By David Estrada and Hao Nguyen
Attention all dealers: if you have not adjusted your website tools and dealership practices for consumer privacy issues, you need to do it now. Recently, a car dealership in New Jersey received a notice of a class action lawsuit brought by a California-based law firm representing California residents. This is the start of a litigation pattern in the automotive industry over privacy concerns related to chat modules, session replay tools, and tracking cookies. If you don’t have the proper processes in place, the next letter may be coming to you.
In this article:
- Legal Threat to Dealerships: A California law firm is targeting a New Jersey dealership, alleging unauthorized recording and sharing of customer communications without consent, violating the California Invasion of Privacy Act (CIPA).
- Wider Legal Concerns: The notice to the New Jersey dealership warns of potential legal actions in other states with similar wiretapping laws. About 14 states require consent from all parties in communication before recording, indicating a broader legal landscape.
- Protective Measures: Dealerships are urged to implement robust cookie consent banners and comprehensive privacy policies to inform consumers and secure consent.
What’s Happening?
Numerous states have established laws to safeguard against the unauthorized recording of electronic communications. For instance, The California Invasion of Privacy Act (CIPA) mandates obtaining consent from all involved parties before recording any communication. This requirement ensures that all parties are aware of and agree to the recording beforehand. More commonly known as “wiretapping,” any person who wilfully records, or even reads, a communication without the consent of all parties may be liable in a private action for $5,000 per person.
We recently learned that a California-based law firm, claiming to represent a class of California residents, is preparing to file a class action lawsuit against a dealership for allegedly recording their clients’ communications after they interacted with the dealership’s website chat module, sharing these communications with third parties without the clients’ prior consent and, therefore, violating CIPA in the process. Said in another way, the dealership’s website has tools that record the consumer’s interactions and shares it with other vendors without receiving the consumer’s permission.
The catch? Though the plaintiffs are in California, the dealership is not – it is located in New Jersey.
Why is this Happening Now?
Over the last two years, plaintiff attorneys have been suing businesses for privacy violations under the theory that online tracking tools (whether it be cookies, session replay tools, or chat modules) constitute illegal “wiretapping” or recording of consumer activities and communications without consent. It was only a matter of time before dealers were the next target.
State laws like the CIPA protect residents and place requirements on parties who want to record communications. Whether it is audio or text-based, all parties to the recorded communication need to provide consent if at least one of them is from California no matter where the other parties are located. As online shopping becomes more ubiquitous, the simple fact that a California resident can visit a New Jersey-based dealership is not far-fetched, so the dealership needs to receive the consumer’s consent to record any of their communications. One effective way for this out-of-state dealer to properly receive the consumer’s consent is to have a properly designed cookie consent banner and privacy policy with specific disclosures.
A Harbinger of Things to Come: Other States’ Wiretapping Laws
This notice by the California-based law firm to an out-of-state dealership is the proverbial “canary in the coal mine”. CIPA provides wiretapping protections for California residents and the law firm uses this fact as the crux of their accusation. Expanding this law firm’s strategy to include other states with similar wiretapping laws reveals a potentially complex scenario. In about 14 states, laws require all parties in a communication to consent before recording. Should law firms in these states emulate the approach taken by this California firm, it could lead to a significant increase in privacy-related legal actions and a heightened emphasis on compliance with wiretapping laws across various industries.
Wiretapping Lawsuits Not Limited to Online Chat Tools
These kinds of lawsuits that target dealers are not limited to communications over chat modules. Tracking cookies placed and monitored without consumer consent also play a significant role. As you well know, dealerships collect a significant amount of personal data from consumers when they visit their websites.
In addition to collecting consumer data such as IP addresses, geolocation data, and other information for cross-contextual behavior advertising, tools used by dealerships and their website providers often have the ability to record and recreate a consumer’s entire visit to the dealership’s website. From logging keystrokes and tracking cursor movements to recording clicks and other interactions, these tools are known as session replay tools. Furthermore, chat module providers have the ability to capture the content of any chat module communication and recreate and share it at will, which was the main cause of action in the letter.
As noted in a prior article we published, “Session Replay Tools: Data Analytics Gold or Privacy Pitfall?”, at the core of various state and federal personal data laws is consumer knowledge and consent. Dealerships do this by having a robust consumer cookie consent banner and a comprehensive privacy policy that tells the consumer exactly what kinds of information is being collected and shared.
Expanding to State Personal Data Laws?
These kinds of lawsuits may not be limited to just wiretapping laws. Rather, any state laws that provide rights and protections to its own state residents could be used as a launching pad for these types of claims if they are violated by out-of-state parties. A prime example would be state personal data laws.
Take, for example, the California Privacy Rights Act (CPRA). The CPRA provides significant rights to consumers who are residents of California and places many disclosure and process requirements on businesses to fulfill those consumers’ rights. Based on this reason alone, the gist of the legal action against the New Jersey dealer tells us that regardless of where your dealership is located, any California resident who visits your website can potentially be a “legal liability time bomb” if you do not have the proper processes in place to fulfill the CPRA.
