Technology ADAPT Reports

Your Guide to Protecting Customer Data

Sept. 25, 2020—Your shop likely has a lot of customer and employee information stored digitally. Those files can be helpful for essential things like bookkeeping and keeping track of return customers. They can also help shops target marketing campaigns.

To stay within the law and retain customer trust, you want to make sure that you’re the only entity accessing and using that data. Follow this guide to make sure you’re handling sensitive information with care.


5-Step Plan

The Federal Trade Commission has a five-point plan for business owners to assess their data security.

The first step is to take stock of all the devices and people who have access to sensitive information. Make sure to be thorough—if a service writer at an auto shop links his or her phone to information on a work computer, that’s worth noting.


Run Lean

The second step is to keep a lid on how much information you collect and retain. Keep a lean data operation.

“If you don’t have a legitimate business need for sensitive personally identifying information, don’t keep it. In fact, don’t even collect it. If you have a legitimate business need for the information, keep it only as long as it’s necessary,” the FTC says.

Additionally, only give employees access to the information that they need to do the job. Nothing more.


Lock it Down

Third is the security step. This applies to physical files as well, but the electronic security is where many owners might have blind spots. The FTC says that owners need to be fully aware of how employees use computers. Certain websites, email attachments or downloaded programs can all be potential points of vulnerability. Train employees on best practices for web and email use.

Shops should also be aware of how guests connect to a Wi-Fi network and whether or not this provides a potential pathway to sensitive data. The same goes for contractors who might temporarily have access to a computer or network.


Proper Disposal

Most of the disposal rules cover the proper destruction of physical files. But shops also have to make sure that their hardware doesn’t contain any personal information upon disposal. If your shop is getting new computers, make sure the old units have been properly wiped of data. This requires more than just the desktop recycle bin.

“Deleting files using the keyboard or mouse commands usually isn’t sufficient because the files may continue to exist on the computer’s hard drive and could be retrieved easily,” according to the FTC.


Incident Plan

If a breach does happen, you’ll be in a better position to remedy the situation if there’s a plan in place. Designate a senior staff member to coordinate the response plan on the ground, and be prepared to call the proper authorities if necessary.


How to Create a Privacy Policy

According to the American Bar Association, the federal government “urges” commercial website operators to outline their information collection practices in a privacy policy. This includes things like web “cookies” as well as information solicited from web users.

California state law goes further to require privacy policies on commercial websites that collect information from California users.

There are other federal laws that require privacy policies in some cases. The Children’s Online Privacy Protection Act is one that requires parental permission before collecting data on children 12 and under.

The ABA provides this template for creating a website privacy policy:

  • How you collect information

    • Include both your offline and online practices for managing information

    • If you collect information from sources other than your customers, describe this

    • If you collect personal information through web technologies like cookies or web beacons, describe this

  • The kind of information you collect

    • Be reasonably specific

    • List categories of information you collect from online customers and visitors (e.g., contact information, billing information, etc.)

    • Provide examples of the categories of information your company collects (e.g., contact information such as your name and e-mail address)

  • How you use and share the information

    • Describe your use of customer information beyond what is necessary for fulfilling a customer transaction

    • Explain how you share information with other entities

    • List the different types of companies with which you share customer information

    • If you share information with companies that have a direct link or live feed of customer information through a web site, be sure to include this

  • Give customers choices on how their information is used or disclosed

    • Give your customers a simple, effective way to consent to or opt out of sharing their information with other companies

    • Allow an adequate length of time for customers to exercise their option – somewhere between 1 week and 60 days is sufficient, 30 days is frequently used

    • Explain how customers can opt out of information sharing

    • Provide multiple methods of opting in or out. In addition to internet-based methods like e-mail or hypertext links, offer a toll-free telephone number and/or a physical mail address

    • Explain the extent of a customer’s option to limit sharing of personal information

    • Notify customers when their opt-out of information sharing will take effect

    • Provide confirmation to the customer of their consent or opt out

  • How you will notify customers of changes to your policy

    • The policy on your website should be the current version

    • Provide an additional way of telling your customers that there are changes to your policy

    • Provide customers opportunities to opt in or opt out of modified terms

  • Your policy’s effective date

    • Clearly identify the date the policy will begin to be in effect
