Today’s vehicles capture thousands of data points of personal information from consumers, including but certainly not limited to phone numbers, home addresses, navigation history and garage door codes. If this information is not proactively deleted before the vehicle changes hands, it can lead to identity theft, home burglaries and more.
Once this occurs, auto-finance companies and insurance companies — the legal owners of millions of vehicles on the road today — may be held liable for damages and simultaneously faced with expensive penalties and years of litigation.
Regulators and plaintiff attorneys are increasingly scrutinizing the auto industry and the lack of protection for the personal data collected by cars. For instance, the attorney general of California recently reported to the public on the office’s investigative and enforcement activity under the California Consumer Privacy Act. The first case mentioned involves a vehicle manufacturer/dealership collecting data from consumers during test drives.
This is not a California-only problem; in fact, unbeknownst to most people in the industry, there are currently over 200 laws that aim to regulate this data. Some laws generally apply to all entities (e.g., data security and data breach laws), while some apply to specific sectors. Examples of the latter are the National Association of Insurance Commissioners’ Model 673 and Model 670 laws (currently enacted in 39 states and Washington, D.C.). These two laws impose requirements on the data collected by insurance providers, including the data stored in vehicles that may end up becoming the property of an insurance carrier (i.e., after a vehicle is deemed a total loss and the title is transferred).
With fines that can cost up to $7,500 per occurrence and with 273 million vehicles on the road today, not deleting the personal information in vehicles constitutes a multi-billion-dollar exposure for the automotive industry. Plus consumer damages. Plus legal costs.
The “it can’t happen to us” mindset isn’t applicable to the automotive industry anymore. All the main car rental companies have already been sued over the data left behind in infotainment systems. Two of those auto businesses have settled for hundreds of thousands of dollars per plaintiff. This is why a growing number of marquee names (from OEM captives and national banks to fleet management companies, dealership chains and credit unions) are taking action and putting technical and administrative measures in place to establish “reasonable security” (as required by most laws). This is done by removing the personal information of consumers and ensuring there is a strong trail of records to demonstrate compliance.
Every compliance expert will tell you that just deleting the information is not enough. In order to minimize risk, three steps are necessary. First, it’s imperative to document a policy that requires the deletion of personal information from each and every car. In fact, we see automotive manufacturers adding language to their privacy policies stating that data left behind in the vehicle systems could be exposed to unauthorized third parties, and therefore the owner should remove it before handing off the vehicle. The second step is to be sure that the personal information removal process is deemed legally “reasonable,” meaning that the process can be monitored and has already been proven to deliver reliable outcomes. Finally, businesses must keep robust records. These records will serve as reliable evidence of the protections that you have laid out for your customers and as proof that your policy has lived up to its promise.
Have you considered this massive liability as a material threat to your business? If it sounds serious, it’s because it is. Taking action may feel overwhelming given the tens of thousands of variations of systems across vehicle makes, models, years and trims, but it doesn’t have to be. New tools can help businesses like yours put simple procedures in place to address compliance with local and federal laws. With consumers increasingly worried about protecting their data, we have strong evidence that auto businesses that act can also benefit from higher customer retention and satisfaction.