Applying this idea to the other eleven (and counting) personal data laws in the United States, and coupled with the mass adoption of online shopping, dealerships across the country must prepare for this new reality. The litigious environment we live in, added to the hyper-sensitivity around consumer data in various states, will encourage these plaintiff’s attorneys and allow these types of lawsuits to proliferate.
As highlighted earlier, the foremost strategy for protecting your dealership from claims of illegal wiretapping and violations of state personal data laws is through a well-crafted, fully operational cookie consent banner, coupled with a comprehensive, dealership-specific privacy policy. An essential component of this approach is incorporating consumer privacy consent options, such as Data Subject Access Requests (DSARs), to ensure robust compliance and respect for consumer rights. While the process entails complexities, further insights can be gained from our previously published articles which delve deeper into these critical aspects of data privacy and protection.
The New Reality: Cookie Consent Banners and Privacy Policies
The name of the game is “knowledge and consent.” It’s crucial that consumers are clearly informed about the types of activities that will occur when they use the website, or specific tools on it, and they must have the option to consent to these activities. This ensures transparency and respects the user’s choice in their online interactions.
A compliant cookie consent banner prevents specific cookies and tracking pixels from loading until a consumer consents to it by clicking “accept.” The banner also plays a crucial role in the “knowledge” element by offering an upfront notice, facilitating an agreement to consent, and providing a direct link to the privacy policy. This approach ensures that users not only consent but are also well-informed about the specifics of data collection and usage outlined in the privacy policy. However, the aspect of “knowledge” extends beyond what a banner alone can provide. Additional language must be included in the privacy policy regarding not only the chat module but any other website tools that collect and share information, detailing exactly what categories of information are collected and who they are shared with.
Working together, a well-designed cookie consent banner and a comprehensive privacy policy should help prevent these kinds of lawsuits from occurring in the first place if implemented correctly. The emphasis is on “correctly” because this fairly straightforward concept becomes increasingly complex when it is applied to the automotive industry. We know because we built it.
ComplyAuto: We Did the Work (Years Ago) So You Don’t Have To
We alluded to the importance of a robust cookie consent banner and a comprehensive privacy policy in an article that we published over a year ago, “All Cookies Are Not Created Equal: FTC Cracks Down On Targeted Advertising Without User Consent”, where the FTC brought an action against an online pharmaceutical company under its broad UDAP authority. The advent of state personal data laws being enforced on dealerships not even located in the respective state makes these online tools even more important.
Since then, our online tools have evolved to keep lockstep with the evolving playing field. Most critical to the issue at hand are the chat module and session replay tool disclosures we have incorporated into our dealers’ privacy policies. Both of these disclosures provide notice to consumers that their interactions and any information provided may be captured by either tool, defending against any potential allegation that website users had no prior knowledge of the use of these tools.
Additionally, our cookie consent banner has been updated to consider new cookies and pixels from digital advertising agencies and website providers as they become more creative in their service offerings. Furthermore, our vendor management library has become more comprehensive as new vendors enter the market and is constantly updated to precisely identify the specific type of consumer information it collects based on the vendors’ products and services. All of this information is used to build out a privacy policy that is unique to your dealership and is automatically updated as you add (or remove) vendors.
Disclaimer in the Chat Tool
To further protect your dealership from these types of lawsuits, we recommend adding disclaimers directly to chat modules in addition to those in the cookie consent banners and updated privacy policies. An effective disclosure would notify users that any interactions and information provided with the chat module may be captured and retained by the dealer. These disclaimers can either be in close proximity to the chat box field or within the field itself. For example, the text can state “By interacting with this chat module, you acknowledge and consent to the recording and sharing of these communications with third party affiliates and non-affiliates for business and marketing purposes. To learn more, please visit our privacy policy.” Though not a perfect remedy by itself (as the definition of “express consent” continues to evolve), it would serve as a useful addition when coupled with these other preventative measures. Contact your chat module vendor to see if such a disclaimer is possible.
The Proof: Almost 10,000 ComplyAuto Clients and No Privacy Incidents
It’s unfortunate that in 2024, plaintiff’s attorneys have chosen to align themselves with these “creative” interpretations of state and federal personal data laws. However, it is fortunate that ComplyAuto’s foresight has allowed dealers to address these issues proactively. Since 2020, we have been diligently working to offer our dealer clients robust protection, ensuring they stay ahead in managing these evolving legal challenges.
With nearly 10,000 dealer clients, we have no reported personal data incidents – neither a potential lawsuit, nor an action from any local, state, or federal agency. Our success rate speaks for itself. Our tools work so you don’t have to. For more information about our products and services, please visit our website at https://www.complyauto.com or send an email to info@complyauto.com.