LotShield — Ad + Safeguards compliance cockpit for small US used-car dealers

1. One-liner

AI cockpit that keeps small US used-car dealers compliant with state CARS Acts and the FTC Safeguards Rule.

2. Trend signal — why now?

Three real shifts hit small independent and BHPH (Buy-Here-Pay-Here) lots in the last 12 months. Federal CARS Rule got vacated by the Fifth Circuit and formally withdrawn Feb 12, 2026 — but the states immediately filled the vacuum. California’s CARS Act (SB 766) takes effect October 1, 2026 with a 3-day right-to-cancel for used cars ≤$50K, strict price-and-add-on disclosure rules across every channel (website, Marketplace, AutoTrader, Cars.com, radio, in-store), and a two-year record-retention obligation on every ad and customer communication. Washington, NY, and IL are running parallel ad-disclosure regimes. A solo BHPH operator selling into 3 states now has to track 3 different ad rulebooks with no help.

Second: FTC Safeguards Rule is now in full-enforcement mode. The FTC sent warning letters to 97 dealerships on March 13, 2026 about deceptive ad pricing and is publicly inviting dealers to report each other. Safeguards Rule non-compliance is up to $11,000/day in civil penalty. The Rule still requires a Written Information Security Program (WISP), a named Qualified Individual, MFA, vendor risk, annual penetration test or risk assessment, and an annual board report — most BHPH lots have none of that on paper.

Third: the AI side. GPT-4-class vision can scan a dealer website + Marketplace listing photos and tell you within 10 seconds whether the offering price + add-ons + qualifying disclosures match what each state requires. That capability did not exist 18 months ago. ComplyAuto and KPA own franchise-dealer compliance ($300–600/mo, NADA-endorsed, 10K dealers), but both are sold high-touch into the ~15K franchise market. The ~60K active independents — including ~10K BHPH lots — get either a $5K/yr Tom-Kline-style consultant or nothing.

Provenance:

• Signal 1 (demand): Federal CARS Rule withdrawn Feb 12, 2026; California CARS Act (SB 766) signed Oct 6, 2025, effective Oct 1, 2026 — patchwork explicitly forming — Federal Register withdrawal + California CARS Act analysis (Madison Law) — 2025-10 / 2026-02
• Signal 2 (economic / enforcement): FTC sent warning letters to 97 dealerships March 13, 2026 about deceptive ad pricing; Safeguards Rule non-compliance up to $11K/day — FTC warning letters (CW Attorneys) + Safeguards penalty math (itsasap) — 2026-03
• Signal 3 (feasibility / customer voice): DealerRefresh forum threads showing small independents trying to DIY compliance because ComplyAuto/KPA fees don’t pencil; NIADA UCIR shows 9.8M independent used sales in 2025 — DealerRefresh thread: “Need help with Compliance” + NIADA UCIR 2025 — 2025 Category: Regulatory arbitrage

3. The opportunity

The compliance vendors built their pricing and sales motions for franchise dealers (Toyota of Wherever, with a GM, finance director, GM’s nephew running IT). ComplyAuto charges what a franchise dealer treats as a rounding error. The independent / BHPH lot — 5 staff, owner answers the phone, listings posted by the lot manager from his phone — can’t afford $500/mo and won’t sit through a 45-minute onboarding call. So they either (a) sign with a generalist IT MSP who slaps “WISP” on a Word doc, (b) hire Tom Kline at $5K/yr for an audit, or (c) ignore the rule and hope the FTC keeps focusing on franchises.

The wedge: a product-led, self-serve compliance cockpit that an independent dealer signs up to in 12 minutes, gets value from in week one (auto-scanned listings flagged red/yellow/green), and auto-generates a defensible Safeguards paper trail. Price low enough that it’s a no-brainer ($199–$399/mo). When the FTC starts walking down the dealer count list — and the first independent consent decree headlines hit — every uncovered lot owner becomes a warm lead.

4. Target market

• Primary customer: Owner-operator of US independent / BHPH used-car dealership, 50–500 retail units/year, 1–15 staff, $1–25M annual revenue. Multi-state operators get extra value but single-state CA dealers are the urgent first cohort (Oct 1, 2026 deadline).
• Why they buy: They’ve read the NIADA newsletter, they’ve seen the 97-dealer warning letters, the state association is sending them CARS Act emails weekly, their MSP shrugged when asked about Safeguards. They want a “yes you’re covered” answer for $300/mo, not a $5K consultant.
• Rough TAM reasoning: NIADA estimates roughly 25K–35K “active” independent used-car dealers in the US (UCIR 2026). ~10K of those are BHPH. Target 5–10% of the broader 60K licensee universe = 3K–6K accounts. At $300/mo blended, that’s $11M–$22M ARR ceiling on this segment alone. $1M ARR = ~280 dealers — very reachable.
• Why now for them: California Oct 1 deadline is concrete and dated. FTC enforcement is visibly hot (97-letter blast, snitch hotline). State AGs (NY, WA, IL) actively writing parallel rules. Insurance carriers and floorplan lenders now ask for proof of Safeguards compliance at renewal.

5. Product sketch (MVP)

• Ad scanner: dealer connects their website (or pastes URL), Facebook Marketplace seller profile, Cars.com / AutoTrader / CarGurus inventory feed. AI vision + LLM scans every listing daily and flags state-specific violations: missing offering price, advertised add-ons not flagged as optional, “no haggle” language, available-vehicle stock mismatch, missing Buyers Guide for unit on lot, doc fee disclosed wrong.
• State playbook: lights up rules per state where the dealer ships/advertises (CA SB 766, WA dealer-ad WAC, NY AG guidelines, FTC Used Car Rule baseline). New rules added monthly; dealer sees a “what changed this month” digest.
• Safeguards auto-doc: generates and maintains the WISP, Qualified Individual designation, vendor risk register, MFA attestation log, annual risk assessment, incident response plan, and the annual board report — all populated from a 20-minute intake quiz and ongoing checkbox prompts.
• Quarterly tasks queue: sends owner/Qualified Individual a 5-minute monthly to-do (review user access, attest backups, confirm vendor list). One-click sign-off creates the audit trail.
• Right-to-cancel tracker (CA): auto-generates the 3-day cancellation paperwork, tracks the 250-/400-mile rule, flags overdue cancellation responses.
• Audit-ready binder: one-click PDF binder of every artifact, ready for the FTC/state AG/insurance carrier/floorplan lender ask.
• Snitch-defense alert: scans the FTC’s public press releases + state AG dockets daily; alerts if a peer dealer in the same state gets cited (signal that enforcement is on your radius).

6. AI angle — what’s load-bearing

Three places AI does the work:

1. Listing scan. Multimodal LLM reads every listing photo + ad text + price block and applies a per-state rulebook. Without AI, this is a paralegal at $50/hr × hundreds of listings/month — economically dead for a $300/mo product. With AI it’s pennies per scan.
2. WISP/SOC-doc generation. LLM ingests dealer’s 20-minute intake (what DMS, what F&I tool, what’s the email host, who has admin) and produces a defensible, dealer-specific WISP that reads like a competent IT consultant wrote it. Then keeps it updated as the dealer answers monthly prompts.
3. State-rule diffing. Parses new bills and AG guidance, diffs against the existing rulebook, surfaces “what changed” plain-English summaries. State association newsletters do this manually and ship monthly — AI does it nightly.

Remove the AI and you’re back to ComplyAuto’s price point ($600/mo with humans in the loop). The price gap and the speed-to-value are AI-load-bearing.

7. Localization angle (if any)

This is the localization play — US state patchwork is the wedge. The wedge is US-only by design. Within the US, each state’s rulebook is a localization layer; expansion = each new state rule unlocks a new revenue cohort. After CA (Oct 2026), Washington/NY/IL are the next obvious modules. Federal Safeguards Rule is the always-on baseline.

Not a global play. Different regulatory frame in EU/India/SEA. Stay focused.

8. Business model — path to $1M–$5M ARR

• Pricing: $199/mo Solo Lot (≤50 units/yr, single state), $399/mo Growth (≤300 units/yr, up to 3 states), $799/mo Multi-Lot (≤5 rooftops). Annual prepay = 2 months free.
• ACV: ~$3,600 blended (most accounts land on Growth).
• $1M ARR math: 280 dealers on Growth tier × $399 × 12. With ~30K active independents in the US, that’s <1% penetration.
• $5M ARR math: 1,400 dealers. Requires a state association endorsement deal (NIADA or 2–3 state associations) + a parallel BHPH-specific motion. NIADA has affinity programs (ComplyAuto already has the franchise NADA tie-up; the independent side is open).
• Expansion path: start with ad+Safeguards module → add CFPB compliance (BHPH lenders are CFPB targets), Red Flags Rule, OFAC checks, e-titling, dealer-license renewal calendar. ACV climbs from $4K → $8K within 18 months.

