Carmakers Selling Your Data Risk Collisions With Privacy Laws (Corrected)

You’re walking to your car after a long, brutal day at the office, meaning to pick up your kid and figure out what to do for dinner before getting home.

As you enter, your car greets you by name and suggests three destinations via your navigation system, with your kid’s practice field at the top of the list. Later, your car sees you nodding off, knows you actually are drowsy—not just checking the phone in your lap—and wakes you up with a ping from the upper driver-side speaker.

The car greets your daughter as you re-enter traffic: “great work in practice today, Emily, and remember our goal to make it a habit to wear your seatbelt!”

Those sorts of safety and convenience features are the selling points of the modern connected car—made possible through car manufacturers’ collection of terabytes of data about you. GM, Ford Motor Corp., and Toyota Corp. are among leading manufacturers moving to collect, mine and make money from data: GM for example, hired Saejin Park, a former IT executive, as its director of Global Digital Transformation and Data Monetization in 2017.

But those efforts increasingly are exposing automakers to the same kinds of legal risks that ensnared big tech companies like Alphabet Inc.'s Google and Facebook Inc. as they used their troves of data to dominate online advertising. The newest threats may be privacy laws in states including California and Illinois that require consent or the right to opt-out before collecting biometric information, and make it easier for consumers to sue over data privacy breaches.

“Cars are one place where we easily conflate privacy and security, but the security risks are significant and resulting privacy harms that could result are massive,” Joseph Jerome, public policy manager for the Center for Democracy and Technology, said in an email.

Winding Privacy Road

When a car breaks down, overheats, or has computer malfunctions, it creates data that dealers can use to solve the issue. These types of data have long been used for diagnostic purposes, research and development, and to improve dealership sales.

Newer cars, though, often come with the capability to generate a broader and much more personal range of consumer data—usually produced and stored via in-car dashboard technology like General Motors Co.’s OnStar, according to 2016 and 2018 reports on data monetization by McKinsey & Co.

A system for waking up snoozing drivers, for example, may analyze and store images of every person in a car, including children. An in-dash infotainment system may record what music you listen to, to where you seek directions and where you eat and shop.

Laws governing the area include the Driver’s Privacy Protection Act, a number of state-level consumer protection laws, and federal consumer protection laws enforced by the Federal Trade Commission. Auto-industry data monetization also falls within the ambit of the Electronic Communications Privacy Act. The DPPA, a law built around protection of abortion rights, limits the disclosure of driver data without express consent. ECPA limits unauthorized interception of digital communications without consent.

But these rules and statutes are generally aimed at limiting unfair or deceptive business practices, as opposed to regulating consumer data collected for marketing purposes. Federal and state enforcers are therefore limited, and enforcement often only takes place when carmakers and other businesses in the supply chain make false statements in advertising or through self-regulation.

“Consistent with a broader trend of class actions seeking damages for allegedly hackable consumer products, connected cars may be subject to significant (and costly) cyber litigation risk in the years to come,” Melanie Phillips, cybersecurity attorney at Orrick Herrington & Sutcliffe LLP, said.

The most obvious legal risk may be from independent hackers and those backed by nation-states—like the Russian citizens indicted by the U.S. government for allegedly helping the Kremlin interfere electronically with the 2016 elections. They tend to focus on drivers’ geolocation data, according to several privacy and cybersecurity attorneys.

“Location information can be very sensitive, and by itself (or aggregated with other information) can reveal information about users/individuals that create physical and security risks,” Phillips said.

California, Illinois Laws

Although carmakers have had to increase driver privacy protection in the wake of the EU’s General Data Protection Regulation, which took effect in May 2018, California’s privacy law will probably be the first real American test for their data collection efforts.

The California law gives state residents new data privacy rights and a private right of action in certain situations—the ability to bring their own class actions independent of federal or state regulators. The Illinois Biometrics Information Privacy Act offers similar consumer rights.

BIPA would limit the collection and possible sale of drivers’ biometrics data captured, for instance, to keep drivers alert if they fall asleep behind the wheel. Any car that collects fingerprints to verify drivers or future conceivable biometrics collection all fall under Illinois’s biometrics law. Car companies that want to use this data would need express consumer consent, often gained through privacy policies and terms and conditions, to avoid the plaintiffs bar or the Illinois state attorney general.

Possible exposure under California’s new privacy law is a bit murky. The California legislature is still weighing amendments, and state Attorney General Xavier Becerra (D) hasn’t issued rules under the law. But car companies that aren’t clear they are collecting data and possibly selling it to third parties would find themselves facing Becerra’s office for possible fines.

In the event of a data breach, carmakers that don’t disclose the cybersecurity flaw to drivers can face direct consumer class actions under the state’s limited private right to action. More state laws, including New York’s privacy bill, are likely to add to the growing complexity of carmaker data collection efforts.

Some automakers are trying to get ahead of the accumulation of laws. GM; Toyota Motor Sales, USA; Ferrari North America, LLC and Mercedes-Benz USA have signed onto the Automotive Consumer Privacy Protection Principles along with many other manufacturers.

The agreement obligates manufacturers to protect drivers’ personal information collected through infotainment systems. Carmakers agreed to obtain affirmative consent when using geolocation, biometrics, and other sensitive data, attorneys said. However, these are voluntary standards that don’t hold any car maker legally accountable for privacy failures.

“First, the mission of connectivity and data is to advance safety, improve product and service quality and enhance ownership experiences,” David Caldwell, corporate relations manager for General Motors, said in an e-mail. “Important safety and security services are enabled by connectivity – meaning services such as OnStar’s Automatic Crash Notification (alerting first responders in the event of an accident) and Stolen Vehicle Shutdown,” a feature that allows remote disabling of a vehicle.

“Secondly, we take privacy very seriously. That is why connectivity services are activated only if customers first agree to terms and conditions,” including a privacy statement, Caldwell said.

But, Google, Facebook and other tech giants also say they take privacy and security seriously. These companies are under multiple probes for their alleged privacy shortcomings.

Safety, Usability

Most major auto manufacturers are taking a wait-and-see approach to regulation before making changes to the data collection components of their business, according to one industry representative who spoke with Bloomberg Law on condition of anonymity due to the sensitivity of the topic.

“Car manufacturers can limit their privacy risk by providing clear, meaningful notices about how the data will be used and shared, and by making reasonable and responsible use of the data,” Steven Wernikoff, privacy and data security partner at Honigman LLP who also leads the firm’s autonomous vehicle group, said in an email. “Car manufacturers also can limit privacy risk by altering or combining data so that it no longer reasonably can be linked to the vehicle or the owner of the vehicle.”

Navigating these risks will continue to be a tough task for the auto industry because car data collection privacy laws and emerging technologies are a moving target. Certain data efforts that are legal one day could be regulated the next, according to a number of privacy attorneys and other stakeholders.

Automotive technology “is moving so fast and highly personalized that the law just isn’t catching up,” Mauricio Paez, cybersecurity and privacy partner at Jones Day, said.