
Cookie Consent for Automotive Sites and Car Dealerships

Auto dealers are financial institutions under federal law, and connected-car data just cost General Motors a five-year FTC ban. Here's what that means for cookie consent on dealership and automotive websites in 2026.

In January 2026 the FTC finalized an order banning General Motors and OnStar from disclosing drivers' geolocation and behavior data to consumer reporting agencies for five years, and requiring affirmative express consent before collecting connected-vehicle data going forward. Texas Attorney General Ken Paxton had already sued GM in 2024 over data from more than a million drivers, then widened the probe to Ford, Hyundai, Toyota, and others. Cars became one of the most scrutinized data sources in the country, fast.

Dealership and automotive websites sit in the middle of this. They carry a regulatory burden most marketers don't realize applies to them: car dealers are treated as financial institutions under federal law, and the personal data they collect through web forms and tracking pixels is legally protected in ways a typical retail site's isn't. This guide covers what that means for cookie consent.

Why a dealership is a financial institution

Most dealers arrange financing, so the FTC treats them as financial institutions under the Gramm-Leach-Bliley Act (GLBA). That pulls them under two rules. The GLBA Privacy Rule governs how you handle and share nonpublic personal information (NPI) and gives customers an opt-out of certain sharing. The Safeguards Rule (revised, in force since 2023, with dealer-specific FTC FAQs issued in June 2025) requires a written information security program with encryption, access controls, monitoring, and vendor oversight.

Here's the connection to your website. When a lead form collects a name, contact details, and interest in financing, that's the front door to NPI. When a chat widget, a trade-in valuation tool, or a credit pre-qualification form captures data and passes it to a third party through a tracking script, you've created a data flow that GLBA and your state's privacy law both care about. Cookie consent isn't a side issue for dealers; it's part of how you demonstrate control over regulated customer data.

The lead-form and pixel problem

Automotive sites are built to generate leads: inventory search, trade-in estimators, financing calculators, test-drive booking, and "get e-price" forms. Each one is a data-capture point, and most dealers wire them to advertising and analytics platforms so they can measure and retarget. That's where the exposure lives.

  • Form-field leakage. Advertising pixels and session-recording scripts can capture data typed into forms if they aren't scoped carefully. On a financing form, that can mean pixels ingesting the very NPI GLBA is meant to protect. Block those scripts until consent, and keep form capture off marketing tags.
  • VDP (vehicle detail page) tracking. Dealers fire dynamic retargeting so a shopper who viewed a specific truck sees that truck in ads later. That's marketing tracking and needs consent in opt-in jurisdictions and an opt-out path in US states.
  • Third-party lead vendors. Inventory platforms, chat providers, and CRM tools each drop their own cookies on your domain. You chose those vendors, so their non-essential cookies are your consent responsibility.

Run a cookie scan on your inventory and financing pages specifically. They usually carry heavier tracking than the homepage because that's where the conversion tooling lives.

Connected-vehicle data raises the stakes for OEMs

If you're a manufacturer or run OEM digital properties, the GM settlement is the map of where enforcement is heading. The FTC's order requires affirmative express consent before collecting connected-vehicle data (with narrow exceptions like sending location to emergency responders), transparency about what's collected, and a real ability for owners to delete data and opt out of collection. Precise geolocation and driving-behavior data are being treated as sensitive.

US state privacy laws reinforce this. Precise geolocation is classified as sensitive data in California and most other state privacy laws, which means processing it for advertising typically requires opt-in consent or, at minimum, a limitation right the consumer can exercise. The EDPB has published guidance on personal data in connected vehicles as well, so an automaker selling into the EU faces GDPR opt-in on top of the state-law picture. See our sensitive data under US state laws guide for how geolocation and other sensitive categories change the consent bar.

Consent posture: opt-out states and opt-in visitors

Most dealership traffic is domestic, so the US state model is the baseline. California, and the growing set of opt-out states, require a clear "Do Not Sell or Share My Personal Information" mechanism, honoring of the Global Privacy Control browser signal, and specific handling of sensitive data. A dealer running Meta and Google retargeting is almost certainly "sharing" or "selling" data in the statutory sense, which triggers those obligations.

Two practical implications:

  • Publish and wire up a Do Not Sell or Share link. It has to actually stop the sharing, not merely record a preference. Our Do Not Sell or Share guide covers building one that works.
  • Honor Global Privacy Control. California and several other states treat a GPC signal as a valid opt-out you must respect automatically. Our GPC guide explains the mechanics.

If you also serve EU or UK buyers (importers, luxury and specialty dealers, cross-border shoppers), those visitors need prior opt-in, not opt-out. Geo-targeted consent lets one banner serve US opt-out and EU opt-in from a single configuration, which our regional consent guide walks through. For the wider state-law picture, see our US state privacy laws guide.

Keeping the funnel measurable after consent

Dealers spend heavily on paid search and social, and losing conversion visibility when a shopper declines marketing cookies hurts. You don't have to choose between compliance and measurement.

  • Server-side conversions. Send lead and sale events to ad platforms server-to-server, keyed off a consented first-party signal rather than a browser pixel, so a declined banner doesn't erase attribution. Our server-side conversions and consent guide covers doing it without sending data you had no basis to share.
  • Consent Mode signals. When a visitor denies ad storage, fire the correct denied signals so Google's modelling recovers campaign-level insight instead of dropping the conversion.
  • First-party CRM audiences. Build remarketing from consented CRM contacts (past service customers, opted-in leads) instead of pixel-scraped audiences.
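An added example (not CookieBeam's or any vendor's code) that ties together the consent points above: opt-in versus opt-out regions, the Global Privacy Control signal and the Do Not Sell or Share link as opt-outs that actually change which tags load, and the Consent Mode signals to send on a decline. The region codes, the tag inventory and the stored-choice shape are assumptions made for the illustration.

```javascript
// Added example, not CookieBeam's code. Resolves a dealership visitor's consent state
// from region, stored banner choice and the GPC signal, then derives which tags may
// load and the Consent Mode parameters to send. Region codes, tag list and the
// stored-choice shape are assumptions for this illustration.
const OPT_IN_REGIONS = new Set(['EU', 'UK']); // assumed geo-lookup codes; others are opt-out

// Tag inventory (constructed). Only 'essential' runs without consent; marketing tags
// include the session recorder, which must never see financing-form input.
const TAGS = [
  { id: 'session-csrf', category: 'essential' },
  { id: 'analytics', category: 'analytics' },
  { id: 'vdp-retargeting', category: 'marketing' },
  { id: 'session-recorder', category: 'marketing' },
];

// Browser-side GPC signal; the same request carries a "Sec-GPC: 1" header server-side.
function readGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// storedChoice is null (no decision yet) or { marketing: bool, analytics: bool }.
function resolveConsent({ region, storedChoice, gpc }) {
  const optIn = OPT_IN_REGIONS.has(region);
  const chose = (key) => Boolean(storedChoice && storedChoice[key]);
  const declined = (key) => Boolean(storedChoice && storedChoice[key] === false);
  // Opt-in regions need an explicit yes; opt-out regions run until the visitor says no.
  let marketing = optIn ? chose('marketing') : !declined('marketing');
  const analytics = optIn ? chose('analytics') : !declined('analytics');
  // A GPC signal is a valid opt-out of sale/sharing, so it wins over a stored yes.
  if (gpc) marketing = false;
  return { optIn, marketing, analytics };
}

// The Do Not Sell or Share link must change state, not just log a preference.
function recordDoNotSell(storedChoice) {
  return { ...(storedChoice || {}), marketing: false };
}

// Tags that may be injected for this state; everything else stays blocked.
function allowedTags(state) {
  return TAGS.filter((t) => t.category === 'essential' || state[t.category]).map((t) => t.id);
}

// Consent Mode parameters for gtag('consent', 'default' | 'update', ...).
function consentModeSignals(state) {
  const ads = state.marketing ? 'granted' : 'denied';
  return { ad_storage: ads, ad_user_data: ads, ad_personalization: ads,
           analytics_storage: state.analytics ? 'granted' : 'denied' };
}
```

In a page, `allowedTags` decides which script elements get injected after the banner resolves, and `consentModeSignals` feeds the `gtag('consent', ...)` call, so a GPC browser or a Do Not Sell click removes the retargeting and session-recording tags rather than only storing a flag.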

How CookieBeam handles automotive sites

CookieBeam is a consent platform; it manages the tracking-consent layer, not your GLBA information-security program. But it targets the specific risks dealership sites create.

  • Script blocking that protects lead forms. Marketing and session-recording scripts stay blocked until consent, so pixels can't ingest data typed into financing and trade-in forms. Essential cookies (session, CSRF, form state) are never blocked, so the forms themselves work regardless of consent choice.
  • Scanning inventory and financing pages. The scanner crawls VDPs and finance pages where lead-vendor, chat, and CRM tags accumulate, and flags new cookies and connections when a vendor changes something.
  • US opt-out plumbing. A working Do Not Sell or Share link and automatic Global Privacy Control handling, wired to actually stop the sharing.
  • Regional consent. One configuration serves US opt-out and EU/UK opt-in, with sensitive-data handling for geolocation baked into the rules.
  • Consent Mode and server-side friendly. Correct denied signals and clean consent state for server-side event forwarding, so measurement survives declines. Because dealers are treated like financial institutions, the same care that fintech sites apply is worth borrowing; see our fintech consent guide.

Checklist for dealership and automotive sites

  1. Treat financing data as regulated NPI. Keep marketing and session-recording scripts away from finance and trade-in forms.
  2. Block third-party lead, chat, and CRM tags until consent. Their cookies on your domain are your responsibility.
  3. Scan inventory and financing pages, not the homepage alone. That's where the tracking concentrates.
  4. Ship a working Do Not Sell or Share link and honor Global Privacy Control. Retargeting counts as sharing under state law.
  5. Handle geolocation as sensitive data. Precise location for advertising needs opt-in or a limitation right, and connected-vehicle data needs affirmative consent.
  6. Geo-target the banner. US opt-out, EU/UK opt-in, from one configuration.
  7. Recover measurement server-side. Server-side conversions and Consent Mode keep attribution alive when shoppers decline.