2020 Auto Dealer Compliance Hot Issues

It’s time to take out our annual crystal ball and see what are likely to be hot compliance issues for auto dealers in 2020.  Remember that 2020 is an election year.  Many state Attorneys General are running for re-election and a big splash enforcement action against an auto dealer is almost a regular campaign event to attract consumer support and consumer plaintiff attorneys’ campaign contributions.
 
 Safeguards and Data Security  -  The Federal Trade Commission (“FTC”) dived into the auto dealer safeguards world with its consent decree against DMS provider DealerBuilt in 2019.  The FTC found DealerBuilt to have inadequate safeguards procedures (and they didn’t even have a safeguards policy).   
The FTC ordered specific safeguards requirements for DealerBuilt as part of its 20-year enforcement consent decree.  These included encrypting personal data at rest and in motion; testing its system as well as monitoring and authenticating access permissions to customer data; performing vulnerability scans and penetration tests on its network several times per year; contractually requiring service providers to safeguard information; submitting to an annual third-party assessment of its security practices; and reporting to the FTC.
 
The FTC also issued proposed regulations to amend the Safeguards Rule.  The Rule, since it was passed in 2002, has required dealers and other covered persons to implement security procedures reasonably related to their risk assessment.  The Safeguards Rule does not require any specific security practices.
 
But the proposed amendment would, among other things, require all dealers to:
- designate a senior officer as the Chief Information Security Officer responsible for managing compliance with the dealer’s Safeguards Plan;
​
- encrypt customer non-public personal information at rest and in motion;
- create and periodically test an incident response plan to consist of a committee of internal officers and external professionals to respond to an actual or suspected security breach;
- place access controls on information systems, require two-factor authentication (a password and a biometric or one-time code), and permit access only to individuals who need consumer information to do their job;
- adopt audit controls of who accesses customer information and when;
- conduct annual penetration testing and biannual vulnerability assessments of your system;
- oversee service providers on information security and train employees at least once a year on best security practices; and
- develop secure procedures for destruction of information when no longer needed.
 
 Americans with Disabilities Act (“ADA”) Website Compliance  -  A number of courts have ruled that websites are “places of public accommodation” under Title 3 of the ADA.  This means dealers need to make their websites accessible to people with disabilities such as people who are sight-challenged or hard of hearing.  Lawyers have been holding dealers up with settlement demands where the dealer site is not ADA-compliant.  Attorneys have filed hundreds of ADA suits when they have been unable to extort settlements.  

There are no federal standards to clarify what compliance is but there are industry standards such as the Web Content Accessibility Guidelines (WCAG). WCAG 2.0 AA is frequently referenced by courts.
 
Your best action is to take affirmative steps to attempt to make your website accessible to disabled individuals.  You have flexibility in meeting the ADA and a good faith effort to do so may be enough to dissuade the lawyers from making you the next target.  Here are some elements you should include:
 
Start by adding alt text to every meaningful page on your site.  All video-only and audio-only content needs a text transcript. Transcripts should be clearly labeled and linked below the media.  All video with sound should contain accurate closed captioning.  Any live video presentations must have closed captions.  Audio descriptions of video and images should also be included.
Use proper markup techniques to structure your website’s content (e.g. use correct heading tags and HTML for ordered and unordered lists).  Present content in a meaningful order and sequence so that it reads properly.  When providing detailed instructions, make it so they aren’t reliant on a single sensory ability.

There must be a color contrast ratio of at least 4.5:1 between all text and background.  Text must be able to be resized up to 200% without negatively affecting the ability to read content or use functions.

All content and functions on a website must be accessible by keyboard only (i.e. no mouse).  Keyboard-only users must never get stuck on any part of the website; they must be able to navigate forwards and backwards. If there any time limits on a website or content that blinks, scrolls, or moves, users should have the ability to turn it off, pause it, stop it, adjust it, or extend it. 

Your website also must be predictable and understandable.  Sections 4 and 5 of WCAG v 2.0 A describe procedures to accomplish this as well.

3.     Criminal Prosecutions of Dealer Principals  -  The past two years have shown an increase in federal and state authorities seeking criminal convictions of dealer principals as well as sales and f & i employees for wrongful acts at the dealership.  The wrongful acts include payment packing, misrepresenting income and other fields on credit applications, misstating down payments on retail installment sales contracts and lease agreements, and other bad acts.

The Department of Justice (DOJ) has used laws against bank fraud and wire fraud as the lynchpins for these prosecutions.

Bank fraud covers any “scheme or artifice” intended to “defraud a financial institution,” or the use of deceptive means to obtain something of value that a financial institution owns or controls. A conviction under the federal law can result in up to 30 years in prison, a fine of up to $1 million, or a combination of the two. 

The essential elements of wire fraud are: (1) a scheme to defraud; and (2) the use of, or causing the use of, interstate wire communications to execute the scheme. 
 
So, dealer acts that misstate a customer’s income to obtain credit or that “front end” optional aftermarket products that result in a bank being undersecured or making an unsafe or unsound credit decision will qualify.  The DOJ has used both these parameters to seek and obtain criminal prosecutions against dealer principals and the sales and f & i managers who committed the wrongful acts.
 
State AGs are also using the criminal law against dealer principals.  AGs in Pennsylvania, Massachusetts, California, New York, and New Jersey have been particularly active.
 
Internet Advertising  -  The FTC has issued guidelines for Internet advertising and most of its advertising enforcement actions now address websites and social media.  Google “FTC Advertising and Marketing on the Internet: Rules of the Road”  

The same rules that apply to print and television advertising apply to Internet advertising.  Triggering terms require inclusion of triggered terms under Truth in Lending and the Consumer Leasing Act.  “Clear and conspicuous” disclosures must be placed close to the headline and not buried in scrolling text paragraphs.  Hyperlinks can be used but not for any disclosure that is “an integral part of the claim.”
 
Social media advertising generally involves many moving images and sounds.  This can distract from required disclosures especially if they are not located on the same page or require the customer to move around the page to find them.

The FTC’s requirements for clear and conspicuous disclosures on social media in particular require that ads considered as a whole be honest, straightforward, and disclosures be clear and conspicuous given consumer reading habits on the Web.  Consider your own reading habits of scrolling paragraphs and understand that the disclosures must be at the top and not buried in the middle of rambling text.  The FTC guidelines describe additional online advertising requirements such as making the disclosures clear and conspicuous in any device on which they can be seen and not using media that does not have capacity for necessary disclosures.
 
Military Lending Act  (“MLA”) -  Since December 2017, Department of Defense rules have effectively prohibited the sale of GAP and credit insurance to MLA covered persons.  Your credit bureau will typically identify whether a consumer is an MLA covered person when it provides you with a credit report.  Until the rule is repealed (hopefully some time in 2020), make sure you check a consumer’s status under the MLA before you sell them GAP, credit insurance, or give them an option of taking cash out of a financing.  

Other Issues  -  Other issues include the FTC’s field tests of dealers’ use of Used Car Buyers Guides on all used vehicles offered for sale; new federal laws prohibiting use of paid reviews on websites without disclosing the reviews are paid testimonials and prohibiting use of prohibitions against posting negative comments about the dealership online; FTC scrutiny of “spot deliveries” or “yo-yo financing” as the FTC has termed the practice in consent orders with dealers; Equal Credit Opportunity Commission (EEOC) actions against auto dealers for sexual harassment and sex discrimination; and battles with DMS providers and state laws as to who owns and can use dealer data.  

Other and new issues will also emerge.  Keep up with ongoing developments by reading publications, attending compliance programs, and working with your state dealer associations. 

​ And have a Happy New Year!