OFFICIAL PUBLICATION OF THE VIRGINIA AUTOMOBILE DEALERS ASSOCIATION

2025 Pub. 6 Issue 4

Living in the Digital Age

Summary

A recent federal court ruling has set a precedent that could expose dealerships to litigation in states where they don’t have a physical presence. The case, Briskin v. Shopify Inc., established a “traveling cookie” rule, meaning a company can be subject to jurisdiction in any state where a consumer’s device with an installed tracking cookie travels. This decision, combined with the increasing number of states passing strict data privacy laws like the new Maryland Online Data Privacy Act (MODPA), means dealerships must ensure their websites are compliant with a wider range of state laws to avoid potential penalties.

Get the Latest

Brick-and-mortar dealerships are the heart and soul of the dealership model, but dealerships are living in a digital age. Recently, the United States Court of Appeals for the 9th Circuit issued a decision that could impact dealerships nationwide and how dealerships comply with state data privacy and perhaps even other state consumer protection laws. The case highlights the issues courts are struggling with in an age where online commerce is the norm. In Briskin v. Shopify Inc., Briskin, a California resident, purchased clothes from a California merchant’s website powered by Shopify’s e-commerce platform. Shopify Inc. is a Canadian corporation headquartered in Ottawa, with two wholly owned subsidiaries in the United States that are Delaware corporations. Shopify’s software automatically installed tracking cookies on Briskin’s phone, gathering Briskin’s personal data without his knowledge or consent. Plaintiffs brought claims under California privacy and other state laws.

Shopify argued that jurisdiction was improper and that Briskin unilaterally acted on his own, which resulted in the taking of his personal data, not through any intentional acts of Shopify itself. The 9th Circuit Court found that California had jurisdiction over the case and that Shopify violated California state law by collecting, maintaining and selling Briskin’s personal data, even if Shopify did not intend to obtain Briskin’s personal data specifically. In essence, the court created a new “traveling cookie” rule: When a company attaches cookies to a person’s electronic device, jurisdiction attaches wherever that person happens to be and wherever that person happens to travel thereafter. The 9th Circuit has ruled that interactive platforms, such as websites that are available nationwide, and that automatically monitor or gather the personal data of interacting users, are expressly aiming wrongful conduct towards other states that have stricter state consumer privacy laws. This decision could set a precedent for the concept that dealerships are subject to jurisdictions in California, or other states with stricter consumer privacy and related laws, simply by virtue of a website that interacts with consumers from those states. Dealerships may be roped into litigation simply based on the fact that a consumer accessed their website/advertisement, cookies were automatically attached to the consumer’s device without the consent of the consumer and personal data was taken and/or sold in violation of a state’s privacy laws.

Notably, the primary claims in the Briskin case were brought under the California state wiretapping law — CIPA — that allows for statutory damages related to cookies and other tracking technologies loaded onto a website without adequate consumer consent. The same jurisdictional theories, however, could apply to state privacy laws like the CCPA and other state privacy laws. Not all states have restrictive privacy laws like California, but there are now 19 states with state privacy laws, including Maryland. The MODPA, signed into law on May 9, 2024, took effect on Oct. 1, 2025, and it grants Maryland residents broad privacy rights in the usage and collection of their personal data while imposing obligations and restrictions on businesses that conduct business in Maryland or target the residents of Maryland. Businesses, like dealerships, must conform to specific standards regarding the control and processing of Maryland consumers’ personal data.

What are Data Privacy Laws?

Numerous states have passed data privacy laws that could impact your dealership. Living in the digital age, most of you have recently visited a website where you had to click on whether to allow cookies or reject them. Such banners are used, in part, to comply with data privacy laws. Some states have much stricter laws than others, but dealers need to be aware of the laws that impact their dealership. Compliance companies, like ComplyAuto, assist in making sure your dealership is compliant. In Maryland, the MODPA is applicable to persons and legal entities conducting business in Maryland or providing products/services targeted to the residents of Maryland AND that, during the previous year, either (1) controlled or processed at least 35,000 consumers’ personal data (excluding personal data controlled or processed for the purpose of completing a payment transaction) OR (2) controlled or processed the personal data of at least 10,000 consumers and derived over 20% of the entity’s gross revenue from the sale of personal data. Note that most dealers will meet this customer data threshold.

Under MODPA, consumers are granted the right to:

  1. Confirm whether a controller, which is a business/individual determining the purpose and means of processing personal data, is processing their personal data, and consumers have the right to access it.
  2. Correct inaccuracies in their personal data.
  3. Require the controller to delete personal data unless retention of the data is required by law.
  4. Obtain a copy of their personal data from a controller processing their personal data in a readily usable format allowing the consumer to easily transmit the data to another controller.
  5. Obtain a list of the categories of third parties to which the controller disclosed the consumer’s personal data.
  6. Opt out of the processing of personal data for the purpose of targeted advertising, the sale of personal data or profiling.

Dealers subject to MODPA will be “controllers” and must establish a secure and reliable method for consumers to exercise the rights previously listed. Controllers must comply with consumer requests to exercise one of the above rights, responding no later than 45 days after they receive a request (plus a 45-day extension if it is reasonably necessary to complete the request due to complexity and number of requests). Controllers can reject a consumer’s request by informing the consumer no later than 45 days after the initial request, with justification for declining, as well as providing instructions for how to appeal the decision to decline.

The MODPA provides a non-exhaustive list of requirements that dealerships must meet to adhere to the law, including but not limited to:

  1. Limit the collection of personal data of a consumer to what is reasonably necessary and proportionate to provide a specific product or service requested by the consumer.
  2. Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect personal data confidentiality, integrity and accessibility.
  3. Provide an effective mechanism for consumers to revoke their consent that is as easy as the mechanism by which the consumer provided consent initially. (The controller must then stop processing the consumer’s personal data no later than 30 days after receiving the request to revoke consent.)
  4. Not sell sensitive data; not process personal data in violation of state and federal laws prohibiting unlawful discrimination; and, unless the consumer consents, not process personal data for a purpose that isn’t reasonably necessary to or compatible with the disclosed purpose for which the personal data is processed.

Penalties for Violations

Most privacy laws have penalties for violations, which can be very steep. For example, violations of MODPA are considered an unfair, abusive or deceptive trade practice, falling under the authority of Maryland’s Consumer Protection Act. Maryland has discretion in whether to initiate an action immediately or issue a notice of violation to the controller/processor if it determines that a cure is possible (if notice is issued, the controller/processor has at least 60 days to cure). Relief for MODPA violations includes, but is not limited to, injunctive relief, civil penalties and attorneys’ fees. MODPA violators are subject to civil penalties not exceeding $10,000 for each violation. Repeat violators will be subject to fines not exceeding $25,000 for each subsequent violation.

How do Data Privacy Laws Impact Dealerships?

Dealerships need to know the data privacy laws in the states in which they operate — but that is not all. First, many dealerships are located close to borders; for example, dealers in Virginia that often sell to Maryland consumers may also meet the requirements of MODPA. In addition, given cases like Briskin and overbroad laws like the MODPA, which applies to businesses “providing products/services targeted to the residents of Maryland,” dealerships that do not operate in certain states could receive threatening letters from consumers or zealous attorneys general. Dealers must begin addressing any potential issues they have with collecting personal data through their websites and advertisements. Dealers should consult experts like ComplyAuto to ensure compliance with data privacy laws.