9. Go-to-market wedge — first 100 customers

1. CA Oct 1 deadline ambush. Pull California Department of Motor Vehicles (DMV) Occupational Licensing list — public, ~7,500 licensed used-car dealers. Filter for non-franchise. Send a personalized Loom video showing live screen-cap of their current website ad with the SB 766 violations flagged red. Convert at 2–3% = 150 leads, 50 paid.
2. NIADA + state association partnership. California IADA, Texas IADA, BHPH Forum — pay sponsorship + show up at the spring/fall conferences. ComplyAuto did this with NADA franchise side. Independents have weaker but cheaper association infrastructure to plug into. State assoc emails get opened.
3. DealerRefresh + BHPH United + Auto Remarketing. Active forums where compliance threads run hot. Publish 4 longform pieces (“What CA SB 766 actually means for your Marketplace listings”, “The 5-page WISP that satisfies the FTC for an independent lot”). Ungated downloads → email capture → 14-day trial.
4. The 97-letter list. FTC published recipient list. Open public records request to states with AG actions, build the named-target list. Cold outreach: “you’ve already been on the radar — here’s a 14-day pilot.”
5. Insurance + floorplan partnerships. Floorplan lenders (Westlake, NextGear) and dealer E&O carriers want their books to be compliant. Negotiate a co-marketed pilot — they email LotShield to 500 customers in exchange for a premium rebate.

10. Build complexity — justification

Medium. Off-the-shelf: listing scrape (apify/Bright Data + custom), multimodal LLM for ad scan, LLM + template engine for WISP, Stripe for billing, simple Next.js dashboard. Custom: the state-rulebook engine (one-time research load + monthly update process) and the listing-feed adapters per source (AutoTrader/Cars.com/Marketplace each have their own scrape friction). Solo or pair builder ships v1 in 10–14 weeks; first paid pilot inside 60 days of code start.

11. Gating checklist

Gate	Pass?	Note
Legal in target market	✅	We help dealers comply; we don’t practice law. Carry E&O.
Ethical — no harm / dark patterns	✅	Pro-consumer alignment — preventing deceptive ads.
Market exists (evidence above)	✅	97-dealer FTC blast, CA SB 766, NIADA UCIR.
1–5 person team can build this	✅	LLM-heavy, no novel infra.
Launchable with <$50K / ₹40L	✅	LLM tokens + scrape + Stripe. Founder time is the cost.

12. Feasibility score

Axis	Weight	Score	Notes
Problem intensity	20	17/20	$11K/day fine + state AG snitch culture + state deadline = hair on fire for the Oct 2026 wave. Loses 3 points because BHPH-owner risk tolerance is high — many will roll the dice.
Demand evidence	15	13/15	97-letter FTC blast, SB 766 passed, ComplyAuto’s 10K-dealer franchise base proves WTP. Direct independent-side evidence still needs validation interviews.
Build feasibility	15	12/15	LLM + scrape + doc-gen is standard 2026 stack. Listing-feed adapters and the state-rulebook content are the real work.
Distribution clarity	15	12/15	DMV lists are public, NIADA + state IADAs exist, DealerRefresh forum has the audience. Loses 3 for cold-DM conversion uncertainty on a non-tech buyer.
Revenue mechanics	15	13/15	$300–400/mo is dead-center for a small-lot tool. Existing comparables ($600 KPA) validate ceiling.
Time to first revenue	10	8/10	Pre-sell 10 CA dealers off the SB 766 deadline before code is finished. Paid pilot in 4–8 weeks of code-start, full revenue ramp once Oct deadline approaches.
Defensibility	10	5/10	Soft moats only: state-rulebook content (compounds), association endorsements (each one is hard-won), dealer workflow lock-in. ComplyAuto can drop down-market — that’s the main competitive risk.
Total	100	80/100

13. Qualitative modifiers

Founder-fit tags

domain-expertise-required (someone has to read the bills and be willing to talk to dealers), sales-heavy (independents won’t self-serve cold — needs phone follow-up).

