Compliance · 6 min read · April 23, 2026 · Updated April 27, 2026

Customer Data Your Shop Keeps. And the Law

Names, VINs, phone numbers, service history, credit card receipts. What you're required to keep, what you should delete, and how the rules changed in 2026.

AM, Founder, Pitlane

The records question most shops get wrong

Every auto shop accumulates customer data. Names, phone numbers, email addresses, VINs, service history, sometimes photos of the inside of cars, sometimes stored credit card numbers. Most shops treat it casually. Data stays in the system until the system is replaced, at which point it gets migrated or lost.

That casual approach was fine 10 years ago. It's not fine today. Several US states now regulate consumer data, and the rules reach independent auto shops, not just big tech.

Here's a practical guide to what you actually have to worry about.

What you're legally required to keep

Federal and state requirements vary, but for most US shops:

  • Transaction records — 3-7 years depending on state, for tax/audit purposes.
  • Employee records — typically 4 years for tax purposes, longer for specific safety-related records.
  • Vehicle inspection records — if you do state inspections, requirements vary but typically 1-3 years.
  • Repair orders with customer signatures — most states require you keep these 1-2 years minimum for consumer protection compliance.

Beyond those, there's no specific federal requirement to retain customer data.

What's changing in 2026

Several states passed or updated consumer privacy laws that affect small businesses:

  • California (CCPA/CPRA): Consumers have the right to know what data you have, request deletion, and opt out of data sales. Applies if your business has $25M+ annual revenue (the figure is inflation-adjusted) OR buys, sells, or shares personal information of 100k+ consumers or households OR derives 50%+ of revenue from selling or sharing personal information. Most single-location shops are exempt by revenue. But if you're a regional multi-shop, you may fall into scope. Full thresholds and obligations at the California Attorney General CCPA page.
  • Virginia, Colorado, Connecticut, Utah, Texas: Similar consumer rights laws with varying thresholds. Most single-shop auto repair operations are below the revenue or data-volume thresholds that trigger full compliance; note that Texas uses the SBA small-business definition rather than a revenue figure. The IAPP US State Privacy Legislation Tracker keeps an up-to-date map of who's covered where.
  • FTC Safeguards Rule: This one reaches beyond big companies, but its scope is set by whether your shop is a "financial institution" under the Gramm-Leach-Bliley Act, meaning significantly engaged in financial activities. Offering in-house financing, payment plans, or leasing puts you in; simply accepting cards through a third-party processor generally does not. If you are covered, you owe a written information security program with access controls, encryption, and a designated person responsible for it. See the FTC's Safeguards Rule compliance guidance for what's actually required.

Your practical exposure as a single-shop operator is usually:

  1. FTC Safeguards, if you finance or arrange financing for repairs: you have to maintain reasonable security around customer data, especially payment and financing data.
  2. State-level data breach notification laws: you have to notify customers if their data is breached, and many states set a deadline.
  3. Contractual obligations: if you accept credit cards, your processor agreement binds you to the card brands' rules (PCI-DSS), whether or not any privacy statute applies.

The practical playbook

1. Don't store credit card numbers. Seriously. Don't. Use Stripe, Square, or whatever your processor is, and let them store the card data. Your system should only have the last 4 digits and the processor's token, which is useless to anyone who steals it from you. If you're writing credit card numbers on paper repair orders, stop immediately.
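The first half of that step is finding where card numbers already sit: notes fields, comments typed from paper ROs, "card on file" remarks. The scanner below is an added example, not Pitlane's code. It assumes your shop software can export text fields as plain strings (the rows here are constructed, with the standard test card numbers) and flags a digit run only if it is 13 to 19 digits and passes the Luhn check, so VINs, phone numbers and invoice numbers don't produce noise.

```python
"""Audit free-text shop records for stored card numbers (PANs).

Added example; not Pitlane's code. Input is assumed to be
(record_id, field_name, text) rows exported from the shop system.
"""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return PAN-like strings in text that pass Luhn, masked to the last 4.

    The full number is never returned or logged; the audit report only needs
    enough to locate the record.
    """
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def audit_records(records) -> list:
    """records: iterable of (record_id, field_name, value). Returns findings."""
    findings = []
    for rid, field, value in records:
        for masked in find_pans(value or ""):
            findings.append({"record": rid, "field": field, "pan": masked})
    return findings


# Constructed sample rows, not real shop data. 4111... and 5500... are the
# well-known test numbers; the VIN, phone and invoice number must not match.
SAMPLE = [
    ("RO-1001", "notes", "Customer paid by card 4111 1111 1111 1111, exp 09/27"),
    ("RO-1002", "notes", "VIN 1HGCM82633A004352, phone 555-867-5309"),
    ("RO-1003", "notes", "Card on file: 5500-0000-0000-0004. Call before work."),
    ("RO-1004", "notes", "Invoice 12345678901234 void"),  # 14 digits, fails Luhn
]

if __name__ == "__main__":
    for f in audit_records(SAMPLE):
        print(f"{f['record']} [{f['field']}]: {f['pan']}")
```

Run it over an export of every free-text column (notes, internal comments, DVI remarks), then fix the records it lists and retrain whoever typed the numbers in. The Luhn check is a filter, not proof: a 16-digit string that passes it is almost certainly a card number, but a hit still needs a human to look at the record before deletion.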

2. Keep customer records only as long as useful. For active customers (visited in last 3 years), keep everything. It helps retention. For inactive customers (5+ years no visit), you can safely purge all but basic transaction records for tax purposes.

3. Limit who has access. Techs don't need access to credit card data. Your service writer doesn't need access to payroll info. Role-based access isn't just good practice; it's a safeguards requirement if you're under FTC rules.

4. Have a data breach plan. If a laptop gets stolen or your email gets compromised, you need to know:

  • Who to call (usually: local police, your insurance carrier, your payment processor if card data may be involved, state AG office if regulated)
  • Who to notify (usually: affected customers, within specific timeframes)
  • What to do (usually: reset credentials, notify, document)

Write this down. Keep it accessible. Review annually.

5. Know what data you're collecting from DVIs. Digital vehicle inspections often collect photos. Some of those photos accidentally include license plates, personal items in cars, or reflections of people, and phone cameras embed the time and GPS location in the image metadata. Train techs to frame shots that show the vehicle part, not the interior of the car. Delete incidental personal info and strip metadata if your DVI tool doesn't do it for you.

What customer rights to actually expect

Even if you're below the threshold of state privacy laws, customers occasionally ask:

  • "Can you delete my data?" — Say yes. Delete their customer record (or anonymize it if you need transaction history for tax purposes). It's usually 5 minutes of work and it's good customer service.
  • "What data do you have on me?" — Send a summary: contact info, visit dates, vehicles, service history. Don't include detailed payment data; refer to their own records for that.
  • "Don't text/email me anymore." — Honor the request within 10 business days at the latest. That outer limit comes from CAN-SPAM for email and FCC rules under the TCPA for texts, regardless of state law; in practice, do it the same day.

Common mistakes to avoid

  • Keeping credit card numbers on paper ROs in a filing cabinet. This is a data breach waiting to happen. Shred old paper ROs that have credit card data.
  • Sharing customer lists with "partners." If someone offers you a referral deal in exchange for customer data, think hard. Getting something of value for customer data is a "sale" under CCPA-style laws, which trigger opt-out rights wherever those laws apply.
  • Storing data indefinitely. A 10-year-old inactive customer record has no value to you and is a liability. Purge.
  • Using customer data for non-service marketing. Marketing texts need prior express written consent under the TCPA. Marketing email doesn't need opt-in under CAN-SPAM, but it does need a working unsubscribe that you honor. Service reminders for a vehicle you worked on are a different category from a promotional blast.

The SMS piece

If you text customers, TCPA and A2P 10DLC carrier rules apply. Specifically:

  • Get prior express written consent before texting for marketing.
  • Honor STOP requests immediately; your messaging platform should process the keyword automatically. The legal outer limit under FCC rules is 10 business days, but carriers expect it to be effectively instant.
  • Include opt-out language in marketing messages.
  • Register your brand and campaign with the carriers (A2P 10DLC) and send only from numbers attached to that campaign.

TCPA statutory damages are $500 per unauthorized message, up to $1,500 if the violation was willful, and they are claimed through private lawsuits. A shop that texts 500 customers with a promotional blast and ignores 10 STOP requests could be looking at $5k-$15k for those 10 messages alone, more if the recipients band together.

See the full SMS compliance guide for specifics.

What to do this week

  1. Audit where credit card data lives. Stop storing it anywhere manual.
  2. Set up role-based access in your shop software. Techs shouldn't see payment data.
  3. Write a one-page data breach plan. Save it where you'll find it.
  4. Set a calendar reminder to annually review customer data retention. Delete truly inactive records.
  5. Make sure your text messaging is A2P 10DLC registered.

That's the 80/20. Do those five things and you're ahead of most independent shops on data handling.

How Pitlane helps

Pitlane handles PCI-compliant payment tokenization (we never store card numbers), role-based access, TCPA-compliant SMS with carrier registration, and one-click customer data deletion. One system, the compliance pieces handled.

See how the data model works →

Frequently asked

How long does an auto shop have to keep customer records?

Federal and state requirements vary, but for most US shops the floors are: transaction records 3–7 years (state-dependent, for tax/audit), employee records 4 years for tax purposes, repair orders with customer signatures 1–2 years for consumer protection compliance, and state inspection records 1–3 years where applicable. Beyond those legal minimums, there's no federal requirement to retain customer data. Active customers (visited in the last 3 years) are worth keeping in full because the data helps retention. For inactive customers (5+ years no visit), purge everything except basic transaction records you need for tax purposes.

Can my auto shop store customer credit card numbers?

No. Don't. Use Stripe, Square, or whatever processor you're on, and let them store the card data. Your system should only ever have the last 4 digits and a tokenized reference. If you're writing credit card numbers on paper repair orders, stop immediately and shred the existing ones. That's a data breach waiting to happen and it pulls your whole shop into PCI-DSS scope if you're processing cards. Modern payment platforms handle tokenization automatically. The only 'card data' that should ever live in your shop is the receipt with the last 4 visible.

Do consumer privacy laws like CCPA apply to my single-location auto shop?

Usually no, by revenue threshold. CCPA/CPRA applies to businesses with $25M+ revenue, that buy, sell or share data on 100,000+ consumers or households, or that get 50%+ of revenue from selling or sharing data. Most single-location independent shops are exempt by revenue. Virginia, Colorado, Connecticut, Utah, and Texas have similar consumer rights laws with their own thresholds, and most single-shop operations fall below them. Two things still apply regardless: state-level data breach notification laws (you have to notify customers if their data is breached) and your processor's PCI-DSS obligations. The FTC Safeguards Rule is a third if your shop extends credit or arranges financing, which makes it a "financial institution" under GLBA. Plan for those, not for full CCPA compliance.

What should I do if a customer asks me to delete their data?

Say yes and do it. Even if you're below the threshold of state privacy laws that legally require it, deleting (or anonymizing for tax-record purposes) takes about 5 minutes of work and it's good customer service. Same goes for 'what data do you have on me?' Send a summary of contact info, visit dates, vehicles, and service history. And 'don't text or email me anymore' has to be honored within 10 business days regardless of state law, because CAN-SPAM and the FCC's TCPA rules both set that limit. Treat these requests as routine customer service, not legal compliance.

What data privacy steps should every auto shop take this year?

Five concrete actions cover the 80/20. One: audit where credit card data lives and stop storing it anywhere manual. Two: set up role-based access in your shop software (techs don't need to see payment data, advisors don't need payroll). Three: write a one-page data breach plan listing who to call, who to notify, what to do, and save it where you'll find it. Four: set an annual calendar reminder to review customer data retention and delete truly inactive records. Five: confirm your text messaging is A2P 10DLC registered. Do those five things and you're ahead of most independent shops on data handling.

Every system in this post runs automatically in Pitlane.

Reviews, follow-ups, win-backs, digital inspections, card payments — set it up once, it runs forever. Under 10 minutes to get started.
