Customer information is a core part of selling and financing vehicles—and it is also one of a dealership’s biggest compliance risks. This auto dealer data privacy checklist (GLBA) is built for California dealers who handle credit applications, driver’s license data, bank information, and other nonpublic personal information (NPI). Use it to confirm you deliver the right privacy notices, honor opt-outs, train staff, secure records, and store required dealer documents properly.

What counts as “nonpublic personal information” (NPI) in a dealership?

In day-to-day operations, NPI commonly includes information collected from a consumer in connection with a finance or credit transaction—such as a driver’s license number, Social Security number, home address, phone number, and credit-related data. Dealer Educator training emphasizes treating customer personal information (for example, SSNs and credit data) as confidential and limiting internal and external access to only what is needed to do the job.

GLBA privacy notices: initial notice, annual notice, and what to include

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to respect customer information and protect it with appropriate safeguards. Congress states the policy that each financial institution has an “affirmative and continuing obligation” to respect customer privacy and protect the security and confidentiality of customer information. (15 U.S.C. § 6801: https://www.law.cornell.edu/uscode/text/15/6801)

Dealer Educator course guidance highlights a practical rule for dealers who establish a customer relationship through a credit application: provide privacy notices when the relationship is started and yearly afterward. Build your process so it is repeatable, documented, and easy to audit.

Checklist: privacy notice workflow

  • Trigger an initial privacy notice when you start a customer relationship (commonly at credit application / financing).
  • Provide an annual privacy notice for continuing relationships (set a calendar-driven process and keep proof of delivery).
  • Use consistent versions of the notice; archive prior versions so you can show what a customer received at the time.
  • Train staff on when the notice must be delivered and where the “proof” is stored in the deal jacket.

Opt-out requirements: limit sharing with nonaffiliated third parties

Dealer Educator training explains the real-world impact of an opt-out: once a customer opts out under your privacy policy, you generally cannot share that customer’s nonpublic personal information with nonaffiliated third parties such as market research firms or other outside organizations the dealer has agreements with. Make sure your staff understands the difference between (1) sharing within the dealership for permitted business purposes and (2) sharing with nonaffiliated third parties for other purposes.

Checklist: opt-out control points

  • Capture opt-out status in your CRM/DMS or a dedicated log that finance, sales, and BDC can access.
  • Stop outbound sharing to nonaffiliated third parties where an opt-out applies.
  • Control vendor access: confirm which vendors receive customer data, why they receive it, and whether they are affiliates or nonaffiliates.
  • Audit samples monthly: pick a small set of deals and confirm the opt-out flag matches the customer file and actual sharing.
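The opt-out gate and the monthly sample audit above, as an added example (not Dealer Educator material or any dealer's actual system): a sharing decision that distinguishes affiliates from nonaffiliates, and a reconciliation of a vendor-sharing log against the opt-out register. It assumes a "financing" purpose (sending the credit application to a lender) is sharing needed to complete the transaction and so is not blocked by an opt-out; vendor names, deal IDs and log entries are constructed.

```python
"""Added example: opt-out sharing gate plus audit of a vendor-sharing log.
All vendors, deal IDs and log rows below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    affiliate: bool   # affiliates are not "nonaffiliated third parties"
    purpose: str      # why this vendor receives customer data


# Assumption for this example: sharing required to process the customer's own
# transaction (e.g. sending a credit app to the lender) proceeds despite opt-out.
PERMITTED_PURPOSES = {"financing"}


def sharing_allowed(opted_out: bool, vendor: Vendor) -> bool:
    """May this customer's NPI be sent to this vendor?"""
    if vendor.affiliate or vendor.purpose in PERMITTED_PURPOSES:
        return True
    return not opted_out


def audit_sharing_log(opt_out_register, vendors, sharing_log):
    """Return the log rows whose sharing conflicts with the opt-out register.
    A deal with no opt-out record at all is reported too (conservative)."""
    violations = []
    for row in sharing_log:
        deal, vendor = row["deal"], vendors[row["vendor"]]
        if deal not in opt_out_register:
            violations.append({**row, "reason": "no opt-out record on file"})
        elif not sharing_allowed(opt_out_register[deal], vendor):
            violations.append({**row, "reason": "nonaffiliate share after opt-out"})
    return violations


# Constructed sample data: vendor list, opt-out register and a sharing log
VENDORS = {
    "lender_a": Vendor("lender_a", affiliate=False, purpose="financing"),
    "survey_co": Vendor("survey_co", affiliate=False, purpose="market_research"),
    "sister_store": Vendor("sister_store", affiliate=True, purpose="marketing"),
}
OPT_OUT_REGISTER = {"deal-1001": True, "deal-1002": False}   # True = opted out
SHARING_LOG = [
    {"deal": "deal-1001", "vendor": "lender_a"},      # ok: needed for financing
    {"deal": "deal-1001", "vendor": "survey_co"},     # violation: opted out
    {"deal": "deal-1001", "vendor": "sister_store"},  # ok: affiliate
    {"deal": "deal-1002", "vendor": "survey_co"},     # ok: no opt-out
    {"deal": "deal-1003", "vendor": "survey_co"},     # violation: no record
]

if __name__ == "__main__":
    for v in audit_sharing_log(OPT_OUT_REGISTER, VENDORS, SHARING_LOG):
        print(v)
```

Running the audit over the sample log flags two rows: the opted-out customer shared with the market research firm, and the deal that has no opt-out record at all.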

Safeguards program: administrative, technical, and physical controls

GLBA’s policy statement focuses on protecting the security and confidentiality of customer information. (15 U.S.C. § 6801: https://www.law.cornell.edu/uscode/text/15/6801) Dealer Educator training translates this into dealership operations: implement reasonable controls, keep passwords private, protect against illegal access to computer equipment, and keep paper records containing personally identifiable data in a safe area.

Administrative safeguards (people + process)

  • Written policy & procedures covering who can access NPI, when it can be shared, and how it must be stored.
  • Role-based access to systems and deal files (sales, F&I, titling, accounting) based on job need.
  • Staff training at onboarding and refreshers: how to handle credit apps, copies of IDs, and lender stipulations.
  • Incident response basics: who to call, how to contain access, and how to document steps taken.

Technical safeguards (systems)

  • Password control: keep passwords private; prohibit sharing logins; remove access promptly when employees leave.
  • Access protection: protect against illegal access to dealership computer equipment (lock screens, limit admin privileges, secure Wi‑Fi).
  • Secure electronic storage for scanned deal jackets and credit docs; restrict download and printing where possible.

Physical safeguards (paper + facility)

  • Secure paper files (locked cabinets/rooms) for any records with SSNs, driver’s license numbers, credit reports, or bank data.
  • Clean-desk habits in F&I and titling: no credit apps left on printers or counters.
  • Visitor control in back-office areas where deal jackets and DMV supplies are handled.

Secure disposal: what California expects for documents with personal information

California requires a business to take “reasonable steps” to dispose of customer records containing personal information by shredding, erasing, or otherwise modifying the personal information to make it unreadable or undecipherable through any means. (California Civil Code § 1798.81.5: https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.81.5&lawCode=CIV)

Checklist: secure disposal steps

  • Designate disposal bins for “customer personal information only” documents.
  • Use shredding or secure document destruction (in-house cross-cut or a contracted service with locked consoles).
  • Dispose of electronic media securely (erase/wipe devices before reuse or disposal; document the method used).
  • Document the routine: who is responsible, how often destruction occurs, and how exceptions are handled.

Dealer record retention and offsite storage (California basics)

Beyond privacy, California dealers must keep transaction records in a way that supports DMV inspections and consumer protection. Dealer Educator materials teach these operational expectations for dealer records:

  • Keep hard-copy transaction records onsite for 90 days.
  • After 90 days, store records offsite inside California (or with a third-party vendor) for the remainder of the required retention period.
  • Be able to retrieve records within three days after a notice/request.

These requirements align with California dealer record rules in Title 13 of the California Code of Regulations, including provisions governing dealer records and offsite storage. (13 CCR §§ 272.00–272.02: https://govt.westlaw.com/calregs/Document/I35F07020D48411DEBC02831C6D6C108E)

Quick table: privacy + recordkeeping controls to verify

Area | What to verify | Where dealers usually fail
--- | --- | ---
Privacy notices | Initial and annual notice workflow + proof in file | Notice not delivered consistently; no archived version
Opt-out | Opt-out captured, visible, and honored in sharing | Vendor lists not reviewed; opt-out not communicated to staff
System access | Unique logins, password controls, prompt termination | Shared passwords; former employee access left active
Paper security | Locked storage + clean-desk habits | Printers/trays holding credit apps and IDs
Secure disposal | Shredding/erasing process that makes PI unreadable | Throwing deal documents into regular trash
Record retention | 90 days onsite; offsite in-state; 3-day retrieval | Offsite out-of-state; retrieval takes longer than allowed

Audit-prep: what to keep so you can prove compliance

When a regulator, auditor, or business partner asks “show me,” your best defense is documentation. Create a simple compliance binder (physical or electronic) that can be produced quickly.

  • Current privacy notice + archive of prior versions used.
  • Proof of notice delivery for sampled deals (signed acknowledgement, delivery log, or system record).
  • Opt-out log and evidence you stopped nonaffiliated sharing when applicable.
  • Training records (dates, attendees, topics) for privacy and record handling.
  • Vendor list showing who receives customer data and why.
  • Record storage map: onsite location, offsite location, and the 3-day retrieval process.
  • Destruction log documenting shredding/erasure routines under California’s secure disposal standard.

Put the checklist to work

Pick one day per quarter to run this checklist and correct gaps while they are small. Dealer Educator coursework stresses that consistent processes—privacy notices, opt-out handling, secure storage, and proper record retention—reduce consumer harm and help protect your license.

Dealer Educator © 2025, All rights reserved.
