Skip to Content

Franchise Law Manual, Third Edition

The Third Edition of CNCDA’s Franchise Law Manual covers important topics that impact dealership/manufacturer relations. Topics include investment protections, facility requirements, limitations on OEM policies impacting dealership operations, warranty reimbursement, and protests at the New Motor Vehicle Board.

Complying with the Revised FTC Safeguards Rule

On October 27, 2021, the Federal Trade Commission (FTC) finalized revisions to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (“Revised Rule”) for the first time since the rule was issued in 2002. The Revised Rule is extensive and imposes a series of new technical and administrative requirements on dealers. This includes, but is not limited to, internal penetration testing, vulnerability assessments, use of multi-factor authentication, data encryption, security awareness training, and the performance of written risk assessments.

This Compliance Manual will cover the portions of the Revised Rule that are applicable to dealers and provide practical tips on how to achieve compliance.

Originally published on December 27, 2021, the “Complying with the Revised FTC Safeguards Rule” manual was developed by ComplyAuto for CNCDA members to provide a comprehensive resource on this important topic.

Updated May 2, 2024 – Added Chapter 15, updated template documents, separated incident response plan to its own chapter, Chapter 5 amended to add paragraph on encrypted messaging, Chapter 9 updated to add a new Technology Tip concerning “continuous” monitoring.

Click on the “Download PDF” button at the top of the page to download a PDF copy of the compliance manual. The following documents below are available in Microsoft Word format to more easily customize for your dealership.

Dealer Guide to Online Tracking & Cookie Consent Management

Employment Law Manual

CNCDA’s 2024 Employment Law Manual was developed by the attorneys at the Littler Mendelson law firm. It covers key topics involving California employment law that impact franchised new car dealers. Topics include:

  • Hiring
  • Recordkeeping Obligations
  • Wage & Hour
  • Laws Prohibiting Discrimination, Harassment, and Retaliation
  • Leaves of Absence and Workplace Safety
  • Privacy Rights
  • End of Employment

You can download a PDF copy of the manual by clicking on the link above.

Update History

April 8, 2024 – Recommend retention period for wage records changed from three to four years. (Pages 30, 66)

Appendix D – Sample Third Party Agreement

Appendix C – Sample Service Provider Contract Agreement

Privacy Management Software

Software Options

Given the numerous and complex requirements of the CCPA and CPRA, dealers should seriously consider adopting privacy management software to help them navigate and maintain compliance with these regulations. Privacy management software can simplify the process of addressing regulatory requirements, reduce the risks of non-compliance, and save valuable time and resources for the dealer so they can rededicate those efforts to selling and servicing motor vehicles.

ComplyAuto is a leading choice in privacy management software among dealers and is currently licensed by the CNCDA and endorsed by the National Automobile Dealers Association (NADA), currently representing over 60% of dealerships in California and over 8,000 dealers across the country. By choosing ComplyAuto, dealers benefit from a proven solution that automates the complexities of privacy compliance, including performing data mapping, building a systems inventory, creating a comprehensive privacy policy and Notice at Collection, installing a compliant and effective cookie consent banner, managing vendor contracts and addendums, and automating the many types of consumer privacy requests and navigating their requirements.


Please do not hesitate to contact ComplyAuto at if you have any questions about this compliance manual.

Appendix B – Sample Compliance Checklist

Appendix A – Sample Privacy Policy


No doubt dealers have seen some kind of communication sent from their automakers alerting them to the CCPA. Specifically, this notice comes in the form of an updated data sharing agreement that automakers have encouraged dealers to sign, but what does it all mean? Given that there are multiple versions of these data sharing agreements sent to dealers depending on their data collection practices, we cannot capture every single variation or clause within the agreements here, but we can speak to why the automakers are sending them to you. Dealers who require further clarification or advice should reach out to their in-house counsel or attorneys for more information.

Automaker as a Third Party

Under the definitions of the CCPA, automakers generally qualify as Third Parties. As noted earlier, Third Parties are those vendors who (a) collect consumers’ personal information and (b) are not Service Providers. Because Service Providers are defined in the negative in the CCPA, i.e. what they are not allowed to do with the consumer’s personal information that they collect, Third Parties are essentially vendors who perform these prohibited acts. Meaning, Third Parties can do any of the following things:

  1. Sell or share the personal information;
  2. Retain, use, or disclose the personal information for any purpose;
  3. Retain, use, or disclose the personal information outside of their business relationship with the dealer; or
  4. Combine the personal information it receives with any other information it collects from other vendors.

Automakers and Third-Party Contracts

The new regulations introduce a new requirement in that Third Parties must sign a contract with the dealer that has very specific requirements and prohibitions. Without this contract, the Third Party cannot collect, use, process, retain, sell, or share the personal information that the dealer has made available to the Third Party.

As discussed in a previous chapter, this contract between the dealer and automakers may contain language that does each of the following:

  • Identifying the limited and specific purpose(s) for which the personal information is made available to the Third Party;
  • Stating that the personal information is made available only for the limited and specific purpose(s) set forth within this contract;
  • Requiring the Third Party to comply with all applicable sections of the CCPA by providing the same level of privacy protection as required by the dealer;
  • Granting the dealer the right to take reasonable and appropriate steps to ensure that the Third Party uses it in a manner that is consistent with the dealer’s obligations under the CCPA and its accompanying regulations;
  • Upon receiving written notice from the dealer, taking appropriate steps to stop and remediate unauthorized use of personal information made available to the Third Party; and
  • Notifying the dealer as soon as practicable after the Third Party determines that it can no longer meet its obligations under the CCPA or its accompanying regulations.

These clauses are probably included in the data processing agreement that was discussed earlier in this chapter. Dealers who require further clarification or advice should reach out to their in-house counsel or attorneys for more information.

Back to top