Back in the frontier days, circling the wagons meant getting ready for an attack.  These days? Same idea – just swap the bandits for regulators, lawyers, and internet complaints.

In case you weren’t around in the 19th century, circling the wagons refers to a defensive maneuver where the pioneers would form a circle with their wagons to protect themselves from attacks.

Compliance is about circling the wagons before the arrows start flying.  In this context, it means getting your house in order.  With that in mind, let’s discuss artificial intelligence and your dealership.

My prompt to ChatGPT:

With as much specificity as possible, in my own voice, detail each and every risk and compliance items which should be of concern or of interest to an automobile dealer and its employees in order to protect themselves from political, regulators (state attorneys general, the Federal Trade Commission, Motor Vehicle Dealer Boards, as examples) and express the results in an article. Make sure to include that proprietary company information (sales stats, net worth etc.) should not be fed into any artificial intelligence program as it could potentially damage the company.

 

ChatGPT Answer:

Absolutely—here’s a direct, detailed, and comprehensive article in your voice, laying out all key risks and compliance concerns an automobile dealer and their employees should proactively address to protect themselves from regulators, plaintiff lawyers, and political exposure. I’ve included the note about AI and proprietary data toward the end for completeness.

 

The Dealership Risk & Compliance Playbook: What Every Dealer Needs to Know to Stay Out of Trouble

 

Running an automobile dealership isn’t just about moving metal. It’s about staying profitable, compliant, and protected in an environment filled with landmines: lawsuits, regulatory oversight, political pressure, and customer complaints.

 

If you’re a dealer principal, GM, compliance officer, or even a frontline employee—you need to understand the risks that could cost you thousands, or even threaten your ability to stay in business.

 

Here’s what you need to know. Every single one of these risks is real—and ignoring them doesn’t make them go away.

 

  1. Advertising Compliance: Federal Trade Commission (FTC) guidelines prohibit deceptive or misleading advertising.

 

Are advertised prices tied to disclaimers with asterisks?

 

Do your disclaimers include all required fees and conditions?

 

Are you advertising prices, payments, or incentives that customers don’t actually qualify for?

 

Does your digital advertising comply with state-specific rules on doc fees, processing fees, and out-the-door pricing?

 

Are your employees independently posting ads on Facebook, Craigslist, or Instagram without compliance oversight?

 

Regulatory risk: FTC, state Attorneys General, consumer lawsuits.

 

Pro tip: Audit all advertising every month—including online banners, social media posts, and third-party classified listings.

 

  2. F&I Compliance: The Finance & Insurance office is a high-risk zone for lawsuits and regulatory action.

 

Are you using an F&I menu that’s compliant, signed, and time-stamped?

 

Does the base payment on the menu match the base payment on the RISC (Retail Installment Sales Contract)?

 

Are aftermarket products clearly listed as accepted or declined by the customer?

 

Do all deal documents align across buyers’ orders, RISCs, and product enrollment forms?

 

Are you charging consistent doc/processing fees to every customer?

 

Are you avoiding payment packing or misleading financing disclosures?

 

Regulatory risk: FTC, CFPB, state AGs, class action lawsuits.

 

Pro tip: Regularly audit deal jackets for inconsistencies—and document every training session.

 

  3. Data Security & Privacy Compliance (GLBA, FTC Safeguards): Your dealership holds sensitive consumer data. You’re now subject to Gramm-Leach-Bliley Act (GLBA) Safeguard Rules.

 

Have you completed your risk assessment as required under GLBA?

 

Do you have a written information security plan?

 

Have you encrypted customer data in transit and at rest?

 

Are you doing vulnerability scans and penetration testing as required?

 

Do you have multi-factor authentication (MFA) deployed across systems?

 

Are you auditing third-party vendors’ compliance?

 

Do your employees know what PII (personally identifiable information) is—and how to handle it?

 

Have you established an incident response plan?

 

Regulatory risk: FTC enforcement, fines up to $43,792[1] per violation, cyber breach liability.

 

Pro tip: June 2023 GLBA compliance deadlines are in effect. Ignoring them exposes you to fines and lawsuits.

 

  4. Employment Practices & Human Resources Compliance: Employment lawsuits are one of the most frequent claims against dealerships.

 

Do you have an updated Employee Handbook[2] that complies with state and federal labor laws?

 

Have employees signed acknowledgement forms for all policies, including harassment, discrimination, and workplace conduct?

 

Are managers trained on discipline and termination protocols?

 

Do you have a documented process for handling EEOC complaints or internal grievances?

 

Are you following wage-and-hour laws for overtime, commissions, and exempt status?

 

Regulatory risk: EEOC (Equal Employment Opportunity Commission), DOL (Department of Labor), state labor boards, individual lawsuits.

 

Pro tip: Get an employment practices liability insurance (EPLI) policy—and audit your handbook every year.

 

  5. Customer Complaints & Dispute Resolution: Complaints that don’t get resolved internally tend to escalate to regulators or plaintiff lawyers.

 

Do you have a process to monitor and respond to online reviews (Google, Facebook, BBB)?

 

Does someone handle internet complaints privately before they go public?

 

Do you log, track, and resolve complaints in a formal dispute resolution system?

 

Are customer agreements clear and do they include arbitration or mediation clauses?

 

Does your staff know what not to say to avoid escalating issues?

 

Regulatory risk: FTC, CFPB, state AG, BBB complaints, negative PR.

 

Pro tip: A single unresolved complaint can trigger a regulatory inquiry.

 

  6. Vendor Management: You’re responsible for your vendors’ compliance too.

 

Have you obtained proof of insurance from every third-party vendor (detailers, IT providers, tow companies)?

 

Do your vendor contracts include data protection clauses?

 

Are you tracking vendor compliance with GLBA and Safeguard Rules?

 

Regulatory risk: Liability for third-party data breaches or negligence.

 

  7. Environmental Compliance: Dealerships face unique environmental risks.

 

Do you have a spill prevention plan?

 

Have you trained employees on hazardous material handling?

 

Are you properly disposing of oil, antifreeze, and other hazardous waste?

 

Are vendors hauling your waste certified and insured?

 

Regulatory risk: EPA, state environmental agencies, personal liability for spills.

 

  8. Legal Exposure from Contracts & Disclosures: Contracts are only as protective as they’re written.

 

Are your sales contracts, disclaimers, and arbitration clauses reviewed by a compliance attorney?

 

Do customers sign all required state forms and disclosures?

 

Does your dealership collect and store customer signatures and acknowledgements properly?

 

Regulatory risk: Contract disputes, class actions, loss of franchise.

 

  9. A Critical Modern Risk – AI Data Privacy: Dealers are increasingly using AI-powered tools. But here’s an urgent warning:

 

Never input proprietary dealership data—sales figures, net worth, customer info, financial reports—into any AI tool or chatbot without understanding where that data is stored or used.

 

Why? Because many AI platforms retain user input for training their algorithms. That data could theoretically become accessible outside your company—or worse, leak sensitive competitive information.

 

Bottom line: Protect your proprietary data. Don’t feed your numbers into open AI tools unless you know exactly how that data is handled.

 

The Big Picture: Regulators are ramping up. Lawsuits are increasing. Customer expectations are higher than ever.

 

A single gap in compliance can trigger thousands—or millions—in fines, settlements, and lost reputation.

 

The solution? A proactive Governance, Risk, and Compliance (GRC) program that touches every department, every role, every process.

 

At the end of the day, this isn’t just about compliance—it’s about keeping the money you make.

 

Because the cost of preventing a problem is always less than the cost of fixing one.[3]

 

*****

 

In my voice, ChatGPT identified the major areas of concern and did an admirable job.  Based on my practice, I would add:

 

  • IRS Form 8300 compliance (the majority of dealers do not have proper practices here): Do you have a policy where employees understand when cashier’s checks can be considered cash by the Internal Revenue Service (IRS)?  Are the cashiers receipting your cash, cashier’s checks, money orders, and traveler’s checks in such a way that you can pull a monthly report from your DMS to determine if a Form 8300 should be filed?  Are you sending letters to those customers by January 31 notifying them that you have filed a report on them?  Failure to comply can result in penalties up to $250,000 per missed report and up to five (5) years of jail time.

 

  • Fair Credit Reporting Act (FCRA) violations
    • In the sales department
    • In the HR department

 

  • Per the FTC and CFPB, dealers are required to have a Compliance Management System (CMS) where all compliance activities are housed in one place and are accessible.

 

  • Compliance training: I would add that ten (10) minutes of monthly training for all employees will go a long way toward satisfying regulators when they judge how seriously the dealership executes its compliance obligations.

 

  • Insurance: Does anyone do a coverage analysis to determine where and how you are exposed?  Do you understand those exposures and have a list of them?  In the case of a catastrophic accident, do you have enough umbrella insurance to cover the entire value of the company?  Have you considered what perils could be an enterprise-ending event?  Are those perils covered by your insurance policies?  What are consumers alleging, and is it covered by your policies?  Do your internal test drive procedures match the requirements of your insurance policy?  Do you have a rental fleet which rents to the public, and if so, do you have insurance outside of the manufacturer’s programs in case that policy rejects a claim?

 

  • Media: Are you prepared if the media reaches out and wants to do a story about an upset customer or employee?  If a camera crew arrives at the dealership regarding a customer complaint, do your employees know what to do, what to say, or who to direct the reporter to?  How would you approach the questions provided by the reporter, and would you allow the camera crew to film you?  Would you be able to utilize a better approach than “no comment”?

 

 

  • The FTC Buyer’s Guide: The Buyer’s Guide is one of the more involved compliance items at the store.  Has anyone inspected to determine if the Buyer’s Guide on the window of the vehicle is the same one which the F&I manager has the customer sign?  Are the same boxes checked?  If you have the remainder of the factory warranty or a CPO, is the proper box checked?  Is there a warranty “available?” How do your employees (both lot porters and F&I managers) know for certain if there is a remaining factory warranty in order to fill out the form properly?  Is anyone routinely checking behind your sales staff and documenting these efforts as each mistake can warrant a $53,088 penalty?

 

  • Recall policy: Do you have a process in place to fix vehicles that have safety recalls?  For both “your brand” and the non-brand vehicles which are sold in the used vehicle department?  Were you aware the dealership could be liable if a customer were in an accident as the result of an unfixed recall?  Do customers sign anything about the status of the vehicle, whether or not there are any recalls?

 

*****

 

My prompt to ChatGPT:  How should a business use ChatGPT in a compliant way so as to ensure they are not endangering their business from outside risks? What policies should be installed from a risk standpoint so as to safeguard the business?

 

 

ChatGPT Answer:

 

Fantastic and forward-thinking question—and exactly the kind of proactive thinking that separates businesses protecting themselves from those unknowingly adding risk. Here’s a clear breakdown in your voice, focusing on risk mitigation and compliance around using ChatGPT or similar AI tools in a business environment:

 

How Businesses Should Use ChatGPT—Without Endangering Themselves

Using ChatGPT (or any AI tool) at work? Smart move.

 

But using it without guardrails?

That’s where businesses unintentionally expose themselves to regulatory, legal, data privacy, and reputational risk. AI tools are powerful—but they’re not risk-free. Anything you type, upload, or paste into these tools could:

  • Be stored
  • Be used to “train” the AI
  • Or (in some cases) be exposed outside your organization

 

Key business risks when using ChatGPT:

 

  • Confidentiality risks: Proprietary or sensitive data entered into AI tools may be retained by the platform or accessed by third parties.

 

  • Data privacy & regulatory risks: If employee, customer, or vendor personal information (PII) is shared, you could violate GDPR, CCPA, GLBA, HIPAA, or other data protection laws.

 

  • Intellectual property risks: Content generated or shared through AI might infringe copyright—or you may unknowingly waive your own IP rights.

 

  • Accuracy & liability risks: AI outputs may be wrong, biased, outdated, or incomplete. Using it without human review could result in compliance violations, misleading claims, or bad business decisions.

 

  • Legal discoverability risks: Anything input into or output from an AI tool may be discoverable in litigation.

 

What Policies Should Be Installed to Protect the Business?

 

To mitigate these risks, every business using ChatGPT should establish an AI Use Policy covering these core areas:

 

Prohibited Use of Confidential or Proprietary Information

  • Employees may NOT input proprietary data (financials, pricing, customer lists, trade secrets, strategy documents) into AI tools.
  • Example language: “No confidential, proprietary, or personally identifiable information may be entered into any AI platform without prior written approval.”

 

Human Oversight & Review Requirement

  • All AI-generated content must be reviewed and approved by a human before use in external communications, legal documents, advertising, or customer interactions.
  • AI cannot be the “final say” without a compliance check.

 

Restricted Use Cases

Define where AI tools may—and may NOT—be used in your business:

  • Brainstorming ideas? Fine.
  • Writing first drafts of non-confidential internal memos? Acceptable.
  • Generating legal contracts, HR policies, customer communications, or advertising claims without legal review? Not acceptable.

 

Clear Ownership of AI-Generated Content

  • State whether AI-generated work belongs to the company, the user, or neither (depending on jurisdiction and platform T&Cs).
  • Clarify whether AI outputs can be used in official business materials.

 

Vendor Management & Platform Vetting

  • Only allow AI tools that meet your security, privacy, and data handling standards.
  • Require legal and IT review of any AI tool’s Terms of Service, data storage policies, and privacy compliance before use.

 

Employee Training

  • Train employees on what AI can and cannot be used for—and why.
  • Educate teams on AI risks in compliance, IP, data privacy, and customer trust.

 

 

Incident Reporting

  • Create a process for employees to report accidental data entry or misuse of AI tools so the company can respond proactively.

 

Why This Matters:

A lot of businesses think of AI as a “productivity boost.” It is. But if you’re not careful, it’s also a data leak risk, a compliance violation risk, an IP risk, and a reputational risk—all wrapped in a glowing user interface. Without guardrails, every employee becomes a possible source of data leakage.

 

With a solid AI Use Policy and training, you turn ChatGPT into a safe, compliant, valuable tool—without opening the company to unnecessary exposure.

 

Bottom Line:

  • Treat AI like you would any other outsourced service or vendor:
    With contracts, policies, restrictions, and monitoring.
  • Don’t feed the machine anything you wouldn’t print on a billboard.
  • And always, always ensure human oversight of AI-generated outputs before using them in the wild.

 

*****
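The AI Use Policy above says that no confidential, proprietary, or personally identifiable information may be entered into an AI platform, and that accidental entries should be reported. A written rule only works if something enforces it at the point where an employee hits “send.” What follows is an added example, not code from the article, its author, or ChatGPT: a pre-submission gate that scans a prompt for the kinds of data the article says must never leave the store (customer SSNs, card numbers, contact details, VINs, and dollar figures such as sales totals or net worth), redacts what it can, and blocks outright when payment or Social Security data is present. The regex patterns, the block-versus-redact rules, the function names, and the sample prompt are all assumptions made for illustration; the SSN, card number, and VIN in the sample are constructed test values, not real records.

```python
"""Pre-submission gate for prompts bound for an external AI tool.

Added example, not part of the article. Detection patterns, the
block/redact rules and the sample prompt are illustrative assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    start: int
    end: int


# Candidate patterns. Regexes alone over-match (a 17-character stock number
# looks like a VIN, a 16-digit order number looks like a card), so "card"
# and "vin" are confirmed with a structural check before they count.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "vin": re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    # Dollar figures with thousands separators: the sales stats and net
    # worth figures the article says should never be fed to an AI tool.
    "financial_figure": re.compile(r"\$\s?\d{1,3}(?:,\d{3})+(?:\.\d{2})?"),
}

# Kinds that are blocked outright rather than redacted and forwarded (assumption).
BLOCK_KINDS = {"ssn", "card"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# VIN check digit (position 9): weighted sum of transliterated characters mod 11.
_VIN_MAP = {
    **{str(d): d for d in range(10)},
    **dict(zip("ABCDEFGH", range(1, 9))),
    **dict(zip("JKLMN", range(1, 6))),
    "P": 7, "R": 9,
    **dict(zip("STUVWXYZ", range(2, 10))),
}
_VIN_WEIGHTS = (8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2)


def vin_ok(vin: str) -> bool:
    total = sum(_VIN_MAP[c] * w for c, w in zip(vin, _VIN_WEIGHTS))
    check = total % 11
    return vin[8] == ("X" if check == 10 else str(check))


VALIDATORS = {
    "card": lambda v: luhn_ok(re.sub(r"\D", "", v)),
    "vin": vin_ok,
}


def scan_prompt(text: str) -> list[Finding]:
    """Return confirmed findings in the prompt, ordered by position."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            check = VALIDATORS.get(kind)
            if check and not check(m.group()):
                continue            # regex hit, but structurally not that data type
            findings.append(Finding(kind, m.group(), m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str) -> tuple[str, list[Finding]]:
    """Replace each finding with a [KIND] placeholder; skip overlapping hits."""
    findings = scan_prompt(text)
    out, pos = [], 0
    for f in findings:
        if f.start < pos:
            continue
        out.append(text[pos:f.start])
        out.append(f"[{f.kind.upper()}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out), findings


def gate(text: str) -> dict:
    """Decide allow / redact / block for one prompt; the decision is what gets logged."""
    redacted, findings = redact(text)
    kinds = {f.kind for f in findings}
    if kinds & BLOCK_KINDS:
        return {"action": "block", "kinds": sorted(kinds), "prompt": None}
    if findings:
        return {"action": "redact", "kinds": sorted(kinds), "prompt": redacted}
    return {"action": "allow", "kinds": [], "prompt": text}


# Constructed sample: the sort of prompt a salesperson might paste without thinking.
SAMPLE_PROMPT = (
    "Draft a follow-up email to Jane Doe (jane.doe@example.com, 555-123-4567). "
    "Her SSN is 123-45-6789 and she paid with 4111 1111 1111 1111. "
    "The car is VIN 1M8GDM9AXKP042788; stock number ABCDEFGHJKLMNPRST. "
    "Our net profit last month was $1,250,000."
)

if __name__ == "__main__":
    print(gate(SAMPLE_PROMPT))
```

In the sample, the stock number ABCDEFGHJKLMNPRST is 17 valid VIN characters but fails the check digit, so it is not reported; the real-format VIN is. The gate blocks the whole prompt because an SSN and a card number are present, and logs which kinds were seen without logging the values themselves, which is what the incident-reporting step in the policy needs. Wired in front of the company’s approved AI tool (as a proxy or browser extension), this turns the policy’s “without prior written approval” into a control a regulator can see operating.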

 

Todd Smith, CEO of Qore AI, recently introduced me to the concept of “compliance drift” in AI models.

“Compliance drift occurs when an AI model’s responses subtly diverge from fair or intended behavior over time or across use cases, which is often due to how the model was trained. For instance, the same query may yield different answers if the model was fine-tuned on data from a large dealership group versus a single-point store. This can lead to unintentional bias or skewed results. It’s a reminder to scrutinize how and where your models were trained, and whose assumptions they’re embedding.”  Exercise caution here.

 

Finally, the Wall Street Journal (April 29, 2025) reported that a KPMG survey indicated 44% of workers admitted to potentially unauthorized or inappropriate uses of AI, and 46% copped to uploading sensitive company data and intellectual property to public AI tools.  Further, 58% of workers admitted to relying on AI to finish work without reviewing the results, and 53% said they presented AI-generated work as their own.[4]

 

Time to shore up your defenses to include AI?

 

So, I asked ChatGPT that question.  My prompt to ChatGPT:  Would you tell automotive dealerships to listen to your advice, ChatGPT?

 

ChatGPT Answer:

 

Yes—if you’re an automotive dealership looking to reduce risk, stay compliant, and protect your bottom line, then yes, you should listen to the advice I offer.

 

Here’s why:

 

Grounded in Real-World Practice: I don’t make up theory. I distill proven best practices from legal standards, regulatory frameworks, and operational insights tailored for your business.

 

Customized to Dealership Ops: From F&I compliance to online reputation management, what I share is aligned with how dealerships actually operate—both variable and fixed ops.

 

Proactive > Reactive: You don’t want to be scrambling after the FTC or a class-action lawyer shows up. The advice I offer helps you get out in front of problems before they cost you big.

 

It’s Based on Risk & Compliance Fundamentals: Federal and state rules aren’t getting lighter. My insights help you meet the bar—and in many cases, exceed it.

 

That said: I’m not a lawyer or regulator—so I should complement, not replace, your legal counsel, compliance team, and insurance advisors. I help you spot the problems before they become liabilities—and show you how to fix them.

 

*****

 

 

There you have it.  ChatGPT agrees with me.  Compliance and circling the wagons are a vital part of running a dealership.

 

Circling the wagons should be part of our daily routine.  Even elephants are in on the action.  In April 2025, a 5.2 magnitude earthquake struck near the San Diego Zoo.  A small herd of African elephants reacted by forming a protective circle, just like those pioneers.  As elephants can feel sound through their feet, when something alarming happens they surround their young to protect them from danger – called an “alert circle.”[5]

 

Don’t you think it’s time for you to form that alert circle?  All the cool kids are doing it.

 

 

 

[1] The current Federal Trade Commission civil penalty is $53,088 per violation.  The $43,792 figure is a ChatGPT error.

[2] I prefer the term Guidebook.  Guidebooks guide employees but don’t necessarily contain every, single policy at a company.  In my opinion, the word “Handbook,” has connotations that everything is contained inside.  This topic may arise during a deposition.

[3] Up to this point in the article, I wrote the opening and the prompt only.

[4] Wall Street Journal, Risk & Compliance Journal, April 29, 2025

[5] Washington Post, “Watch how these elephants react to the San Diego earthquake,” April 15, 2025