NADA Issues Dealer Data Guidance
September 06, 2013
McLEAN, Va. — The National Automobile Dealers Association (NADA)’s department of legal and regulatory affairs issued guidance on data protection last week. Officials said the 14-page memo, issued to members on Aug. 28, is part of an ongoing effort to promote compliance by the association, but it comes at a time when industry marketers are turning to transaction data to fuel vehicle sales.
Obtained by F&I and Showroom magazine, the memo acknowledged there are a “number of entities who wish to gain access” to transaction data stored in dealer management systems (DMS), and warned dealers that the “FTC [Federal Trade Commission] may consider any third-party ‘access’ to NPPI (non-public personal information) to be ‘sharing,’” even if the dealer’s vendor never actually accessed the data.
Nine days before it was distributed, the FTC delivered its own warning to big data collectors that it will use all tools at its disposal to protect consumer privacy. The FTC has partnered with the NADA in the past on the topic of data protection, but recent efforts are not related, officials said.
Speaking at the 2013 Aspen Forum on Aug. 19, FTC Chairwoman Edith Ramirez acknowledged the importance of “big data,” even noting that it’s the “FTC’s job to get out of the way of innovation.” But she also said it’s the FTC’s job to make sure consumer privacy is respected.
“Like a vigilant lifeguard, the FTC’s job is not to spoil anyone’s fun but to make sure that no one gets hurt,” she said. “Addressing the privacy challenges of ‘big data’ is first and foremost the responsibility of those collecting and using consumer information. … It is the FTC’s responsibility to make sure that companies live up to their commitments.”
‘Big data’ is a term used to describe the massive amount of information created every day that can be analyzed by firms to deliver targeted marketing, among other things. According to Stamford, Conn.-based Gartner, spending on business-intelligence software is expected to reach $13.8 billion this year. The technology research and advisory firm predicted that spending will reach $17.1 billion by 2016.
In recent months, F&I and Showroom contributor Jim Ziegler has raised concerns about the DMS access some vendors — particularly vehicle information and listing sites — require of dealers, which he believes leaves them vulnerable and their information unprotected. The NADA’s President Peter Welch says he is aware of Ziegler’s crusade, but stressed that “our review of these things has been ongoing.”
“We've had frustrated calls from dealers, ranging from ‘Jeez, various factories are jamming clauses in there, take it or leave it,’ or click through agreements, and there seems to be somewhat of a feeling that they are losing the control of their own intellectual property,” Welch told F&I and Showroom.
The NADA’s memo included a checklist dealers can use to police vendors’ access to their data. It also warned members that they could run afoul of the Gramm-Leach-Bliley (GLB) Act’s Safeguards Rule and Privacy Rule if they provide NPPI to DMS providers, third-party vendors and even manufacturers without taking certain precautions. Such precautions include providing a Privacy Notice to customers and establishing contractual protections.
“This means that unless their Privacy Notices state otherwise, dealers may not provide access to NPPI to anyone, including their manufacturer,” the memo stated.
In June 2012, the FTC took its first action against an auto dealer for GLBA violations, charging Statesboro, Ga.-based Franklin’s Budget Car Sales Inc. with exposing the information of 95,000 customers after an employee downloaded consumer data files onto a flash drive and loaded them onto his home computer, which contained peer-to-peer file-sharing software. The FTC also charged the dealership with violating the FTC Act’s ban on deceptive acts and practices for failing to maintain adequate safeguards as promised in its Privacy Notice.
As part of its settlement with the agency, Franklin’s was required to establish and maintain a comprehensive information security program and undergo data security audits by independent auditors every other year for 20 years.
“The primary issue under these federal regulations generally arises because of a disconnect between the duties dealers have and the promises they may have made to their customers …,” stated the NADA’s memo.
Last month, a senior team from the NADA met with General Motors Co.’s board of directors in Detroit. Among the topics discussed were intellectual property and data security, something Welch said the association will soon discuss with other major players.
“We do have plans in the coming weeks to be meeting with the major DMS providers to have an open and frank discussion with them about what type of tools they offer for dealers to both monitor access and also control and or restrict access,” he said. “We will probably be meeting with auto manufacturers in the coming weeks or months to discuss these issues with them as well.”