What Should Dealerships Do Now That the CARS Rule Has Been Vacated?

On January 27, 2025, the U.S. Court of Appeals for the Fifth Circuit determined that the FTC did not follow proper procedure when it propagated the CARS Rule. When this announcement came out, dealers reached out and asked if they still needed to comply with the Safeguard rules. Even though the FTC is the regulatory body for both the Cars Rule and the FTC Safeguards rule, these are two unique and separate programs. The recent decision, just like the initial announcement of the CARS Rule, does not in any way impact a dealership requirement to protect private and personal customer data.

The Combating Auto Retail Scams (CARS) rule as described by the FTC was a simplification of laws already codified in the existing Unfair or Deceptive Acts or Practices (UDAP) law. Even though CARS was vacated, the parameters mandated to advertise dealership inventory and pricing fairly and accurately are still in effect. Dealerships should expect regulatory authorities at the federal and state level to continue to aggressively pursue actions against dealerships they believe are violating UDAP by misleading consumers and charging junk fees for features or services consumers are not aware of or have asked for.

The new administration’s commitment to easing the regulatory environment does not mean dealerships will not be held accountable for regulatory compliance. It may be quite the opposite. The FTC and State AGs could very well be more motivated to enforce long-standing regulations. Especially with year over year increases in cybercrimes and identity theft. Increased scrutiny of federal and state agencies may be motivation to increase actions that demonstrate the government’s commitment to protecting consumers and their decreasing purchasing power.

Now is a good time to readdress your cybersecurity, information security and privacy rights compliance programs and tools. Conduct detailed risk assessments and address any areas of vulnerability identified. Review your technical controls to ensure they address emerging threat capability, especially with the proliferation of cheap and accessible AI tools. Review your customer-facing websites and ensure they comply with your customer’s rights to control their data. Revisit your staff training on cyber and information security nest practices. Review how you are advertising your inventory and pricing and how your sales team is presenting additional services, add-on, and the like. Make sure that how you sell does not conflict with how you advertise.

Your customers expect you to protect their personal data, expect to be treated fairly and expect to pay for only what they have agreed to. Review and refine your operational policies and procedures, understand where your vulnerabilities are and train your team!