
by Mark Sandborn
Senior Product and Regulatory Counsel
The digital age has brought about unprecedented opportunities for auto dealerships to engage with customers online, leveraging powerful tools like cookies and other tracking technologies. However, with great power comes great responsibility, and the use of these technologies has given rise to a new wave of legal challenges, most recently in the form of wiretapping claims.
Recent litigation trends have seen a surge in cases brought under laws like the California Invasion of Privacy Act (“CIPA”), alleging that online tracking tools constitute illegal “wiretapping” or recording of user activities and communications through websites without consent. This has put auto dealerships and manufacturers in the crosshairs, facing legal claims not only in states where they physically operate but also based on the state law where individuals have accessed their websites.
The crux of these wiretapping claims lies in the interpretation and application of CIPA and similar state and federal laws. Plaintiffs argue that the use of cookies, tracking pixels, session replay tools, scripts, chat modules, and the like to monitor and record user interactions and communications on dealership websites violates these laws, because the websites did not obtain the users’ prior express consent.
Many of the recent legal claims alleging wiretapping violations related to online tracking have been initiated by the same law firms previously active in website accessibility cases, often using “tester” plaintiffs who visit dealership websites with the primary intention of identifying potential violations rather than genuinely engaging as prospective customers.
The potential consequences for dealerships are significant, with CIPA allowing for statutory damages of $5,000 per violation or three times actual damages, whichever is higher. As the number of plaintiffs and alleged instances of tracking increases, the potential damages can quickly skyrocket.
But it’s not just California that auto dealerships need to worry about. 14 states in total require all-party consent for recording or monitoring communications, and plaintiffs’ lawyers are starting to adopt similar strategies for these jurisdictions. Even federal law, in the form of the Wiretap Act, sets a baseline of protection against unauthorized interception of electronic communications.
It’s also important to recognize that the risk extends beyond just dealers located in the 14 states with all-party consent wiretapping laws. Plaintiffs’ lawyers have successfully pursued claims against dealerships located in states without all-party consent legislation based on the fact that the plaintiff was located in an all-party consent state when they accessed the website. This means that even if a dealership is not located in an all-party consent state, they may still face potential liability under other wiretapping-related legal principles. Moreover, it’s worth noting that additional legal theories related to wiretapping can be applicable, such as the use of pen registers or trap-and-trace devices. In light of these considerations, dealerships across the country should be mindful of the complexities and far-reaching implications of wiretapping laws, regardless of their specific state’s legislation.
So, what can auto dealerships do to navigate this legal minefield?
The key lies in understanding the legal landscape, implementing robust consent mechanisms, and being transparent about data practices.
Dealerships must prioritize obtaining explicit, informed consent from website visitors before deploying any tracking technologies. This means implementing clear and conspicuous cookie consent banners that explain the types of data being collected, the purposes for which it will be used, and the third parties with whom it may be shared. Burying this information in lengthy privacy policies or using manipulative design practices (known as “dark patterns”) is unlikely to pass legal muster.
In addition to consent, dealerships should consider preventing the deployment of certain marketing cookies and tracking technologies until a user provides consent. From a technical perspective, this requires placing the cookie banner script at the top of the header section of the website source code, so that it loads before third-party marketing cookies and scripts and can block them from executing. This aligns with the principle of prior express consent, avoids potential limitations of after-the-fact opt-outs, and is consistent with recommendations made by some courts and regulators. This does not mean that dealerships need to adopt GDPR-style practices, but it does mean that dealerships need to be thinking strategically about the use of cookies and tracking technologies on their websites.
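An added example, not part of the original article or any vendor's product: one way to hold marketing tags until the visitor opts in, as the paragraph above describes. The class name, category names and example.test URLs are hypothetical, and the script loader is passed in so the logic can also run outside a browser.

```javascript
// Added example: a consent gate that must load before any third-party tag.
// ConsentGate, the category names and the example.test URLs are hypothetical.
class ConsentGate {
  constructor(loadScript, store) {
    this.loadScript = loadScript; // in a browser: appends a <script src> to <head>
    this.store = store;           // Map-like; in a browser, a wrapper over a first-party cookie
    this.pending = [];            // tags waiting for a decision
    this.loaded = [];             // tags actually injected, in order
  }

  // Default is deny: no stored choice means nothing beyond "necessary" runs.
  granted(category) {
    if (category === "necessary") return true;
    const choice = this.store.get("consent");
    return Boolean(choice && choice[category] === true);
  }

  // Every tag goes through register() instead of being hard-coded in the page.
  register(tag) {
    if (this.granted(tag.category)) this.run(tag);
    else this.pending.push(tag);
  }

  run(tag) {
    this.loadScript(tag.src);
    this.loaded.push(tag.src);
  }

  // Called by the banner buttons; records the choice, then releases what was approved.
  setConsent(choice) {
    this.store.set("consent", { ...choice, recordedAt: new Date().toISOString() });
    const stillBlocked = [];
    for (const tag of this.pending) {
      if (this.granted(tag.category)) this.run(tag);
      else stillBlocked.push(tag);
    }
    this.pending = stillBlocked;
  }
}

// Constructed walk-through: first visit, then the visitor accepts analytics only.
function demo() {
  const gate = new ConsentGate(() => {}, new Map());
  gate.register({ src: "/js/site.js", category: "necessary" });
  gate.register({ src: "https://pixel.example.test/p.js", category: "marketing" });
  gate.register({ src: "https://stats.example.test/a.js", category: "analytics" });
  const beforeChoice = [...gate.loaded];
  gate.setConsent({ marketing: false, analytics: true });
  return { beforeChoice, afterChoice: gate.loaded, blocked: gate.pending.map(t => t.src) };
}
```

Tags hard-coded in the page markup bypass a gate like this, so a tracking-technology inventory should confirm that every third-party script is registered through it.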
A cookie banner should also be paired with a privacy policy that meets the requirements of state and federal laws, accurately reflecting the organization’s data collection, use, and sharing practices. Dealerships should also maintain accurate inventories of the cookies and tracking technologies used on their websites, regularly auditing and documenting these tools to ensure compliance with privacy laws and facilitate transparent disclosures to users.
When it comes to vendor management, dealerships must be diligent in vetting third parties that have access to user data collected through their websites. This includes establishing contractual safeguards, regularly monitoring vendor compliance, and promptly updating privacy policies when new vendors or data-sharing practices are introduced.
In the face of potentially costly litigation, dealerships may also consider implementing arbitration agreements and class action waivers in their website terms of use. However, the enforceability of such provisions can vary by state, necessitating close collaboration with legal counsel to craft legally sound and enforceable terms.
Navigating the legal landscape of online tracking is no easy feat for auto dealerships, but with a proactive approach, a commitment to transparency and consent, and a robust compliance strategy, they can harness the power of these technologies while minimizing legal risk. By staying informed and adaptable in the face of evolving legal challenges, dealerships can continue to innovate and thrive in the digital age.