You have probably noticed those (somewhat irritating) “cookie banners” that have begun appearing on websites of all kinds — what are they and why are they popping up everywhere?
The bottom line is that there is a cottage industry of plaintiff lawyers, along with a growing consensus of state and federal regulators, who are concerned about cookies and other tracking technologies on websites and are determined to address them with regulatory action and litigation. For dealers (as with other businesses), you need a banner, and you need one that not only is designed in a compliant manner and includes the required information, but it MUST WORK as stated, and that is no small task.
Is the risk real? Unfortunately, the answer is yes. Somewhat akin to the ADA website issue from a few years ago, a sizable contingent of plaintiffs’ lawyers is targeting businesses of all kinds, including dealers, and the risks are real if you don’t get this right.
All dealer websites load a large number of cookies, scripts and other tools that are intended to track visitors on your site (analytics), and across the internet (retargeting). Dealers, marketing companies and OEMs increasingly rely on website cookies and related tracking technologies to generate leads, measure advertising effectiveness and personalize the customer experience. And sometimes these third parties load, use, disguise or obtain these tools on the dealers’ websites — with or without the knowledge of the dealer.
These tools are powerful and often essential to modern digital retailing. They also create legal and compliance exposure that now demands attention at the executive level. The legal impacts are not confined to one state or region; they now apply across the country and extend to all dealers who collect data online.
What Is Actually Running on Your Website?
The sad truth is that many dealers don’t know what is actually happening on their websites — and that can raise not only compliance and litigation risks, but practical business concerns as well. Your website is your digital storefront, your data and your customers, and these tools allow third parties to extract, use and share that data. If you don’t know what’s happening, it’s likely that some third party is taking data that you aren’t even aware of.
We won’t get too technical here, but while “cookies” is the common shorthand, most dealership websites use a broader ecosystem of tracking technologies. These include traditional browser cookies, tracking pixels that transmit user activity to third parties, JavaScript tags and tag managers that dynamically load external scripts, analytics platforms, chat tools, session replay software, search tools and advertising integrations.
These technologies can collect or transmit IP addresses, device identifiers, browsing activity, vehicle interest and form interactions. In some cases, they may also capture finance-related information such as payment estimator inputs, lease-versus-loan selections, income ranges or credit score approximations. Many of these tools are implemented directly by website providers, digital marketing vendors, OEM programs or advertising platforms. As a result, dealerships may be sharing consumer data externally without fully understanding the scope of what is being collected or where it is being sent.
As with any data sharing, there may be good reasons to engage in practices that use these tools — as long as you are fully aware of what is happening, you are protected by contract, and you are managing your risks appropriately.
Litigation Risk: UDAP and Wiretapping Theories
Perhaps the greatest current threat in this area is the risk of litigation. Plaintiffs’ firms are actively sending thousands of demand letters, and increasingly filing class actions alleging that websites deploy tracking technologies without proper consent — or that the consent does not function as described. These claims vary, but the basic claim is that by deploying tracking technologies without obtaining adequate consent from the consumer, you are violating a number of state and federal laws.
One recurring allegation involves misleading cookie banners where a site represents that certain types of cookies will not load until consent is given, but tracking begins immediately upon page visit or those cookies are not properly categorized or blocked. Another popular plaintiffs’ theory focuses on the practical impossibility of reversing data collection once information has already been transmitted to third parties. Once external platforms build consumer profiles, later opt-out efforts may not effectively unwind the prior sharing.
In addition, plaintiffs have invoked federal and state wiretapping laws, arguing that certain third-party tracking tools intercept electronic communications without adequate consent. Technologies such as session replay software, chat monitoring tools and certain analytics scripts have been targeted. Some state statutes require two-party consent, and courts have allowed cases to proceed even where the dealership is located outside the plaintiff’s state. While the legal landscape remains unsettled, obtaining clear, informed consent before activating nonessential tracking and analytics technologies remains the most effective practical safeguard.
Remember, these litigation risks are generally unrelated to state privacy laws and are not limited to any state. Dealers in all 50 states are seeing increasing numbers of these claims nationwide.
State Privacy Laws and Targeted Advertising
Comprehensive state privacy laws1 are now in effect in numerous jurisdictions, including Texas, and these create additional potential risks for dealers. While several state privacy laws, including Texas, exempt “financial institutions,” issues for dealers under these laws may remain.2 For example, a central feature of many of these laws is the consumer’s right to opt out of the “sale” of personal information and the use of personal data for targeted advertising.
In several states, including Texas, the definition of a “sale”3 extends beyond an exchange of money. Sharing personal information with a third party in exchange for analytics insights, ad optimization or other business benefits may constitute a sale under those statutes. Similarly, enabling cross-site advertising through common ad network pixels (e.g., Google, Meta) may qualify as targeted advertising, triggering disclosure and opt-out obligations. Dealers may be subject to these laws even if they are not physically located in the state, provided they collect personal information from residents of those jurisdictions and meet any other applicability requirements.
Failure to implement meaningful opt-out mechanisms or to clearly disclose data-sharing practices can result in regulatory risk under the state privacy law directly.
Governance and Ongoing Oversight
Dealers should understand what technologies are deployed on their websites, what data is collected and with whom it is shared. Consent mechanisms must function as described, and privacy policies must accurately reflect actual data practices rather than generic template language. Vendor relationships should be reviewed to ensure contractual alignment with GLBA obligations and applicable state privacy laws. In this ever-evolving legal landscape, website technology tools must be governed with the same rigor applied to other compliance-sensitive areas of the business.
ComplyAuto is an industry-leading software provider specializing in automated compliance solutions for dealerships navigating complex state and federal privacy laws and website cookie consent requirements. With extensive experience addressing complex regulations such as the Texas Data Privacy And Security Act (TDPSA), ComplyAuto offers integrated solutions designed to simplify compliance and protect dealerships nationwide. Backed by decades of combined legal expertise and strong partnerships with numerous state dealer associations (including TADA), ComplyAuto ensures dealers remain compliant in today’s evolving regulatory environment. To learn more, visit complyauto.com.
NOTES
- There are related concerns raised under federal law that are outside the scope of this article, but are important. For example, the FTC has made it clear that persistent identifiers such as cookies and device IDs may qualify as personal information when they identify individuals or can reasonably be linked to them. If a dealership’s website states that certain tracking technologies will not activate until a user provides consent, but those trackers load regardless, regulators may view the discrepancy as an unfair or deceptive act under Section 5 of the FTC Act. In short, cookie banners and privacy disclosures must accurately reflect what is happening technically behind the scenes.
- This is a complicated issue, but while these exemptions offer a strong defense in enforcement or litigation, there is a growing consensus that these exemptions may not cover all of dealership operations, or all situations depending on the corporate structure of the dealership and other factors. Even if the exemption applies, all dealers need to protect against the litigation threats, and there are a number of independent reasons why dealers still may want to comply with state privacy laws.
- “‘Sale of personal data’ means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.” Tex. Bus. & Com. Code § 541.001(28) (emphasis added).
