Regulators in California, Colorado, and Connecticut have stepped up enforcement in a very visible way. On September 9, 2025, regulators in these three states announced a coordinated sweep of businesses that appear to be ignoring opt out preference signals, including Global Privacy Control (GPC) signals, the browser-based tool that automatically communicates a consumer’s choice to opt out of targeted advertising and the sale of their personal information.1
For dealerships, this development is a signal that regulators are looking closely at the way businesses’ websites, including dealer websites, collect and use consumer data, and whether those practices line up with state privacy laws.
Opt-out preference signals—often referred to as Global Privacy Control (GPC) signals—are browser- or device-based mechanisms that automatically communicate a consumer’s choice to opt out of the sale or sharing of their personal information. These signals allow users to express privacy preferences universally, rather than having to make individual requests on every website they visit. Under many state privacy laws, businesses must recognize and honor valid opt-out preference signals as a legally binding consumer request.
Why This Sweep Matters for Dealers
Dealership websites are among the most data-intensive in retail. Lead forms, trade-in calculators, service schedulers, chat tools, cookies, and digital advertising pixels all capture and transmit customer information around the clock. Regulators know this, which is why honoring GPC signals has become a top priority.
What makes this especially urgent is how easy it is to check. Regulators and consumers can test in minutes whether a website respects GPC signals. There’s no gray area: either it works or it doesn’t. Many states, such as California, Colorado, Connecticut, Texas, Maryland, and Minnesota, already require GPC recognition.
What Dealerships Should Do Now
The lesson from this sweep is clear: do not wait for a regulator’s letter to check your compliance. Dealers can take practical steps today to reduce risk and strengthen their compliance:
1. Check Your Website Functionality
Ensure your website recognizes and processes GPC signals. Many consent management tools support this already, but don’t assume yours does.
2. Audit Your Tracking Technologies
Dealers often run multiple layers of tracking scripts from OEMs, third-party vendors, and advertising partners. Verify that your website is configured to respect opt-out signals for all technologies on your website. This requires accurately classifying all tracking tools on your site so your consent manager can handle each one correctly.
3. Test Independently
Run your own tests across different browsers. Don’t rely solely on the vendor that built or manages your site to test itself. Regulators can run the same tests you can.
4. Update Your Privacy Policy
Make sure your privacy disclosures explain how you handle opt-out preference signals. Align what you say publicly with what your website actually does. If your disclosures say one thing but your site operates differently, regulators and consumers can hold you independently liable for misleading statements, even apart from the underlying privacy violation.
5. Train Your Teams
Ensure that compliance, marketing, and sales staff understand the dealership’s obligations, and that business practices track what your policy promises.
Looking Ahead
This multi-state sweep is part of a broader enforcement shift. State regulators are increasingly pooling resources and focusing on simple, technology-driven requirements that are easy to verify. For dealerships, this means the compliance spotlight will increasingly fall on the website and the public-facing tools like GPC compliance.
The takeaway is straightforward: treat GPC compliance as a must-have, not a nice-to-have. Dealers that act now to test and update their systems will not only reduce enforcement risk but also position themselves to meet the next wave of privacy obligations already on the horizon.
How ComplyAuto is Helping
The good news is that ComplyAuto Privacy customers don’t have to worry about scrambling to catch up. Our consent management tool is already configured to recognize and honor opt-out preference signals, including Global Privacy Control signals, ensuring your dealership meets this key requirement automatically. That means while regulators are turning up the heat, your store can stay focused on selling cars, knowing your privacy compliance foundation is already in place.
- This sweep follows an April 2025 announcement by state regulators from Colorado, Connecticut, California, New Jersey, Delaware, Oregon, and Indiana, who agreed to collaborate on privacy enforcement and share expertise. Since that announcement, several additional states have joined the multistate consortium. ↩︎