Pub. 11 2022-2023 Issue 3

the country engage in similar behavior. We will briefly discuss these cases below. For more information about these and other FTC enforcement actions, please visit their library at https://www.ftc.gov/ legal-library/browse/cases-proceedings. The FTC lawsuit against GoodRx alleges that the company integrated third-party tracking tools from Meta (Facebook), Google and other advertisers and shared user health data with them for advertising purposes without the user’s consent (also known as “retargeted advertising” as defined below). Additionally, GoodRx used the personal health information to target users with advertisements itself and failed to limit third-party use of their information. According to the FTC, this violated Section 5. “Retargeted advertising” allows businesses to display advertisements to users who have previously interacted with their website or have shown interest in their products or services. This is a widely used marketing tool because it increases the touch points with that user and makes the user more likely to convert into a sale. BetterHelp met the same fate at the hands of the FTC for performing similar acts. Brushing aside the more obvious concerns of making false claims and deceptive marketing (BetterHelp said it was “HIPPA Certified” and had seals implying its purported compliance with HIPPA, but no government agency or third party ever reviewed its practices for compliance), we are going to focus on the retargeted advertising aspect of the complaint. BetterHelp had a banner at the bottom of every page on its website, which stated: “We use cookies to help the site function properly, analyze usage, and measure the effectiveness of our ads. We never sell or rent any information you share with us. Read our Privacy Policy to learn more.” BetterHelp then went through two significant changes in this banner, but neither one of them informed visitors that it would use and disclose their health information for advertising or that third parties would be able to use the visitors’ information for their own purposes. BetterHelp used and disclosed this information through various means, including “web beacons” (specifically pixels) placed on various pages on its website. Information was shared with third parties such as Facebook, Snapchat, Criteo and Pinterest to carry out this advertising. Like GoodRx and BetterHelp, dealerships often use cookies for retargeted advertising with companies such as Google and Meta through one of the many digital advertising vendors. The lesson here — dealerships should implement comprehensive privacy policy disclosures and a well-designed cookie consent banner to avoid the FTC’s scrutiny. For dealerships that want to avoid becoming the FTC’s next example, they must begin obtaining proper consent for the use and sharing of cookies that collect and track a prospective finance or lease customer’s online information and browsing history (and for those of you wondering, yes, the federal Gramm-Leach Bliley Act defines non-public personal information to include cookies and similar technologies). To state the obvious, this is an action based on federal law, so dealerships in all states (even those without comprehensive privacy laws) must prioritize protecting user data by updating their privacy policies with comprehensive disclosures, a cookie use policy, and a compliant cookie consent banner. For example, a well-designed cookie banner is a crucial tool for dealerships to obtain users’ informed consent for the use of online tracking in connection with retargeted advertising. However, poorly designed cookie banners can do more harm than good if they are implemented to confuse or trick consumers into consenting to online tracking (often referred to by regulators as “dark patterns”). Unfortunately, many vendors offer cookie banners that don’t actually work and may inadvertently allow cookies and other tracking technologies to deploy before the user has a chance to consent. In short, online privacy disclosures and cookie consent management should be a top priority for any risk-averse dealership. Updating privacy policies with comprehensive disclosures and implementing a compliant cookie consent banner can help defeat claims, similar to those brought against GoodRx and BetterHelp, and protect the dealership from other novel privacy allegations like we have seen with the recent uptick of state and federal wiretapping lawsuits stemming from online tracking activities. If you do not currently have a solution that provides you either of these things, ComplyAuto will be happy to assist you build a privacy policy that is unique to your dealership and a cookie consent banner that fulfills all state and federal requirements in our Privacy Rights Management system. If you would like to learn more, contact us at info@complyauto.com. This article should be used as a compliance aid only and though its accuracy has been made a priority, it is not a substitute for professional legal advice. Each dealer should rely on their own expertise when using it. ComplyAuto, LLC is a RegTech company offering cloud-based software that helps dealerships enhance their compliance capabilities while becoming more efficient and cost-effective. ComplyAuto uses data analytics and AI to provide real-time automated compliance decisions, performing tasks that would normally require manually-intensive processes and human intelligence. NCDA.COM 7

RkJQdWJsaXNoZXIy MTg3NDExNQ==