Privacy commissioners across the country are paying more attention to how dealerships handle credit information than at any point in the last decade. If you're using a soft-pull workflow on your VDP — and you should be — there are three things worth re-checking this quarter.
1) Consent capture. The shopper must affirmatively check a box, not pre-checked, with a clear-and-plain-language disclosure of what's about to happen and which bureau will be queried. We default to TransUnion + Equifax dual-bureau, with the lender list visible inline.
2) Audit log. Every consent event needs a timestamped, IP-stamped, hash-signed record. DealerMatrix writes this to an immutable log table that sales staff cannot edit. If you're using anything that lets staff back-edit consent events, you have a finding waiting to happen.
3) Retention. You must delete unsuccessful applications inside the dealer-defined retention window (we default to 24 months). Closed deals get rolled into the main customer record. We surface a quarterly retention report for owners.
None of this is new in 2026, but the bar moved on enforcement. If you're a DealerMatrix customer, this is wired in already. If you're not — call the privacy commissioner's office, or, you know, us.