Under the FTC Safeguards Rule, your dealership is legally responsible for protecting customer information — and that responsibility follows the data when you hand it to a marketing vendor. The FTC treats outside vendors as "service providers" the dealer must vet and oversee, which means a campaign company's security posture is effectively your liability. Before you export a DMS file to any agency, mail house, or data shop, you need to know how they protect that list, who can touch it, and whether they can prove it with documentation like a SOC 2 Type II report.
- The FTC Safeguards Rule requires financial institutions — which the FTC says includes auto dealers — to protect customer information.
- Marketing vendors that touch your customer data are "service providers," and the rule makes overseeing them your duty, not theirs.
- In August 2025, the FTC's auto-dealer Safeguards FAQs clarified that OEM-mandated platforms are not exempt, MFA extends to service-provider access, and compliance is judged against the current threat environment.
- A breach-notification amendment effective May 2024 requires notifying the FTC within 30 days of discovering a breach affecting 500+ consumers' unencrypted personal information.
- SOC 2 reports are standard vendor due-diligence documentation; HITRUST is a more rigorous certification. Ask for them before you share a list.
What is the FTC Safeguards Rule — and why does it apply to dealers?
The FTC Safeguards Rule requires "financial institutions" to develop, implement, and maintain a written information security program to protect customer information. That phrase sounds like it belongs to banks. It doesn't. The FTC's definition of a financial institution is broad, and it captures auto dealers because dealers routinely arrange financing and leasing. If you run credit, take applications, or facilitate loans, the FTC considers you a financial institution for this purpose — and the rule applies to you.
The practical version: your dealership collects a lot of sensitive personal information. Names, addresses, phone numbers, Social Security numbers, income, credit data, vehicle history. The Safeguards Rule says you have a legal duty to protect it. That duty doesn't evaporate when you copy a slice of that data into a spreadsheet and email it to a marketing company.
Why are your marketing vendors the FTC's business?
Here's the part dealers miss. The rule doesn't only govern what you do inside your walls. It governs the "service providers" you hand data to — and a marketing vendor that touches your customer list is squarely a service provider. The rule requires you to select providers capable of maintaining appropriate safeguards, to contractually require them to do so, and to oversee them on an ongoing basis.
Read that again: oversee them. Not "assume they're fine." Not "they've been around a while." The obligation to verify sits with you. If your campaign vendor stores your DMS export on an unsecured laptop and it walks out of a coffee shop, the customers whose data leaked are your customers, and the regulator asking questions is asking you.
A marketing vendor that touches your customers' personal information is part of your security perimeter. Their weakest control is your exposure.
This isn't theoretical paperwork. A typical dealer marketing campaign — equity mining, service win-back, conquest mail — runs on real customer records pulled from your DMS. The moment that file leaves your building, the question is no longer "is our store secure?" It's "is everyone we shared this with secure, and can we prove we checked?"
What did the FTC clarify in 2025?
In August 2025, the FTC published auto-dealer-specific Safeguards FAQs that closed several of the loopholes dealers had been leaning on. Three points matter most for anyone choosing a marketing partner.
OEM-mandated platforms are not exempt. A lot of dealers assumed that if the manufacturer required a system, oversight was the OEM's problem. The FTC said no — being required to use a platform doesn't remove your duty to confirm it safeguards customer data. The same logic extends to any tool or vendor in your stack.
Multi-factor authentication extends to service-provider access. MFA isn't just for your own staff logging into the DMS. Where service providers access customer information, the FAQs make clear MFA expectations follow that access. A marketing vendor logging into a portal full of your customer data should be using MFA, full stop.
Compliance is judged against the current threat environment. The FTC made clear that "we set this up a few years ago" is not a defense. Controls are evaluated against today's threats, which means a vendor's security has to be living and maintained — not a one-time checkbox.
The 30-day clock in the May 2024 breach-notification amendment is exactly why a vendor's breach-notification process is your concern. If a marketing partner has a breach involving your customers and sits on it, your notification window can be burning while you don't even know there's a problem. You want a vendor contractually obligated to tell you fast.
What do SOC 2 Type II and HITRUST actually mean?
These two terms get thrown around as security buzzwords. Here's what they actually tell you about a vendor.
SOC 2 is a report produced by an independent auditor describing how a service organization protects data across areas like security, availability, and confidentiality. There are two flavors. A Type I report describes whether the controls were designed appropriately at a single point in time — a snapshot. A Type II report goes further: an auditor tests whether those controls actually operated effectively over a period of months. Type II is the one that matters, because it proves the security wasn't just set up for the exam and abandoned. SOC 2 reports are the standard due-diligence documentation you should expect any serious vendor to hand you under NDA.
