fully aware of what is happening, you are protected by contract, and you are managing your risks appropriately. LITIGATION RISK: UDAP AND WIRETAPPING THEORIES Perhaps the greatest current threat in this area is the risk of litigation. Plaintiffs’ firms are actively sending thousands of demand letters, and increasingly filing class actions alleging that websites deploy tracking technologies without proper consent — or that the consent does not function as described. These claims vary, but the basic claim is that by deploying tracking technologies without obtaining adequate consent from the consumer, you are violating a number of state and federal laws. One recurring allegation involves misleading cookie banners where a site represents that certain types of cookies will not load until consent is given, but tracking begins immediately upon page visit or those cookies are not properly categorized or blocked. Another popular plaintiffs’ theory focuses on the practical impossibility of reversing data collection once information has already been transmitted to third parties. Once external platforms build consumer profiles, later opt-out efforts may not effectively unwind the prior sharing. In addition, plaintiffs have invoked federal and state wiretapping laws, arguing that certain third-party tracking tools intercept electronic communications without adequate consent. Technologies such as session replay software, chat monitoring tools and certain analytics scripts have been targeted. Some state statutes require two-party consent, and courts have allowed cases to proceed even where the dealership is located outside the plaintiff’s state. While the legal landscape remains unsettled, obtaining clear, informed consent before activating nonessential tracking and analytics technologies remains the most effective practical safeguard. Remember, these litigation risks are generally unrelated to state privacy laws and are not limited to any state. Dealers in all 50 states are seeing increasing numbers of these claims nationwide. STATE PRIVACY LAWS AND TARGETED ADVERTISING Comprehensive state privacy laws1 are now in effect in numerous jurisdictions, including Texas, and these create additional potential risks for dealers. While several state privacy laws, including Texas, exempt “financial institutions,” issues for dealers under these laws may remain.2 For example, a central feature of many of these laws is the consumer’s right to opt out of the “sale” of personal information and the use of personal data for targeted advertising. In several states, including Texas, the definition of a “sale”3 extends beyond an exchange of money. Sharing personal information with a third party in exchange for analytics insights, ad optimization or other business benefits may constitute a sale under those statutes. Similarly, enabling cross-site advertising through common ad network pixels (e.g., Google, Meta) may qualify as targeted advertising, triggering disclosure and opt-out obligations. Dealers may be subject to these laws even if they are not physically located in the state, provided they collect personal information from residents of those jurisdictions and meet any other applicability requirements. Failure to implement meaningful opt-out mechanisms or to clearly disclose data-sharing practices can result in regulatory risk under the state privacy law directly. GOVERNANCE AND ONGOING OVERSIGHT Dealers should understand what technologies are deployed on their websites, what data is collected and with whom it is shared. Consent mechanisms must function as described, and privacy policies must accurately reflect actual data practices rather than generic template language. Vendor relationships should be reviewed to ensure contractual alignment with GLBA obligations and applicable state privacy laws. In this ever-evolving legal landscape, website technology tools must be governed with the same rigor applied to other compliance-sensitive areas of the business. ComplyAuto is an industry-leading software provider specializing in automated compliance solutions for dealerships navigating complex state and federal privacy laws and website cookie consent requirements. With extensive experience addressing complex regulations such as the Texas Data Privacy And Security Act (TDPSA), ComplyAuto offers integrated solutions designed to simplify compliance and protect dealerships nationwide. Backed by decades of combined legal expertise and strong partnerships with numerous state dealer associations (including TADA), ComplyAuto ensures dealers remain compliant in today’s evolving regulatory environment. To learn more, visit complyauto.com. NOTES 1. There are related concerns raised under federal law that are outside the scope of this article, but are important. For example, the FTC has made it clear that persistent identifiers such as cookies and device IDs may qualify as personal information when they identify individuals or can reasonably be linked to them. If a dealership’s website states that certain tracking technologies will not activate until a user provides consent, but those trackers load regardless, regulators may view the discrepancy as an unfair or deceptive act under Section 5 of the FTC Act. In short, cookie banners and privacy disclosures must accurately reflect what is happening technically behind the scenes. 2. This is a complicated issue, but while these exemptions offer a strong defense in enforcement or litigation, there is a growing consensus that these exemptions may not cover all of dealership operations, or all situations depending on the corporate structure of the dealership and other factors. Even if the exemption applies, all dealers need to protect against the litigation threats, and there are a number of independent reasons why dealers still may want to comply with state privacy laws. 3. “‘Sale of personal data’ means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.” Tex. Bus. & Com. Code § 541.001(28) (emphasis added). DEALERS’ CHOICE 20
RkJQdWJsaXNoZXIy MTg3NDExNQ==