Privacy is a hot topic these days, and the automotive industry is no exception. Connected cars, in-car location services, telematics systems, event data records (black boxes), driverless cars, online consumer targeted advertising, vehicle-to-vehicle communications, mobile apps for cars, data analytics by insurance companies, Apple and Google operating systems for cars – all of these developments are shining a brighter spotlight on privacy in the automotive industry. Consumers and privacy advocates are becoming more and more concerned about privacy violations that may result from the IoT – the “Internet of things” – and cars are part of the IoT infrastructure. OEMs, component part manufacturers, suppliers, service organizations, distributors and dealers all find themselves in the chain of handling personal information and accordingly should be concerned about legal compliance, public relations and customer relationships when it comes to dealing with customer information.
FTC regulations and guidance, for example, require “privacy by design” – building privacy into product and service design and development from the ground up. Consumers must be given notice of what personal information is collected, for what purposes, how it is used and with whom it is shared. Consumers must also be given access to their personal information and a choice (the ability to opt-out) when it comes to using the information for purposes other than product or service delivery, such as sharing with third parties for marketing purposes. Generally, affirmative opt-in consent – not just notice – must be obtained before collecting location information. We all have seen the notices that pop up on our smart phones. We see those notices for a reason – and much of it is driven by legal compliance.
The GAO’s In-Car Location-Based Services report addresses a number of these issues, including disclosure of privacy collection, use and sharing practices; consumer consent and controls; security safeguards and retention of customer information; and accountability for misuse and unauthorized disclosure. Among other things, the GAO states in connection with the collection of in-car location and other information, companies should:
- State the reasons companies collect and share data
- State specifically that collection of location data is limited to specific needs
- Not use data for a purpose other than what has been disclosed to consumers without providing notice and obtaining consent before using the data
- Obtain consumers’ consent before collecting their personal information
- Provide consumers the ability to opt out of data collection to which they have previously consented
- Allow consumers to delete location data that have been collected (The GAO pointed out that the automotive industry has been particularly deficient with respect to this point)
- State a specific time frame for retaining consumer data
- Protect data with reasonable security safeguards against risks such as loss or unauthorized access.
- De-identify data when possible, particularly when transferring data to third parties.
Lastly, the GAO urged the industry to be more accountable when using third-party service providers to handle and maintain customer information. For example, companies should:
- Contractually require service providers to protect privacy and security, and/or comply with certain privacy and security practices
- Limit or prohibit commingling data with data from other customers
- Conduct due diligence risk assessments
- Obtain copies of audits or risk assessments obtained or conducted by the service provider
Failure to comply with legal obligations with respect to the privacy and security of personal information can result in state and federal regulatory investigations and enforcement actions, as well as private claims and class actions. While consumer product retailers have been grabbing the most headlines lately with respect to privacy breaches, companies in the automotive industry should likewise take care to build in a “privacy by design” approach to products and services in order to minimize the risks associated with collecting, using and sharing personal consumer information.