Ensuring that vendors are protecting data is Chris Cleveland’s “No. 1 priority” as compliance director at Galpin Motors in California, particularly when negotiating contracts.

But the subject is not always top of mind for dealerships, he told me. They often do not ask their vendors how they use, process or share dealerships’ customer data, or how they implement safeguards. He says they should.

“I don’t think dealers have traditionally monitored or forced their vendors to be as compliant in the space of privacy and security as they need to be,” said Cleveland, also CEO of ComplyAuto, a company that uses software to help retailers comply with data privacy regulations. Going forward, he said, “I think that is going to be something dealerships should take very seriously.”

This year, I wrote about how dealerships should consider vetting vendors’ security practices when negotiating or signing new contracts, particularly in the wake of high-profile data breaches involving dealership software providers.

Compliance and privacy experts say the topic will become even more important for dealerships as more states consider enacting data privacy laws, following a comprehensive statute in California several years ago. California’s law also stands to become more stringent by 2023 after voters approved a ballot initiative last year that builds on the existing law.

“Companies will need to devote a lot of attention to vendor management, and I would think that that will be of big interest to the automotive industry, as well,” says Caitlin Fennessy, chief knowledge officer at the International Association of Privacy Professionals, a membership association that tracks state legislation.

Consumer data frequently flows from companies to vendors, some of which might not be located in a state that is covered by a privacy law but handle data for a company that is, Fennessy told me. As that data flows down the chain, she added, making sure it’s protected following California requirements has the effect of making California’s statute “more than a state-specific law, and to some extent de facto national standard.”