The two leading trade associations for automobile manufacturers—the Association of Global Automakers and the Alliance of Automobile Manufacturers, Inc.—released the Consumer Privacy Protection Principles for Vehicle Technologies and Services (“Principles”) in November 2014.1 The Principles were developed jointly by the two trade associations over the course of many months in recognition of the increasing ability of in-car technologies and services to collect and use information about the driving experience.
The Principles apply to “covered information,” which is defined as any information collected, generated, recorded, or stored by a vehicle in electronic form, when retrieved from a vehicle by the manufacturer, that is linked or linkable to the vehicle from which the information is retrieved, or personal subscription information provided by individuals who register for vehicle technologies and services. When covered information includes biometric, driver behavior, and geolocation information, that information receives heightened protection under the Principles. In addition, the Principles require a warrant or court order for government access to geolocation information.
The Principles are meant to be a baseline framework that different manufacturers may implement as they see fit. Subscribing to the Principles is voluntary. At the time of release, nineteen auto manufacturers had made a public commitment to subscribe to the Principles. Participating companies must implement the Principles for new vehicles manufactured no later than Model Year 2017 and for vehicle technologies and services, subscriptions that are initiated or renewed on or after January 2, 2016.
The Principles are as follows:
- Transparency: Participating Members commit to providing Owners and Registered Users with ready access to clear, meaningful notices about the Participating Member’s collection, use, and sharing of Covered Information.
- Choice: Participating Members commit to offering Owners and Registered Users with certain choices regarding the collection, use, and sharing of Covered Information.
- Respect for Context: Participating Members commit to using and sharing Covered Information in ways that are consistent with the context in which the Covered Information was collected, taking account of the likely impact on Owners and Registered Users.
- Data Minimization, De-Identification & Retention: Participating Members commit to collecting Covered Information only as needed for legitimate business purposes. Participating Members commit to retaining Covered Information no longer than they determine necessary for legitimate business purposes.
- Data Security: Participating Members commit to implementing reasonable measures to protect Covered Information against loss and unauthorized access or use.
- Integrity & Access: Participating Members commit to implementing reasonable measures to maintain the accuracy of Covered Information and commit to offering Owners and Registered Users reasonable means to review and correct Personal Subscription Information that they provide during the subscription or registration process for Vehicle Technologies and Services.
- Accountability: Participating Members commit to taking reasonable steps to ensure that they and other entities that receive Covered Information adhere to the Principles.