Clark Hill 2023 Automotive & Manufacturing Industry Outlook: California Privacy Protection Agency to Investigate Automakers’ Data Practices

At some point, almost everyone purchases a new automobile. Every year, cars and trucks roll off the assembly line with new bells and whistles. Over the last few years, the bells and whistles have evolved into new software integrations – from sensors and cameras to voice control, built-in apps and location tracking. Most of these integrations require the collection and processing of data. Want to know what your average speed is over the life of the vehicle? Or to whom your last call was made? Or want to make a purchase while you are driving using voice recognition technology? No worries, new cars and trucks are almost as connected as your home. But ask a salesperson what data is being collected, who it is shared with, and how it is being used, and most won’t be able to answer. That’s because the collection and usage of data from automobiles is a black box that few understand.

The Enforcement Probe

That’s about to change. On July 31, the California Privacy Protection Agency (“CPPA”) announced its intent to probe how automotive companies are complying with the California Consumer Privacy Act, as amended by the California Consumer Privacy Rights Act (“CCPA”). The CCPA provides key privacy rights to California residents, including, the right to know what personal information is being collected about them by businesses, the right to have that information deleted, and the right to opt-out of the sale or sharing of their personal information.

With over 35 million vehicles registered in California, it is expected the regulator will investigate whether automobile companies manufacturing those vehicles are effectively making requisite disclosures to consumers regarding manufacturers’ data collection practices -i.e., disclosing all the ways in which this data is being used, shared and potentially sold – and providing consumers with meaningful ways to exercise their CCPA consumer rights at the point of collection. As with other enforcement probes announced by the CPPA, including into mobile apps and employers, the probe is likely to commence through a series of notices of noncompliance and information requests from the Agency, and a period of voluntary pre-filing engagement.

The California probe follows similar efforts to regulate connected cars by regulators in Europe, including the European Data Protection Board (“EDPB”)’s 2020 draft guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications.

In announcing the enforcement probe, Ashkan Soltani, CCPA’s Executive Director, said “Modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle.” Many auto  manufacturers use the interconnected facet of the car as a selling point, advertising that a car can integrate your mobile devices and smart home technology. Data collected by cars can be used to track locations, or personal habits, or the individual’s driving risks for insurance purposes. Studies have reported that cars collect up to 25 GBs of data an hour. As technology continues to change, as cars become more autonomous and capable of driverless operation, more data will be created, collected, and used.

What Can Automobile Industry Do to Prepare?

A car or truck is a conglomeration of many parts, systems, functions, most of which are provided by different companies in the manufacturing process. Automobile manufacturers and suppliers should work towards developing a robust data privacy program that includes at least the following component parts, which are at the highest risk of regulatory investigation:

Data Mapping & Evaluation of PII Collection

To address the privacy risks associated with connected vehicles, including the lack of consumer control and information asymmetry and the risk of excessive data collection, manufacturers and suppliers should create a data map: What data is being collected? For what purpose? Who is it shared with? What data do your suppliers or vendors collect? How long is the data maintained? Can you track the use of the collected data?

An important part of the data mapping process includes evaluation of whether regulated Personally Identifiable Information (“PII”) or Sensitive Personal Information (“SPI”) is being collected. Indeed, most of the data collected is likely considered PII (e.g. geolocation data; biometric data; etc.) and must be processed in accordance with existing data protection principles under the CCPA or other privacy regimes. In prior enforcement actions, the CPPA has indicated a particular interest in whether businesses are selling or sharing information with third parties, and providing requisite opt-outs to consumers concerning those practices.

Local data processing and de-identification of PII may be considered during the data mapping process as a method of potentially limiting compliance obligations.

External Policy Review & Revision

Regulators, including the CPPA, often start their enforcement probes with an investigation of a business’s external communications to consumers regarding its data collection practices. These are primarily captured in Privacy Policies and Terms of Service, but may also include pop-up notices of collection and marketing materials.  Thus, businesses should assess whether the statements made in external-facing policies reflect actual data collection and sharing practices. Further, external hyperlinks such as Do Not Sell My Personal Information or Limit Processing of SPI are required under the CCPA, as are honoring Global Privacy Controls and other browser settings which may be integrated into connected car software.

Regulators are often responsive to consumer complaints and inquiries regarding their data subject right requests (“DSR”) – i.e., whether a business is substantively honoring these requests within the relevant timeframes. Thus, testing your DSR process, ensuring employee training on the CCPA and DSR requirements, and ensuring DSRs are substantively honored is an important component of CCPA compliance.

Technical Controls & Contractual Obligations

The security and confidentiality of PII processed in the context of connected vehicles should also be considered, including the implementation of technical controls such as encryption.  Do you have the appropriate contractual controls in place with respect to the processing of PII, such as service provider and data privacy addendums? Or is the business contractually obligated to implement controls?

Some of the technological controls for connected vehicles previously recommended by the European Data Protection Board, which may be considered by automotive businesses here, include:

• “In vehicle” data processing to mitigate the potential risks of cloud processing;
• Unique encryption-key management system per vehicle to prevent control being taken by an unauthorized person;
• Implementation of profile management system inside the vehicle to store the preferences of the driver and to enable him/her to change his/her privacy settings anytime;
• Partition of the vehicle’s vital functions from those always relying on telecommunication capacities to ensure the security of connected vehicle;
• Implementation of opt-out options for the collection of service set identifier (SSID) of the on-board Wi-Fi network in order to prevent tracking.

The sooner a data management program is created and implemented, the easier it will be for the organization to adapt to changing technology, products, and law, and being in a position to demonstrate same to regulators. And while California is leading the charge with its robust consumer privacy protection laws, other states are following California’s lead. In the near future, the automobile industry will need to focus on compliance requirements across many states, not just California. Creating a flexible, dynamic program today will enable companies to quickly adapt to changing laws. 

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness