While the California Consumer Privacy Act has impacted businesses in all sectors, one industry that has been steadily barreling toward compliance is the automotive industry. Simply put: The new “oil” in the automotive sector is data. Vehicular data is needed to enable repairs, ensure and promote security both in vehicles and on the road, identify and predict performance and maintenance, as well as enable the industry to develop better solutions for drivers and passengers. Whether you drive to work every day, carpool or simply rent a car on vacation, it’s likely that you have data passing to a car manufacturer more than a handful of times a month. And, until recently, this data collection was business as usual for the auto industry without much fanfare or discussion.
But, surprise, surprise: California has changed that. The CCPA has expanded the definition of “personal information” in the U.S., which means that car manufacturers and service providers must now ensure that they conduct data inventories and monitor the flow of data to be able to develop systems for compliance. Further, it has given renewed attention to the notice requirements for data collected by cars: How do we ensure consumers are aware of what is collected and how it is used? Do we need consent? The CCPA also has that pesky “right to delete” provision. This has pushed automakers, service providers and dealers to consider data flows and the practical and theoretical risks of deleting data. What can we delete, and what is the impact of that deletion?
The concerns don’t stop there. The opt-out requirement may be relatively seamless for an online retailer, but perhaps not so seamless when implementing it via an automobile, especially when we consider the user interface, which does not always function in the same way as a tablet or website. These are big questions, especially to an entire industry of technicians and third parties that may be exchanging data for a variety of reasons, many of which are operational.
This two-part analysis contemplates CCPA and its impact on the automotive industry and whether the concerns about compliance impacting driver safety are well founded. In part one, below, we'll look at the rules of the road to help you identify data and map your progress. Look for part two, on "Where the automotive industry must get in line with CCPA compliance rights," in the November edition of The Privacy Advisor.
Vehicle data: personal or not?
By now, we all know that the definition of “personal information” under the CCPA is the broadest we have seen in the U.S. The CCPA defines personal information as the “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household.” This definition arguably covers the majority of the data that is collected by a vehicle, which means that manufacturers and service providers are now getting up to speed with all the legal requirements attached to the use and control of this data.
Before getting into those requirements, it's important to understand the scope of the data that is collected by your vehicle. Today’s automobile functions as a large consumer electronic device, which not only informs the driver, but also sends data back to the manufacturer and potentially to service providers. This data informs automakers, manufacturers and service providers about the functionality of the car, all with the goal of keeping consumers safely in motion.
Consider all the data at issue: information about a vehicle’s functionality, such as mileage, fuel consumption, oil levels, engine status, temperature or speed; information about the vehicle’s performance, operation and environment, such as where it is located and how it responds in certain weather conditions or at certain speeds; maintenance information, including when the vehicle has been serviced and when the next service may be required; and any malfunction reports. We also have to consider the information that is collected via on-board diagnostics systems or the telematics systems — in other words, information that is collected via the communication or infotainment systems and/or via driver inputs, such as the location of the driver’s home or office. And, looking ahead, it may also include even more sensitive information, such as biometric information, or whether the driver had too much to drink or is too tired to operate the vehicle. This data can be used for a plethora of purposes, but its main purpose is for manufacturers and service providers to ensure vehicle operation and efficient repairs and services.
Where do I go? Mapping your CCPA compliance
Not all data is the same. And not all data goes to the same places. Given this, as a first step, manufacturers and service providers should conduct an inventory of what data they collect and use. From there, they should determine where the data is sent and for what purpose. That will guide all the steps of compliance under the CCPA. Notably, to the extent that the data collected by a car is classified as personal information, there are a number of rights that must be granted to California residents, including:
- Opt-out or -in.
- Equal services and prices regardless of choices made.
Who has the right of way?
Some of the rights that may require the greatest amount of consideration as it relates to information collected by vehicles and how appropriate information is then passed along to operators.
So who has the right of way? The consumer.
Under the CCPA, consumers have broad rights to personal information collected about them, including information collected by vehicle manufacturers, dealers and service providers. Thus, even if the data is collected and used by a carmaker, that manufacturer must remember that the CCPA gives the consumer the right to know what data is held about them, and they may always reach in and try to limit or control the use of that data. And the CCPA requires carmakers to ensure that there are systems in place to ensure that we can give the consumer that right.
What data is exempt?
The CCPA provides for some notable exemptions that assist those in the automotive industry. These apply to personal information collected under the Driver’s Privacy Protection Act of 1994 and personal information collected, processed, shared and otherwise disclosed under the Gramm-Leach Bliley Act or the California Financial Information Privacy Act. To the extent that these laws apply to personal information, the rules set forth under these laws should be followed. That being said, information gathered in a transaction may very well fall both within one of the exceptions and outside of the exceptions. The requirements for this commingled data are still up for discussion, but the data inventory and understanding the purpose for which the data was collected will likely dictate the analysis. Importantly, even where financial transaction data that is collected in accordance with GLBA is captured for the purchase of a car, the CCPA still applies to the other information that is collected outside of GLBA, such as for information collected for marketing purposes.
Separately, there is Assembly Bill 1146, which was recently passed and is one of the more prominent bills under consideration as it relates to vehicle information. The bill exempts vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair from the right to deletion. It also provides that the CCPA’s “do not sell” requirements do not apply to vehicle or ownership information retained or shared between a new motor vehicle dealer and the manufacturer if the information is shared for the purpose of effectuating or in anticipation of effectuating a vehicle repair or recall, provided that the dealer or manufacturer with which that information is shared does not sell, share or use that information for any other purpose. This information is often needed to ensure vehicles are operating safely and is also the kind of information that many dealers may not have flagged in a database that easily facilitates providing the rights required under the CCPA.
Notably, the amendment does not get manufacturers or dealers out of having to comply with the CCPA’s notification and disclosure requirements. Additionally, civil actions under Section 1798.150 of the CCPA could still be brought against dealers and manufacturers.
If you want to comment on this post, you need to login.