluate whether your current data security practices meet the FTC’s expectations. With the agency signaling that it’s watching this sector, it’s best not to steer off course.
