In today’s digital age, data privacy and security have become paramount concerns for businesses across all industries, including automotive dealerships. As dealerships collect and handle various types of sensitive consumer data, such as personally identifiable information (PII) and nonpublic personal information (NPI), it is crucial to understand the differences between these data types and the obligations of handling them. With the increasing focus on data privacy regulations, like the California Consumer Data Privacy Act (CCPA) and the Federal Trade Commission’s (FTC) updated Safeguards Rule, which requires financial institutions to report notification events and comply with the Commission’s regulations to protect sensitive customer information against external threats, dealerships must prioritize the protection of consumer data to avoid legal consequences and maintain customer trust.
In this comprehensive guide, we will explore the different types of consumer data, including PII, NPI, and sensitive personal information (SPI), and provide actionable insights on how dealerships can effectively safeguard this information using QoreAI’s advanced identity verification and data protection solutions.
PII refers to any data that can be used to identify a specific individual, either on its own or when combined with other personal or identifying information. This definition, as stipulated by the General Services Administration (GSA), encompasses a wide range of data points, such as:
Personal names
Home addresses
Email addresses
Telephone numbers
Dates of birth
Passport numbers
Driver's license numbers
Social security numbers
Credit or debit card numbers
Dealerships often collect PII during the customer onboarding process, credit applications, or when establishing initial Identity Verification with the shoppers drivers license. It is essential for dealerships to recognize the sensitivity of this information and implement robust security measures to prevent data breaches, identity theft, and financial fraud.
NPI is a subset of PII that is specifically defined in the Gramm-Leach-Bliley Act (GLBA). This type of data refers to the PII that automotive dealerships collect when performing a financial service on behalf of a customer. NPI excludes information that is publicly accessible through federal, state, or local records, as well as information previously disclosed by the media.
Dealerships must be particularly cautious when handling NPI, as the misuse or unauthorized access to this data can result in significant financial losses and legal consequences. The primary regulatory control for NPI in the United States is the FTC’s Safeguards Rule, which requires covered financial institutions, including dealerships, to implement and maintain a comprehensive information security program to protect customer information. The unique customer information landscape of financial institutions necessitates stringent measures, and the Safeguards Rule impacts different types of financial institutions by mandating specific elements and updates to their security protocols.
While SPI does not have a specific definition or regulation under U.S. law, it is a term commonly used in cybersecurity and information security. The European Union’s General Data Privacy Regulation (GDPR) distinguishes SPI from personal information, defining it as a subset of data that may expose an individual to adverse treatment by others. Examples of SPI include:
Political opinions or affiliations
Ethnic or racial origins
Religious or philosophical beliefs
Trade union memberships
Genetic or biometric data
Although dealerships in the U.S. may not be directly subject to the GDPR, it is still essential to be aware of SPI and take steps to protect it. Dealerships should ensure that SPI, along with sensitive customer information, is stored separately from other types of personal information to minimize the risk of data breaches and potential discrimination against customers. This will become increasingly important as AI and biometric facial scanning matching become the common practice in Identity Verification of automotive shoppers.
In a recent study it stated that over 52% of dealerships are still employing practices that put sensitive consumer data at risk. Non-banking financial institutions regulated by the FTC, such as mortgage brokers, are also subject to these regulations. One common issue is the photocopying of customer driver’s licenses, which can easily be lost or exposed since they are not stored digitally. This practice not only increases the risk of data breaches but also fails to comply with the latest data privacy regulations.
It is crucial for automotive dealerships to promptly report any security event involving unauthorized acquisition of unencrypted customer information. This ensures that any potential harm to consumers is mitigated and regulatory requirements are met.
Another concerning trend is salespeople requesting customers who are not present to text a picture of their driver’s license. This practice results in customer PII being stored on individual salespeople’s phones, which is in direct violation of the 2022 FTC Safeguard rules. Not only does this expose sensitive data to potential theft or misuse, but it also makes it nearly impossible for dealerships to maintain control over consumer data.
At QoreAI, we understand the challenges dealerships face in protecting sensitive consumer data while maintaining efficient operations. Our advanced identity verification and data protection solutions are designed to help dealerships automate their processes, enhance security, and ensure compliance with evolving data privacy regulations, including protecting personally identifiable financial information by enabling consumers to complete their own verification without exposing sensitive data to dealership employees.
QoreVerify, our multi-signaling identity verification solution, leverages cutting-edge technology to accurately and securely verify customer identities. By incorporating QoreID, a device-based authentication feature, dealerships can automatically verify customer identities using their phone’s SIM card. This reduces friction in the verification process and enables dealerships to capture more consumer data faster, without relying on manual data entry by sales teams, while instantly putting all the information into the CRM automatically.
The best solution for dealerships is to use technology to remove salespeople from any exposure to customer PII. QoreVerify automates the onboarding process, enabling customers to input their information securely. This approach minimizes the risk of data breaches caused by human error and ensures that sensitive data is stored in a centralized, protected system rather than on individual salespeople’s devices.
In addition to enhancing data security, QoreVerify’s automation capabilities also reduce the need for extensive staff training, which can be particularly challenging given the high turnover rates in dealership sales teams. By simplifying the onboarding process and minimizing the handling of sensitive data by salespeople, dealerships can maintain a high level of data protection even as their staff changes over time.
QoreAI’s solutions also prioritize data security and privacy. Our platform employs state-of-the-art encryption techniques, secure data storage practices, and granular access controls to ensure that sensitive consumer data remains always protected. By partnering with QoreAI, dealerships can demonstrate their commitment to data privacy and build trust with their customers.
In addition to leveraging QoreAI’s advanced solutions, automotive dealerships can implement the following best practices to further enhance the protection of consumer data in line with the FTC's amended Safeguards Rule and its standards for safeguarding customer information:
Conduct regular employee training on data privacy and security best practices to create a culture of awareness and vigilance.
Implement strict access controls and permissions to ensure that only authorized personnel can access sensitive consumer data on a need-to-know basis.
Regularly update and patch software and systems to address potential vulnerabilities and reduce the risk of data breaches.
Develop a comprehensive incident response plan and implement safeguards to detect, investigate, and mitigate data security incidents promptly. This includes ongoing monitoring, testing, training staff, and keeping the information security program current.
Collaborate with trusted partners, like QoreAI, who prioritize data privacy and security to ensure the highest level of protection for consumer data.
As data privacy regulations continue to evolve and consumer awareness of data protection grows, dealerships must prioritize safeguarding sensitive consumer data. By understanding the differences between PII, NPI, and SPI and implementing robust security measures, dealerships can mitigate the risks of data breaches, maintain customer trust, and avoid costly legal consequences.
QoreAI's advanced identity verification and data protection solutions, including QoreVerify and QoreID, empower dealerships to streamline their processes, enhance security, and ensure compliance with data privacy regulations. By automating the onboarding process and minimizing the exposure of salespeople to sensitive data, dealerships can significantly reduce the risk of data breaches caused by human error and high staff turnover.
By partnering with QoreAI and adopting best practices for data protection, dealerships can confidently navigate the complex landscape of consumer data privacy and build long-lasting, trust-based relationships with their customers.