Key assumptions to validate (3–5)

1. Assumption: CA independent dealers will pay $300–400/mo for self-serve compliance vs. $5K/yr Tom-Kline consultant. How to test: 30 phone interviews with CA used-car owners drawn from DMV license list — show them a 2-min Loom of their own ad scanned, ask “would you pay $399/mo for this?” Need ≥10 “yes if it works.”
2. Assumption: Listing-feed scraping (Marketplace, AutoTrader, Cars.com) is technically reliable enough at sub-$5/mo per dealer cost to keep margins healthy. How to test: Build the scrape adapters for 50 sample dealers in week 1–2; measure error rate, cost per scan, and how quickly the source sites push back.
3. Assumption: NIADA or a state IADA will partner / endorse (or at least not block) once we have 25 paying dealers. How to test: Direct outreach to NIADA + 3 state IADAs at month 3, with paying-dealer reference list. Need 1 yes within 6 months.
4. Assumption: Safeguards-only is enough to keep a dealer on the platform after the SB 766 ad-scan wedge cools off. How to test: Track 90-day retention of pilot cohort. Need ≥85% retention.

Risk flags

1. Regulatory whiplash: federal CARS Rule got vacated once; states could too (industry lobbying is real). If multiple state CARS Acts get struck down before Oct 2026, the urgency wedge collapses. Safeguards Rule is more durable but less immediate.
2. ComplyAuto down-market push: they have NADA, $1M warranties, 10K dealers and venture capital. They could ship an “Independent” SKU at $299/mo. Mitigation: speed, BHPH-specific add-ons (CFPB, OFAC, in-house lending paperwork) they don’t prioritize.
3. Listing-source TOS friction: Marketplace / AutoTrader could rate-limit or block scraping. Mitigation: dealer-side OAuth where available; offer paste-in / email-in fallback; partner with the listing aggregators directly long-term.
4. Buyer apathy: BHPH owners are famously risk-tolerant (“they’ll fine me, I’ll pay, I’ll keep selling cars”). First wave of independent FTC consent decrees is the marketing event; without it, growth is slower.

14. Structured verdict

Score:                  80/100
Verdict:                STRONG GO
Confidence:             Medium
Best-fit builder:       Operator with auto-retail or compliance/legal background + one strong full-stack engineer. Bonus if either founder has sold to NIADA-member dealers before.
Time to revenue:        4–8 weeks (pre-sold CA pilots), full ramp at California Oct 1, 2026 deadline.
Capital to launch:      $25K–$40K (founder time + LLM tokens + state-rule content licensing + conference sponsorship).
Top 3 assumptions to validate first:
  1. Independent dealers will pay $300–400/mo self-serve (30 phone interviews from CA DMV list)
  2. Listing-feed scraping economically scalable to $5/mo/dealer cost (50-dealer technical pilot, week 1–2)
  3. At least one state IADA will partner or co-market by month 6 (direct outreach with paying-dealer references)
Kill criteria:
  - Abandon if <10% of 50 CA outreach calls show intent to pay $300+/mo within 8 weeks
  - Abandon if California CARS Act (SB 766) gets enjoined or substantially delayed before Oct 1, 2026
  - Abandon if ComplyAuto launches a sub-$300/mo independent SKU with NIADA endorsement before our first 100 paying customers

15. Next step — 1-week validation sprint

• Day 1–2: Pull California DMV used-car dealer license list. Filter to non-franchise. Hand-build a 200-row spreadsheet with website URL, owner name, phone, ad listings.
• Day 2–3: Build a one-off LLM script: feed each dealer’s homepage + 5 inventory listings into GPT-4 vision, output a 1-page “your CA SB 766 risk report” PDF flagging missing offering price, add-on disclosure, doc-fee transparency.
• Day 3–5: Cold-call 30 dealers from the list. Pitch: “we ran a free CA SB 766 risk check on your lot — want to see it? If you like it we’ll keep doing it monthly for $399.” Send the PDF live on the call.
• Day 5: Decide go / no-go.
  • Go signal: ≥5 dealers verbally commit to a paid pilot, ≥3 give a credit card.
  • No-go signal: <3 verbal commits, or >50% say “I’ll just wait and see what the state does.”

The result is falsifiable: either real dealers swipe a card within 7 days of being shown their own violation list, or they don’t.