New Data Privacy Rule: How Auto Dealerships Can Protect Sensitive Data

The new year sees more states trying to clamp down on the rising trend in data theft and cybersecurity crimes. Connecticut is among several states that recently passed new measures to tighten security and data privacy protections.

A string of high-profile cyber incidents involving car dealerships has made auto dealership cybersecurity a hot topic of late.

Still fresh in everyone’s mind is the CDK Global cyberattack from last June that impacted more than 15,000 North American auto dealerships and resulted in over $1 billion in combined losses.

Related Article: The CDK Global Cyberattack And How To Protect Your Dealership

While the immediate fallout may be over, the CDK cyberattack impact on the auto dealership industry is likely to be felt for some time to come, especially when it comes to consumer trust and future purchasing decisions. 

Some 84 percent of customers wouldn’t buy another vehicle from a dealership where their data had been exposed, according to a report.

So, how do you make sure you’re in compliance and protecting sensitive customer information from falling into the wrong hands?

In this article, we’ll examine the issue of data privacy and offer eight tips to help you comply with the new regulation and protect private consumer information. 

After reading this article, you’ll have a better understanding of why data privacy protections are critical to your auto dealership and how you can safeguard your customers’ private information.

What Is The New Data Security Mandate in Connecticut?

Connecticut's new data privacy provision, which went into effect Jan. 1, requires auto dealerships to stop using or selling consumers’ personal data for targeted advertising if they opt out of such advertising through their internet browser settings.

The mandate becomes part of an existing state privacy law known as the Connecticut Data Privacy Act (CTDPA), which took effect July 1, 2023.

Under the newly adopted legislation, Connecticut residents can automatically indicate through a single click that they don’t want their personal data sold or shared without their consent.

Auto dealerships and other affected businesses must honor the opt-out preference signals (OOPS) they receive through browser settings like the global privacy control (GPC).

What Does The New Privacy Requirement Mean For Auto Dealers?

The new data privacy rule applies to auto dealerships and other businesses that provide goods and services to Connecticut consumers and meet certain parameters.

It should be noted that the new data privacy requirement also applies to all Connecticut healthcare providers, regardless of size, as well as to third-party vendors that provide services to any covered business.

Personal data is considered to be any information that can reveal the identity of a specific individual.

This includes information such as:

• home address
• driver’s license
• passport information
• payment information
• employment and income
• location tracking
• biometric identifiers 

Related Article: Personally Identifiable Information: 10 Steps To Ensure Data Privacy

Keep in mind that the CTDPA law works alongside existing state and federal data privacy laws for auto dealers. These laws are intended to protect consumers, and to mitigate the chances of their data being stolen or sold by bad actors.

Those laws include the Gramm-Leach-Bailey (GLBA) “Safeguards Rule,” which was updated last May.

Under the Safeguards Rule, auto dealers and other covered financial organizations must establish specific security controls to protect consumers’ personally identifiable information (PII). They must also report data breaches to the Federal Trade Commission (FTC) within 30 days.

What Security Measures Can My Auto Dealership Adopt To Safeguard Private Consumer Data?

In the course of doing business, your organization processes vast amounts of data—including a treasure trove of private consumer information.

The digital information found in connected cars has been a virtual gold mine for cybercriminals.

For example, upwards of 90 percent of the trade-ins and leased vehicles handled by auto dealers includes the previous owners’ personal information, according to a report by Privacy4Cars, a company that creates privacy and compliance solutions for vehicles.

Related Article: Why Cybersecurity Will Remain Critical For Car Dealerships in 2025

The company also reported some other notable consumer beliefs around data privacy, including that a third of Americans say they’d be willing to spend more money with companies that prioritize data privacy.

It also found that consumers consider businesses that don’t offer data privacy to be untrustworthy (59 percent) or unethical (44 percent).

On top of these consumer concerns, dealerships that fail to comply with state and federal data privacy requirements could face fines of up to $40,000, plus legal fees.

So, how can you protect the confidential customer information you process every day?

