Compliance with FTC’s Safeguard Rule vs local privacy laws

The Federal Trade Commission (“FTC”) amended its Standards for Safeguarding Customer Information (16 CFR Part 314) (“Safeguard Rule”), with compliance required by December 9, 2022. The Safeguard Rule was designed to protect the security of customer information, and the recent amendments were made to keep up with technology. Specifically, the latest version of the Safeguard Rule requires financial institutions (which include motor vehicle dealers) to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The FTC published detailed guidelines to maintain compliance with the Safeguard Rule.

Businesses must keep in mind that even if they are in full compliance with the FTC Safeguard Rule, there are additional steps to maintain compliance with various privacy laws. For example, the FTC’s Privacy Rule (16 CFR Part 313) requires financial institutions (again including motor vehicle dealers) to provide particular notices and to comply with certain limitations on disclosure of nonpublic personal information. On the local level, states such as California passed the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), which require similar disclosures in addition to the right to amend and delete personal information.

While most of these laws have some overlap (for example, both the Safeguard Rule and the CCPA require safeguarding collected personal information), each act contains specific guidelines not found in the others, and these must also be followed to maintain compliance. Therefore, it is important for your business to contact a privacy professional to update your privacy programs to avoid fines, penalties and/or lawsuits. Scali Rasmussen has privacy professionals available to assist you with state and federal compliance.