In part one of this two-part series, we discussed some of the initial considerations for those in the automotive industry. Now that it's clear what data is at issue, where it is flowing and whether an exemption applies, it's important to consider some of the more notable rights granted under the law — the rights to notice, deletion and opt-out requests.

CCPA notice requirements

Before looking strictly at the CCPA, consider that both federal and state laws impose requirements regarding notice and consent for the collection, use and sharing of personal information. Under both, appropriate and detailed notice regarding data practices is required. Typically, appropriate notice involves a just-in-time notice at the point of collection explaining what is being collected and why, as well as a privacy policy clearly explaining a company’s data practices. 

From a federal U.S. law standpoint, the Federal Trade Commission, the primary federal agency in charge of privacy, garnering authority from Section 5 of the FTC Act, requires that all notices incorporate honesty and transparency. The FTC brings enforcement actions under Section 5 of the FTC Act governing unfair and deceptive trade practices. In general, the FTC has interpreted deceptive trade practices broadly to include handling of personal information in a manner that is contrary to the ways disclosed to the consumer (e.g., in a privacy policy), as well as handling such information in a way that is unforeseen by a consumer.  

California has long taken required privacy notices a few steps beyond the FTC’s fairly straightforward and simple requirements. For example, the California Online Privacy Protection Act requires disclosures surrounding data collection, use, sharing, security, material changes and requirement to provide contact information. Additionally, California’s “Shine the Light” law also requires disclosures regarding the sharing of personal information with third parties for their direct marketing purposes. The CCPA has pushed the requirements even further. The CCPA expanded upon the current requirements; but given that California is one of the largest economies in the world (and the largest in the United States), requirements imposed by California law often have national impact. 

Accordingly, all automakers should consider the requirements of CCPA for notification. Under the CCPA, notices are now required “at or before the point of collection,” as well as in the privacy policy. More specifically, the CCPA imposes the following:

• At or before the point of collection, companies covered by the CCPA must inform consumers regarding the categories of personal information collected and the purposes for such collection.
• Within the privacy policy, consumers must be notified about the rights (access and deletion, for example) that each consumer has with respect to their personal information, as provided in the CCPA.

Many in the automotive industry are accustomed to ensuring that newer model cars provide notice: “Check engine!” “Low fuel!” What may not be part of that notice is the fact that cars are collecting numerous pieces of personal information. Therefore, when a consumer powers up a GPS, they may not be accustomed to a notice saying, “We are collecting your present location and information regarding your vehicle to assist you with your requests” or the like. Indeed, many consumers may not even realize how much information cars are collecting at any given moment — voice collection, mobile device information with pairing of Bluetooth devices, specific geolocation information, vehicle health and location information, accident information, and so much more.  Automakers now must consider where and how this information will be provided.

CCPA right to delete

The CCPA does not stop there. One of the requirements of the CCPA that may hit automakers and vehicle service providers a little harder is the fact that it provides consumers with the “right to delete” their data. This means that any individual who drives a rental car, visits a service shop or even purchases a vehicle from a manufacturer or dealer could send a note after the transaction has been completed and request that they be “erased” from the operator’s database. And the operator must comply within 45 days, unless an extension of time (up to 90 days) is granted.  

While this may seem like a relatively “simple” request for an online retailer (who will likely beg to differ), it leads to a host of questions in the automotive space about whether the deletion of this data could have an impact on the safe operation of the vehicle. While vehicles are crash-tested and include a robust set of features that ensure the physical safety of passengers, one area that may not have been considered is how important the data contained by the vehicle is to the safe operation of the vehicle. And, until the right to delete came along, this was not a key question for manufacturers, since the data was not going anywhere. But now, thanks to the CCPA, we are considering that question and whether a sudden deletion of certain personal information could impact the safe operation of the vehicle.

Automakers and service providers, which have been historically passing diagnostic and repair data to vendors and third parties for the purpose of education, repair, diagnosis and maintenance, or back to manufacturers as a result of a contract now are forced to conduct an inventory and analysis of this data to determine whether deletion is required by contract, and if it isn’t, whether the deletion of it could impact the safe operation of the car. 

Lucky for all of us, the CCPA does have some exemptions that seem to apply here:

• Expected internal uses: This is one exception that will likely be relied upon heavily by the auto industry, as it states that the right to delete does not apply if the information is needed to “enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.” Simply put: If the information is needed to ensure the vehicle operates, the service is provided, the music plays, the navigation functions, the phone and telematics systems work, then the data does not have to be deleted.  While further guidance and interpretation will be helpful, this is certainly going to apply to big pools of the data collected and used in vehicles and by service providers. 
• Transactional exception: The CCPA right to delete does not apply when the personal information is necessary for the operator to complete a transaction or provide a good or service to the consumer. If the data is needed to fulfill a contract or provide an ongoing service to the consumer, then the operator does not have to be deleted. But if a consumer buys a car from a manufacturer, when is the transaction completed? Is this an ongoing service? These are questions we hope are interpreted in the coming months, but for now, it seems the contract will dictate this potential exemption. On this, the current solution would be to look at the vehicle systems and consider the data needed to ensure operation, and to ensure the contract links the use of the data to that operation. Service providers and manufacturers should revisit contracts with consumers to ensure the language is appropriate to cover this type of continued use of data. And, automakers should develop systems to routinely evaluate what data they have to ensure that the data that is collected and used is all that is needed to provide certain features and services on an ongoing basis to the consumer. 
• Security exception: There is also an exception from the right to delete if the purpose of the data is to help detect security incidents or protect against malicious, deceptive or fraudulent activity. These threats could be considered major incidents if you consider the ability of an intruder to enter the telematics system of a car and impact the safe operation of it. Certain information collected by manufacturers and cybersecurity experts would fall within this bucket, and if automakers are able to establish that the storage of the data assists with secure operation, then deletion of certain personal information would not likely be necessary. 
• Identify repair errors: The CCPA also allows for an exception to deletion if the data is needed to “debug to identify and repair errors that impair existing intended functionality.” While we will need more interpretation and guidance here, this exception may allow service providers and repair shops to keep data to correct functionality errors.
• Consistent with consumer’s intention: If the first exception wasn’t broad enough to allow storage of data to ensure a vehicle can operate as a consumer expects it to operate, this one may be. This exception seems similarly general, and while it will certainly be subject to interpretation, it likely allows automakers and service providers to hold on to data to use it in accordance with consumers’ expectations, even if there is a deletion request. The scope of this exemption is still up for debate, but certainly it gives rise to questions about whether a service provider can keep a consumer’s contact information to remind them of maintenance check-ups, in accordance with a verbal agreement. 

These exceptions seem to give automakers and service providers the freedom to use the data for the purposes that it was collected, without potentially impacting the vehicle operation. But certainly these exceptions would not apply to data that is collected and used outside the scope of that, such as data that is collected for marketing purposes or data collected to understand driver behavior or habits for research and development of products and services.  

Do not sell – opt me out

The CCPA also places some roadblocks up when it comes to sharing information with third parties. It provides consumers with the right to opt-out of the “sale” of their personal information to third parties. But here is where it gets tricky: The term “sale” is broadly defined under the CCPA to include selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration. The current interpretation of “valuable consideration” looks to contract law. In other words, it is a benefit to which the third party is not legally entitled to absent the agreement. 

This means that arguably any transfer for some benefit to a third party may qualify as a “sale” under the CCPA.  To meet their obligations regarding the opt-out rights enshrined in the CCPA, businesses must provide a “reasonably accessible” and “clear and conspicuous” link on their website’s homepage titled “do not sell my personal information,” and this must be presented to California consumers. This link will enable a consumer to opt out of the sale of their personal information but must not require them to create an account in order to do so. The link must also describe the consumer’s rights and must be contained in its online privacy policies, as well as any “California-specific description of consumers’ privacy rights” that it maintains. If a business does not sell personal information, as that term is defined in the CCPA, it may state so in the privacy policy and may not need to provide the link, but must still provide information in the privacy policy about this right. For vehicles, this may mean a privacy-dedicated screen within the vehicle computer so that drivers that open their vehicles to use the radio, telephone or GPS have access to appropriate privacy notices.

The automotive industry will have to consider who maintains the central repository of data on individual consumers’ information and, with that in mind, take steps to ensure that consumers’ rights can be easily and quickly effectuated upon receipt of a verifiable request. Where a manufacturer holds the data, they will need to pass this information on to service providers, vendors and third parties with whom they may share personal information unless a relevant exception applies. 

No u-turn ahead

While the CCPA sets forth rather rigorous requirements, it is likely the first step in an onslaught of similar state (and perhaps federal) privacy laws. All industries, including the automotive industry, must grapple with this new wave of privacy rights and privacy enforcement. The CCPA certainly puts consumers in the driver’s seat with respect to their data and the industry is working hard to ensure that doesn’t impact consumer safety and the proper maintenance and functionality of a vehicle.

Photo by toine G on Unsplash