Here are 8 strategies:

1. Conduct a risk assessment

• Conduct a risk assessment of your IT environment to discover any hidden security gaps within your organization.
  
  
• Perform periodic vulnerability scans and penetration tests as part of your risk assessment to test your existing security measures against potential threats.

2. Evaluate your existing privacy policies and practices

• Closely examine how you store, process, transmit, and discard your customers’ private information to ensure regulatory compliance.
  
  
• Limit and monitor your employees’ access to sensitive customer information.
  
  
• Develop and implement a comprehensive incident response plan.
  
  
• Ensure you have a business continuity and disaster recovery plan in case an emergency happens.

3. Install compliance software

• If you haven’t done so already, install integrated compliance software to help ensure that your practices are in line with state and federal privacy regulations to avoid potential fines or other penalties.
  
  
• Such software gives dealerships a centralized hub that allows you to monitor every facet of your dealership including data privacy, sales, finance, and advertising.

4. Employ strong data encryption

• Data encryption ensures that if hackers somehow manage to compromise or steal your PII data, it will be unreadable and effectively useless to them.
  
  
• Data encryption can also protect internet traffic travelling across your network through a secure tunnel or virtual private network (VPN).
  
  
• Car dealerships often have unsecured wireless networks, which is a welcome convenience to customers waiting to purchase a car or to have their vehicle serviced. Yet, this can open the door to hackers gaining access to customers’ private information.
  
  
• You can replace your unsecured wireless network with an encrypted guest network through a VPN.

5. Implement microsegmentation

• Microsegmentation is the practice of dividing your network into smaller sections, each with its own secure entry point.
  
  
• A cornerstone of Zero Trust, microsegmentation allows you to restrict assess to stored information by limiting access to only authorized users within each designated segment.

Related Article: Why Are Businesses Moving To Zero Trust? Your Roadmap To A ZT Strategy

• In practical terms, you can use microsegmentation to set up a separate portal just for customers to enter or retrieve information.

6. Educate your employees on your data privacy practices

• Train employees on all of your data privacy policies and practices for accessing, storing, sharing, or discarding sensitive customer information.
  
  
• Provide regular employee security awareness training to educate your staff about new and emerging phishing scams and other cybersecurity threats so they know how to spot and avoid them.

Related Article: Deepfakes And AI Scams: How To Spot Them And Protect Your Business

7. Use secure servers

• Store sensitive customer information on secure servers.
  
  
• Consider switching to a cloud or hybrid cloud server environment to take advantage of advanced security protections imbedded in identity and access management (IAM) software.
  
  
• An IAM can include end-to-end encryption, multi-factor authentication (MFA), continuous network monitoring, and threat detection.

8. Ensure transparency

• Review and update your privacy disclosure policy.
  
  
• Inform customers and/or prospective customers about how you intend to collect, use, or share their information by sending a privacy notice
  
  
• Establish a way for consumers to easily access and correct or remove any personal information stored within your systems.

The Bottom Line With Safeguarding Private Customer Information

While you can’t control whether or not customers choose to allow their personal information to be used or shared, you can develop trust among customers by establishing and communicating clear privacy policies and practices.

After reading this article, you now understand the importance of safeguarding the sensitive customer data you handle to meet regulatory requirements, reduce the chances of a data breach, and build customer loyalty.

Data privacy laws are getting stricter. Failing to comply can lead to hefty fines and lost customer trust, especially since car dealerships handle vast amounts of sensitive customer data.

At Kelser Corporation, we help auto dealerships throughout the state of Connecticut protect their sensitive customer data and stay compliant.

We know that managed IT services is not the right solution for every company, however. We provide informative articles on relevant IT topics like this so that you can make informed IT decisions for your organization.

If you’re unsure if your dealership is properly safeguarding sensitive customer data or meeting compliance requirements, click the link and give us your contact details.

We’ll respond quickly, and schedule a 15-minute call to learn more about your issues and see if we might be a good fit to work with.