California: Connected vehicles and the CPRA, CDPA, and CPA - 10 things to know and do
Cars collect information including vehicle usage data, vehicle technical data, and metadata such as maintenance status. Under the new U.S. laws, i.e. the California Consumer Privacy Act of 2018 (last amended in 2019) ('CCPA'), the California Privacy Rights Act of 2020 ('CPRA'), the Virginia Consumer Data Protection Act ('CDPA'), and Senate Bill 21-190, the Colorado Privacy Act ('CPA'), the information collected by vehicles can be personal information even if it is not directly linked to a name but only to technical aspects and features of the car. The CCPA, with similar definitions in the other laws, defines personal information as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household". In its Final Statement of Reasons for the Proposed Regulations under the CCPA, the California Attorney General ('AG') stated that whether vehicle-related data is personal information is a fact-specific determination, and that vehicle information, including the vehicle identification number ('VIN'), is specifically excluded from certain obligations under the CCPA.
The new privacy laws CPRA, CDPA, and CPA apply to connected vehicles
The new U.S. data privacy laws apply when a business collects and handles personal information (or its close relative, personal data) of consumers in California, and soon also in Virginia and Colorado, and meets the laws' monetary and other applicability thresholds.
You need to (re)assess the data you are collecting and sharing
The CPRA, CPA, and CDPA restrict the data collected by a business or a controller to that which is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer. A general purpose that is merely related to the business's purposes is no longer sufficient. This obligation, which is similar to the data minimisation obligation under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), requires original equipment manufacturers ('OEMs') and other providers in the mobility space to map and inventory all data collected and shared, to consider the reasons and purposes for the collection, and to assess whether the data is necessary for each purpose.
You need to provide a privacy notice to the users of the vehicle
The U.S. data privacy laws require businesses to provide a detailed notice, in a conspicuous manner, of the personal information collected. This means, for starters, knowing exactly what information is collected and how it will be used and shared. The notice must describe at least the types of information collected, the purposes of collection, the types of third parties the information is shared with, the purposes of sharing, and the consumer's rights in connection with the collection, in a way (language, format, location) that consumers would understand. Complexities such as interacting with multiple providers (e.g. who provides the disclosure, how to obtain the information from other providers), ensuring that the notice reaches the right individual, and how to handle these issues in the context of the sale of a used vehicle need to be addressed. Using information for a purpose different from the one for which it was originally collected requires disclosing, and potentially obtaining consent for, the new use.
You need to provide notices at collection throughout the data collection process
In addition to the overall privacy disclosure, specific notices must be provided at or before the point at which the data is collected. These notices give a snapshot of the data collected and refer to the privacy notice for more detail. Where and how these notices will be delivered, e.g. through stickers or pop-ups, needs to be determined.
You need to account for information the collection of which the vehicle facilitates
The data that the vehicle itself collects is not the only data in scope. In the connected and automated vehicle space, many players collect information, including third-party providers such as apps, infotainment providers, third-party sensors, driver monitoring systems, and in-vehicle payment systems. The consumer needs a comprehensive picture of the data collected from them through or by the vehicle, which is collected by multiple parties and not by the OEM alone.
You need to provide the users with choice
If information is collected and then shared with third parties for their own purposes, including marketing, this may constitute a sale under the U.S. privacy laws. To comply, notice and the ability to opt out of this data sharing must be provided. For some information, for example real-time location, more prominent notice and even consent may be required. For sensitive information, including biometric information, consent may be required. Be mindful of processing that may constitute profiling, i.e. automated processing of personal data to evaluate, analyse, or predict personal aspects relating to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements. Such processing may carry additional requirements, including the obligation to conduct a Data Protection Impact Assessment ('DPIA').
One way to meet the necessary and proportionate test is to implement Privacy by Design and Default, which considers data protection at every stage and for every processing operation. The following questions cover some of the issues to be considered: can you anonymise data that leaves the vehicle? Is the data necessary? Is it relevant for what you need to do? Can you localise the processing and keep it in the car? Is it secure? Is there a less privacy-invasive way to achieve the goal? How long is it necessary to retain the data in identified form? Can you allow individuals to directly access the data or permanently delete it? Can you develop a profile management system for your vehicle? Where applicable, and for optional data collections or uses, the less invasive option can be set as the default, leaving the consumer the ability to turn the more invasive one on.
It is interesting to note that in Europe, a connected vehicle and every device connected to it is, in fact, terminal equipment (just like a computer, a smartphone, or a smart TV). Storing or accessing information in the vehicle is therefore governed by the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive') and requires consent other than in narrow exceptions. Subsequently, any further processing needs a separate legal basis under the GDPR.
You need to give access, opt out and deletion
In addition to the right to opt out of a sale or the right to opt in to the collection of sensitive information, consumers must be able to access their information or have it deleted. This requires incorporating the information collected by or via the vehicle into the consumer rights process, to make sure that no requests are missed, that all the relevant data is compiled, and that the response to the consumer is timely. A consumer dashboard that lets the consumer access information themselves or change preferences is helpful here. Consider whether there are any sensitivities or exceptions with respect to the data requested: can you verify the person making the request to a sufficient level of certainty, or do you need more information? Will the information you provide identify other people? If so, do you have their consent to produce the information, or is it possible to redact their information? Is there any exception that would allow you to refrain from producing or deleting the information?
You need to limit your retention of the data
Similar to the GDPR, under the CPRA and the other new laws, information may be retained in identified form only for as long as is necessary to fulfil the purpose for which it was collected. This means assessing how long information can be retained and why. Sound justifications are required, as are retention policies, retention schedules, and the development and implementation of a process for timely deleting (or anonymising, where feasible) the information.
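The retention obligation above and the Privacy by Design questions earlier (can data leaving the vehicle be anonymised, how long must it stay in identified form) both come down to a retention schedule keyed by the purpose disclosed at collection, enforced by a job that deletes or anonymises records once their period has run. The following is an added illustration, not code from the article or from any OEM: the purposes, retention periods, actions, record layout and sample telemetry are all assumptions constructed for the example.

```python
"""Purpose-based retention enforcement for connected-vehicle telemetry (added example)."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Retention schedule keyed by the purpose disclosed to the consumer at collection.
# Each entry is (maximum retention in identified form, action once it expires).
# Purposes, periods and actions are assumptions for illustration only.
RETENTION_SCHEDULE = {
    "warranty_diagnostics": (timedelta(days=3 * 365), "delete"),
    "trip_history": (timedelta(days=90), "anonymise"),
    "marketing_analytics": (timedelta(days=30), "anonymise"),
}


@dataclass(frozen=True)
class TelemetryRecord:
    vin: Optional[str]      # None once the record has been anonymised
    purpose: str            # purpose disclosed at collection
    collected_at: datetime  # timezone-aware UTC timestamp
    lat: float
    lon: float
    odometer_km: int


def anonymise(rec: TelemetryRecord) -> TelemetryRecord:
    """Drop the vehicle identifier and coarsen the location to one decimal
    degree (roughly 11 km) so the record no longer singles out a vehicle."""
    return replace(rec, vin=None, lat=round(rec.lat, 1), lon=round(rec.lon, 1))


def apply_retention(records: List[TelemetryRecord], now: datetime) -> Dict[str, List[TelemetryRecord]]:
    """Sort records into keep / anonymise / delete / review buckets.

    Records already anonymised are kept as-is. Records whose purpose has no
    schedule entry are sent to 'review' rather than silently kept, because
    without a disclosed purpose there is no justification for retaining them
    in identified form, and rather than silently deleted, because a missing
    schedule entry may be a configuration gap.
    """
    buckets: Dict[str, List[TelemetryRecord]] = {"keep": [], "anonymise": [], "delete": [], "review": []}
    for rec in records:
        if rec.vin is None:
            buckets["keep"].append(rec)
            continue
        rule = RETENTION_SCHEDULE.get(rec.purpose)
        if rule is None:
            buckets["review"].append(rec)
            continue
        period, action = rule
        if now - rec.collected_at <= period:
            buckets["keep"].append(rec)
        elif action == "anonymise":
            buckets["anonymise"].append(anonymise(rec))
        else:
            buckets["delete"].append(rec)
    return buckets


# Constructed sample data (fake VIN, fictitious timestamps and positions).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
FAKE_VIN = "TESTVIN0000000001"
SAMPLE_RECORDS = [
    TelemetryRecord(FAKE_VIN, "trip_history", NOW - timedelta(days=10), 37.77493, -122.41942, 42000),
    TelemetryRecord(FAKE_VIN, "trip_history", NOW - timedelta(days=120), 37.77493, -122.41942, 41000),
    TelemetryRecord(FAKE_VIN, "warranty_diagnostics", NOW - timedelta(days=4 * 365), 37.77493, -122.41942, 30000),
    TelemetryRecord(FAKE_VIN, "driver_scoring", NOW - timedelta(days=5), 37.77493, -122.41942, 42100),
    TelemetryRecord(None, "trip_history", NOW - timedelta(days=400), 37.8, -122.4, 20000),
]


def run_sample() -> Dict[str, int]:
    """Apply the schedule to the sample and return the count per bucket."""
    result = apply_retention(SAMPLE_RECORDS, NOW)
    for bucket, recs in result.items():
        for rec in recs:
            print(f"{bucket:10s} purpose={rec.purpose:22s} vin={rec.vin} lat={rec.lat} lon={rec.lon}")
    return {bucket: len(recs) for bucket, recs in result.items()}


if __name__ == "__main__":
    run_sample()
```

The schedule is deliberately keyed by disclosed purpose rather than by data type, since the same odometer reading may be justified for years under warranty diagnostics but only weeks under marketing; a real deployment would source the periods from the written retention policy and log every bucket decision so the deletion process is auditable.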
Be mindful of other legal obligations like IoT laws
A connected vehicle is an Internet of Things ('IoT') device. As such, it is essential to address the same information security concerns as with other IoT devices. This is especially the case because vehicles raise the stakes: a security breach may endanger lives.
It is recommended to consider information security in every aspect of development; to incorporate state-of-the-art encryption and industry-standard protections; and to be particularly mindful of over-the-air transmission and updates, the ability to remotely operate the vehicle, secure storage of information in the vehicle, the security of any apps connected to the vehicle, untethering apps, and deleting information when a vehicle changes hands.
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia