Dealership law expert: The most costly mistakes dealers are making

Welcome to another episode of the Car Dealership Guy Podcast.

On today’s edition, Brad Miller, Chief Compliance and Regulatory Officer at ComplyAuto, joins the show to share his insights into automotive cybersecurity, pending regulations affecting the car industry and the biggest financial risks threatening dealers. ComplyAuto is a software company that helps dealers meet their compliance obligations in critical areas such as privacy and data protection, safety, workforce, F&I, and more.

You can stream the full episode now on YouTube, Spotify, or Apple.

1. A look back.

The last few months have been chaotic for the retail auto sector. From the CDK Global cyberattack to the CrowdStrike outage, dealers have had plenty of reasons to rethink their regulatory compliance. Brad has more than a decade of experience in the subject, having worked at NADA for 16 years as a lawyer and dealer advocate. He believes that dealers are now at a point where they understand the challenges facing them but not necessarily enough to know how to respond.

2. Why compliance is so difficult.

Brad explains that dealerships are one of the most heavily regulated types of small businesses in the U.S. While he hopes for the best outcome, he warns that the CDK outage is a wake-up call that dealers will need to take seriously. He explains that going to a dealership could soon evolve into an experience similar to going to a bank, where institutions follow closely regulated and standardized processes to keep information confidential.

3. Updates on the CDK situation.

Within the last week, Brad reports that CDK has made a few critical announcements. One of the most important is that, while the investigation is continuing, to their knowledge no personally identifiable information (PII) was leaked as a result of the cybersecurity incident. Brad explains that this is important for dealers to be aware of, as a breach of PII would alter their regulatory obligations. CDK has also confirmed that they will notify the FTC on behalf of all dealers (notification is required from the affected parties) and have agreed to handle state obligations in the same way.

4. Keeping your dealership safe from bad actors.

The best way to keep your dealership safe from government action over cybersecurity is to follow the FTC Safeguards Rule, Brad explains. While he notes that most dealers are doing a fantastic job following the policy, there are still many who fail to meet their basic obligations. While the rule is 25 years old, it requires businesses to take certain steps to protect the data they receive. The FTC recently implemented tighter standards under the policy that affect dealerships, since they are classified as financial institutions by the government. These new standards are more complicated to follow: one of the most difficult challenges they introduce is the requirement to ensure dealer vendors are taking steps to protect their data. Brad notes that the average dealer works with somewhere between 35 and 40 different third-party software providers. Each of those vendors has to follow the same data security steps that dealers follow. Unfortunately, dealers have less power than other financial institutions to tell their vendors what to do.

5. Final thoughts on CDK.

Whether they use CDK or not, dealers should prepare for another major cyberattack that interrupts their way of doing business. Brad notes that some of ComplyAuto’s clients actually saw little to no impact from the CDK Global outage since they had backup plans in place. “Redundancy is the key,” he remarks. Dealers should also push to have more autonomy over their systems, taking control back from vendors.

6. The FTC’s role.

At the federal level, multiple government bodies have some form of regulatory oversight over dealers, although the main one is the Federal Trade Commission (FTC). Brad explains that the FTC functions as the consumer protection watchdog for Washington D.C., operating under broad authority to tackle issues it believes are hurting citizens. Its power has fluctuated heavily over the last few decades, as Congress has given it more or less control. The last four to five years, however, have seen the FTC approach things more aggressively.

7. CARS Rule overview.

The Combating Auto Retail Scams (CARS) rule is a product of this more ambitious FTC, one which encompasses many of the enforcement actions the agency has attempted to bring against dealers. Having this rule in place would give the commission broad authority to hold dealerships and dealer principals accountable for failing to inform buyers of hidden fees.

8. When will the rule go into effect?

The effective date of the CARS rule was postponed after the NADA and Texas Auto Dealers Association introduced a legal challenge. Brad doesn’t expect anything to change for the next six months since oral arguments aren’t due until October. Regardless of what happens, Brad urges dealers to expect some form of regulation in this area, noting that even if the NADA’s challenge succeeds, dealers would then be required to adhere to the Junk Fees rule, a separate regulation that hasn’t applied to the industry since it was assumed the CARS rule would cover it.

9. Understanding CARS.

If the judges side with the FTC, dealers will have a series of new obligations to follow. One of the biggest changes is that dealers would be required to disclose more price information to consumers. “What they don’t like is the dealers saying ‘this car is $35,000,’ and then you go into the dealership and even without taxes and anything else it’s 38,000 because of a fee that wasn’t disclosed – a mandatory fee that wasn’t disclosed in the advertised price.” There are some exceptions and distinctions, but at the end of the day, dealers must offer customers the same price they advertise.

10. Risks facing dealers pt. 1.

One of the biggest potential risks for dealers is identity verification. Brad explains that not only are dealerships required to verify the identities of customers for credit/lending purposes, but it also helps them avoid losing cars to identity thieves. Noticing and reacting to red flags can help dealers follow regulations and protect their business from criminal activity. Dealers must also be sure to honor customers who opt out of marketing communications since failure to do so can result in them paying potentially thousands of dollars per infraction.

11. Risks facing dealers pt. 2.

Wiretapping lawsuits are another costly issue for dealers. Effectively, wiretapping lawsuits are levied against companies that fail to obtain consent for monitoring user activity online through tools like cookies. Judges in some states have ruled that this constitutes a violation of consumer privacy, resulting in a rapid increase in these cases, especially in the automotive space. This is easy to resolve, Brad notes, since obtaining consent for cookies and other data sharing is a straightforward process, but dealers have to take the issue seriously or risk exposing their business to litigation.

12. A.I. and the law.

Chatbots with artificial intelligence are seeing increased use by dealers, many of whom have benefitted from lower marketing costs and more lead generation. However, Brad warns that the FTC has started to show interest in regulating the use of A.I. chatbots, particularly in the area of informed consent. The commission believes that consumers should know whether they are speaking with a real human, which could pose problems for platforms that don’t properly identify themselves as A.I. While no rules have been revealed as of yet, Brad urges dealers to make preparations.

13. Data privacy.

State data privacy rules are starting to evolve. Many states are looking to adopt a variation of the California Consumer Privacy Act (CCPA), a broad-reaching regulatory framework that can be extremely difficult for businesses to comply with, especially without external help. So far, Oregon and Texas have already enacted their own versions of the CCPA, with Montana expected to follow suit in October. Dealers should stay up to date on their state’s plans to adopt CCPA-style rules.

14. Final thoughts.

Brad thinks that dealers will always rise to the occasion, no matter how complicated regulations become. Whether through technology or innovative strategies, he believes that the car industry will learn to overcome its current challenges, navigate restrictions and make the business more pleasing for the consumer. “I have learned in 20-plus years in this business that I will never underestimate dealers’ ability to take lemons and turn them into lemonade,” he concludes.
