Deleting Customer Data Stored in Vehicles: Best Practice or a Legal Requirement?

As the deadline for compliance with the FTC’s revised Safeguards Rule draws near, some dealers may find themselves scrambling to implement the FTC’s new requirements before June 9th. (Not ComplyAuto dealers of course – we’ve been ready since December 9th of last year!) From locking up deal jackets to installing multi-factor authentication, navigating the nebulous world that is the revised Safeguards Rule and understanding its legal requirements, along with its practical demands, is challenging enough. Similarly, in the past year, your inbox has likely been inundated with emails from vendors proclaiming that their product or service is “essential for Safeguards Rule compliance.” One of these emails in particular has caused many dealers concern and it revolves around customer data stored in vehicles: “What about deleting customer data stored in vehicles; is that required under the Safeguards Rule or any other law?” The short answer is no, but let’s elaborate. 

Information in Vehicles and the federal Safeguards Rule 

In order to determine whether such data stored in vehicles is subject to the Safeguards Rule, we need to understand exactly what kind of data the Safeguards Rule directly affects and what it is attempting to protect. The Safeguards Rule is concerned with protecting non-public personal information, or “NPI” for short. Under the Gramm-Leach-Bliley Act (“GLBA”), NPI is defined as “any record containing nonpublic personal information about a customer of a financial institution…that is handled or maintained by or on behalf of [the dealer] or [the dealer’s] affiliates.” This includes: 

1. Information a consumer provides in order to obtain a financial product or service;

2. Information about a consumer resulting from any transaction involving a financial product or service; or 

3. Any information obtained about a consumer in connection with providing a financial product or service. 

You can see that the definition above focuses on “financial products or services.” In the dealership context, this would mean that NPI is data that is directly derived from a finance or lease transaction. As you can imagine, this directly implicates information collected during the financial transaction like customer Social Security numbers, dates of birth, and other credit-related information as well as the more general types of customer information like the customer’s name and physical address. Said another way, the customer’s name and physical address are considered NPI in the limited scope that the customer is in finance and are not wholly considered NPI after that.

Most personal data stored in vehicles comes from us connecting or pairing smartphones using USB cables or Bluetooth. As you probably already know, this data is usually limited to contact information, location information, text messages, and vehicle service history. Because the type of data that is typically stored in vehicles is not information derived directly from a financial transaction, it would be quite a stretch to suggest that the data typically stored in vehicles is NPI or derived from a finance or lease transaction because the transaction has already concluded. In fact, at no point in their 145-page document of Safeguards Rule guidance does the FTC contemplate the data stored in vehicles. Even if we take the alternative view that the information stored in vehicles is in fact NPI, dealers would be required to provide every loaner or rental customer with a GLBA model Privacy Notice (that two-page document you give every credit applicant) prior to delivering the vehicle, which is certainly not a common practice nor even contemplated by any federal publications or guidance.

Information in Vehicles and the Dealer’s Liability 

Some might argue that failing to delete customer data stored in vehicles could expose the dealership to legal liability under invasion of privacy or general negligence theories. A 2020 U.S. District Court case explains otherwise. In this case, Avis Rental Cars (“Avis”) collected renters’ private data (i.e., device identifier, web browsing data, GPS history of past locations, call log, and text messages) when the renter paired their phone with the vehicle’s on-board infotainment system. The Plaintiff, a repeat user of Avis’s services, sued Avis because Avis allegedly refused to conduct routine deletion of the Plaintiff’s private data when the vehicle was returned and did not adequately disclose that the infotainment system collected and stored such private data.

In determining whether Avis violated the Plaintiff’s right to privacy after failing to delete the Plaintiff’s private data stored in one of their rental vehicles, the Court dismissed the Plaintiff’s lawsuit because “[the law] does not recognize [Avis’s] conduct as violative of Plaintiff’s right of privacy.” Furthermore, the Court found that “[t]o the extent that Avis has lawfully obtained confidential information, and does not further disclose or use that information…the common law does not recognize such conduct as an invasion of Plaintiff’s right to privacy. Nor does the common law recognize a parallel right which requires Defendant to delete lawfully obtained information where Defendant has not disclosed that information to others.” In short, the Court stated that so long as the customer’s information is (1) lawfully obtained and (2) not used or disclosed to others, there is no violation of substantive privacy rights. Therefore, the Plaintiff did not have standing to bring a privacy claim. See Greenley v. Avis Budget Grp., Case No: 19-CV-00421-GPC-AHG (S.D. Cal. Sep. 2, 2020). 

While the data stored in vehicles might not be regulated or legally protected, it still might be considered a best practice to completely wipe vehicles clean of any prior owner’s data, especially on rentals and service loaners. The simplest and most cost-effective way of doing so is to establish internal procedures at the dealership during the intake of trade-ins, lease returns, and other used vehicles purchased for resale. First and foremost, dealers can wipe any prior owner data during the reconditioning process before the vehicle is advertised for sale. Most dealerships use some type of reconditioning checklist that outlines the reconditioning process. Simply adding this step as part of the reconditioning process would ensure that a subsequent purchaser would not see any prior owner’s data. Additionally, the instructions on how to wipe data and reset infotainment settings are typically found in the vehicle’s owner’s manual.

Dealers may further limit any potential liability by adding language to their trade-in disclosure forms in which the prior owner warrants that they’ve deleted their data off their vehicle prior to trading it in. Dealers may also want to consider adding similar language to their loaner/rental forms; however, in this case, the customers would be warranting that they deleted any personal data off the vehicle prior to returning it to the dealership. This is extremely important considering that rentals and loaner vehicles are typically under the direct control of and owned by dealers, meaning there may be increased liability for customer data stored in such vehicles (and we know from the case above that at least one rental agency has been sued, albeit unsuccessfully, for this).

Ultimately, adopting these simple and cost-effective internal processes and form changes represents a conservative approach to this privacy issue. Nevertheless, any individual or vendor suggesting that deleting data from vehicles is a definitive legal requirement or is explicitly mandated under the FTC Safeguards Rule is likely misinformed.
