MCLEAN, Va. — During its annual convention last week, the National Automobile Dealers Association issued an addendum to the dealer data guidance it released this past August. It includes a sample agreement dealers can issue to their technology vendors, particularly those that require access to the dealership’s data.
“The issue today is dealers have all this sensitive data, but to do business, they really have to share it or allow folks to have access to it in some way or form,” said Bradley Miller, associate director of NADA legal and regulatory affairs. “By necessity, it’s going a lot of places. The problem is the very complicated set of rules with respect to how you can share this information and it’s not easy to do.”
The NADA is encouraging dealers to review the new materials, and, “if applicable, to present the addendum to service provider vendors for signature.”
“What it says is the vendor can’t take any more [data] than they need, they can’t do anything else with it except provide the service,” Miller explained. “To an extent, folks felt a little more free rein in the past with respect to this data. The hope is that will change.”
Miller clarified that the message to vendors is not that dealers should not share data with service providers. “[Dealers] love your services; they want to get them, but you have to make sure the contracts reflect what the regulations require and what you’re doing,” he said.
Although Miller did not name any specific companies, he admitted that a major driver of the association’s increased focus on data access is that vendors, in many cases, were “exceeding what the dealer realized was happening” in terms of extracting data.
“It’s just easier to get more than take the time and figure out what you need to get less,” Miller reasoned. “As a result, I think it’s just the path of least resistance. I don’t think in most cases people are trying to do something nefarious.”
This past summer, the NADA issued a14-page memo to its 17,000 members on vendor access to data. The guidance acknowledged there are a “number of entities who wish to gain access” to transaction data stored in dealer management systems (DMS), and warned dealers that the “FTC [Federal Trade Commission] may consider any third-party ‘access’ to NPPI (non-public personal information) to be ‘sharing,’” even if the dealer’s vendor never actually accessed the data.
The NADA’s guidance comes at a time when regulators and businesses alike are placing a heightened focus on data security.
Yesterday, the Federal Trade Commission testified on data security before a U.S. Senate Banking subcommittee, providing an update on the agency’s efforts. “Data security is of critical importance to consumers,” said Jessica Rich, director of the Bureau of Consumer Protection. “If companies do not protect the personal information they collect and store, that information could fall into the wrong hands, resulting in fraud and other harm.”
Rich reminded businesses that the FTC enforces various statutes and rules that are applicable to those that collect and maintain consumer data. The FTC recognized its 50th data security settlement last week when it settled charges against a medical transcription company that executed ‘unreasonable data security measures.’