HITRUST is a more rigorous certification framework. Rather than a single auditor's report, HITRUST is a structured certification that maps a vendor's controls against many recognized standards and regulations at once, with defined assurance levels. It's a higher bar and a harder thing to earn. The HITRUST e1 certification, for example, validates foundational cybersecurity practices through a formal, third-party-assessed process.
The simple way to think about it: SOC 2 Type II is the baseline you should require. HITRUST is the vendor going further than they had to.
Questions to ask your marketing vendor before sharing a DMS file
You don't need to be a security expert to vet a vendor. You need a short list of direct questions and the willingness to walk away if the answers are vague. Print this and keep it next to your desk before the next campaign kicks off.
- Encryption — at rest and in transit. Is my customer file encrypted while it's stored on your systems, and encrypted while it's being transferred? "We use a secure portal" is a start; "encrypted at rest and in transit" is the answer you want.
- Access — who can touch the list? Which employees and subcontractors can open my data, and is access limited to people who actually need it for the campaign? You're looking for least-privilege access, not "the whole team can see it."
- Retention and deletion. How long do you keep my data after the campaign, and how is it deleted? You want a defined retention window and a real deletion process — not your customer list living on a server forever.
- Multi-factor authentication. Do your staff use MFA to access systems that hold customer data? The FTC's 2025 FAQs make clear MFA expectations extend to service-provider access.
- SOC 2 report availability. Can you provide a current SOC 2 Type II report under NDA? A vendor that produces one quickly is used to scrutiny. A vendor that can't is telling you something.
- Breach-notification process. If you have an incident involving my data, how fast and through what process will you notify me? Remember your own 30-day clock with the FTC.
- Subcontractors. Do you send my data to any fourth parties — print partners, data appenders, list processors — and how are they vetted? Your data's security is only as strong as the last hands that touch it.
If a vendor gets defensive, hand-waves, or treats these as unreasonable, that is your answer. A partner that takes data security seriously will have crisp answers ready, because they've been asked before.
How does Marketing Box handle this?
We built Marketing Box knowing that the file you send us is the most sensitive thing your store owns. So we treat vendor-grade security as table stakes, not a brochure line.
We are SOC 2 Type II audited — independently tested controls over time, not a point-in-time snapshot — and our HITRUST e1 certification is arriving in Summer 2026. That means when you ask us the questions above, you get documentation, not a shrug. It also fits how we run campaigns: one accountable team handling your data end to end, rather than a chain of loosely connected vendors each holding a copy of your list. Fewer hands on your data is itself a security control.
It connects to the rest of how we work, too. Clean, well-governed data underpins both good data hygiene and good security, and our 10-step data process exists partly so your file is handled deliberately at every step. If you want the bigger picture on where dealer marketing is heading, our 2026 trends breakdown covers the forces reshaping the channel, and if you're weighing whether mail still earns its keep, the 2026 data on direct mail for dealers makes the case.
Disclaimer: This article is general information for educational purposes and is not legal advice. The FTC Safeguards Rule and related requirements are complex and fact-specific. Consult qualified legal counsel and your compliance advisors about how these rules apply to your dealership.
Frequently Asked Questions
Does the FTC Safeguards Rule really apply to car dealers?
Yes. The FTC Safeguards Rule applies to financial institutions, and the FTC's definition includes auto dealers because they regularly arrange or extend financing and leasing. That means dealers are responsible for protecting customer information and for overseeing the service providers who touch it.
Is my OEM-mandated platform exempt from vendor oversight?
No. In auto-dealer-specific Safeguards FAQs published in August 2025, the FTC clarified that OEM-mandated platforms are not exempt from the dealer's vendor-oversight duty. Even when a manufacturer requires you to use a particular system, you still have to confirm it safeguards customer data appropriately.
What is the difference between SOC 2 and HITRUST?
A SOC 2 report is standard due-diligence documentation that an independent auditor produces to describe how a vendor protects data. A Type II report covers how those controls operated over a period of time, not just on one day. HITRUST is a more rigorous certification framework that maps to many standards at once. SOC 2 is the baseline you should expect; HITRUST is a higher bar.
When does a breach have to be reported to the FTC?
Under a breach-notification amendment that took effect in May 2024, covered businesses must notify the FTC within 30 days of discovering a breach involving the unencrypted personal information of 500 or more consumers. That clock is one reason a vendor's breach-notification process matters to you directly.
What is the single most important question to ask a marketing vendor?
Ask for their current SOC 2 Type II report. A vendor that can hand you a recent report under NDA has been independently audited and is used to security scrutiny. A vendor that cannot produce one, or has never heard of it, is telling you something important about how they handle your customers' data.
Sources
- FTC Safeguards Rule: What Your Business Needs to Know (FTC.gov) — https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know
- FTC auto-dealer Safeguards FAQs, August 2025 (FTC.gov) — https://www.ftc.gov/