Notably, the primary claims in the Briskin case were brought under the California state wiretapping law — CIPA — that allows for statutory damages related to cookies and other tracking technologies loaded onto a website without adequate consumer consent. The same jurisdictional theories, however, could apply to state privacy laws like the CCPA and other state privacy laws. Not all states have restrictive privacy laws like California, but there are now 19 states with state privacy laws, including Maryland. The MODPA, signed into law on May 9, 2024, took effect on Oct. 1, 2025, and it grants Maryland residents broad privacy rights in the usage and collection of their personal data while imposing obligations and restrictions on businesses that conduct business in Maryland or target the residents of Maryland. Businesses, like dealerships, must conform to specific standards regarding the control and processing of Maryland consumers’ personal data. WHAT ARE DATA PRIVACY LAWS? Numerous states have passed data privacy laws that could impact your dealership. Living in the digital age, most of you have traveled to a website recently where you had to click on whether to allow cookies or reject them. Such banners are used, in part, to comply with data privacy laws. Some states have much stricter laws than others, but dealers need to be aware of the laws that impact their dealership. Compliance companies, like ComplyAuto, assist in making sure your dealership is compliant. In Maryland, the MODPA, which is applicable to persons and legal entities conducting business in Maryland or providing products/services targeted to the residents of Maryland AND during the previous year, either (1) controlled or processed at least 35,000 consumers’ personal data (excluding personal data controlled or processed for the purpose of completing a payment transaction) OR (2) controlled or processed the personal data of at least 10,000 consumers and over 20% of the entity’s gross revenue is attributable to the sale of personal data. Note that most dealers will meet this customer data threshold. Under MODPA, consumers are granted the right to: 1. Confirm whether a controller, which is a business/individual determining the purpose and means of processing personal data, is processing their personal data, and consumers have the right to access it. 2. Correct inaccuracies in their personal data. 3. Require the controller to delete personal data unless retention of the data is required by law. 4. Obtain a copy of their personal data from a controller processing their personal data in a readily usable format allowing the consumer to easily transmit the data to another controller. 5. Obtain a list of the categories of third parties to which the controller disclosed the consumer’s personal data. 6. Opt-out of the processing of personal data for the purpose of targeted advertising, the sale of personal data or profiling. Dealers subject to MODPA will be “controllers” and must establish a secure and reliable method for consumers to exercise the rights previously listed. Controllers must comply with consumer requests to exercise one of the above rights, responding no later than 45 days after they receive a request (plus a 45-day extension if it is reasonably necessary to complete the request due to complexity and number of requests). Controllers can reject a consumer’s request by informing the consumer no later than 45 days after the initial request, with justification for declining, as well as providing instructions for how to appeal the decision to decline. The MODPA provides a non-exhaustive list of requirements that dealerships must meet to adhere to the law, including but not limited to: 1. Limit the collection of personal data of a consumer to what is reasonably necessary and proportionate to provide a specific product or service requested by the consumer. 2. Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect personal data confidentiality, integrity and accessibility. 3. Provide an effective mechanism for consumers to revoke their consent that is as easy as the mechanism by which the consumer provided consent initially. (The controller must then stop processing the consumer’s personal data no later than 30 days after receiving the request to revoke consent.) 4. Not sell sensitive data, process personal data in violation of state and federal laws prohibiting unlawful discrimination, and unless the consumer consents, a controller must not process personal data for a purpose that isn’t reasonably necessary to/ compatible with the disclosed purpose for which the personal data is processed. PENALTIES FOR VIOLATIONS Most privacy laws have penalties for violations, which can be very steep. For example, violations of MODPA are considered an unfair, abusive or deceptive trade practice, falling under the authority of Maryland’s Consumer Protection Act. Maryland has discretion in whether to initiate an action immediately or issue a notice of violation to the controller/processor if they determine that a cure is possible (if notice is issued, the controller/processor has at least 60 days to cure). MODPA violations can provide relief not limited to injunctive relief, civil penalties and attorneys’ fees. MODPA violators are subject to civil penalties not exceeding $10,000 for each violation. Repeat violators will be subject to fines not exceeding $25,000 for each subsequent violation. HOW DO DATA PRIVACY LAWS IMPACT DEALERSHIPS? Dealerships need to know the data privacy laws in the states they operate — but that is not all. First, many dealerships are located close to borders; for example, dealers in Virginia that often sell to Maryland consumers may also meet the requirements of MODPA. In addition, cases like Briskin and overbroad laws like the MODPA, which applies to businesses “providing products/services targeted to the residents of Maryland,” dealerships that do not operate in certain states could receive threatening letters from consumers or zealous attorney generals. Dealers must begin addressing any potential issues they have with collecting personal data through their websites and advertisements. Dealers should consult experts like ComplyAuto to ensure compliance with data privacy laws. vada.com 7
RkJQdWJsaXNoZXIy MTg3NDExNQ==