States Ramp Up Car Privacy Enforcement Using Tricks Old and New

Carmakers are in the crosshairs of state enforcers, with California becoming the latest to target the industry’s data practices.

The California Privacy Protection Agency announced on Wednesday an enforcement action and settlement accusing American Honda Motor Co. Inc. of violating state privacy law. Honda required consumers to provide excessive personal information for privacy requests and created obstacles for users seeking to opt out of cookie tracking, according to the CPPA.

As part of the settlement, the company agreed to pay more than $600,000 and make changes to its consumer privacy practices.

California follows a pair of separate disputes by Texas and Arkansas against General Motors Co. and its subsidiary OnStar LLC under the states’ consumer-protection laws, alleging deceptive practices by collecting and selling drivers’ data to third-party data brokers. The brokers, not named in the dispute, then sold the data to insurance companies that used the information to increase insurance rates.

The settlement is the CPPA’s first public enforcement action under the comprehensive California Consumer Privacy Act and, combined with actions by other states’ attorneys general, a warning to the automotive industry.

“This is just the tip of what we’re going to see. What we’ve learned from California is they are saying, ‘We are coming after connected cars,’” said Sara H. Jodka, data privacy and cybersecurity attorney at Dickinson Wright PLLC. Automakers “have a target on their back.”

Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals’ Washington, D.C., office, agreed.

“Enforcers are using privacy and consumer protection laws as a one-two punch to make sure automakers—and others—recognize consumers’ strong interest in their data,” he said in an email. “This will not slow down any time soon.”

The cases all center on “properly honoring consumers’ choices—whether before the fact, to get opt-in consent to collect sensitive location data—or after the fact, to provide the required mechanisms for consumers to exercise opt outs,” Zweifel-Keegan wrote.

The automaker said in a statement to Bloomberg Government Wednesday that it fully cooperated with the agency and began implementing the settlement’s required changes.

State Enforcement Push

Privacy attorneys now anticipate a significant shift in privacy enforcement as states increasingly take the lead in holding companies accountable.

A change in Federal Trade Commission leadership could narrow federal oversight, leaving states to fill in enforcement gaps with more targeted and assertive actions.

“When you have red states also looking at this, that’s telling,” said Henry J. Noye, a partner at Obermayer Rebmann Maxwell & Hippel LLP, pointing to the Texas and Arkansas suits. “You’re going to see a lot of state actions. I just don’t think that the FTC will have the ability to do anything in the coming months.”

In January, Texas sued Allstate Corp. under its privacy law, accusing them of collecting driver data without consent. With states including Colorado, Connecticut, and Virginia also ramping up enforcement of their new privacy laws—and proposals in other states moving through legislatures—the shift from broader consumer-protection probes to privacy-specific ones could accelerate.

“As these new consumer privacy laws come on the books, you will see states enforcing not only through the old method of, getting privacy compliance through consumer business laws, you’ll also now start seeing it in the privacy laws,” said Jodka.

“You’re going to see states follow California and do exactly what is happening to Honda in this case,” she added.

Indeed, California may have offered an efficient template for other regulators to follow.

“It’s actually very middle-lane for them to say, ‘Here is the list of the rights the consumers should have. This is how they should be implemented,’” said Andrea Amico, CEO and founder of Privacy4Cars, a technology company seeking to flag data privacy issues across the automotive ecosystem. “Literally, go through the checklist and say, ‘And you haven’t done this, and you haven’t done this, and you haven’t done this.’”

“It’s actually very systematic, very factual, very difficult to argue against it,” he added.

In contrast, an investigation of carmakers’ data-collection and storage practices—especially from vehicles themselves—could be much more “complex” and require more significant resources, Amico said.

But companies aren’t only facing enforcement threats from state officials.

GM and Honda are both facing class actions related to their privacy practices. In January, GM also reached a settlement with the FTC to address allegations also raised by the Texas and Arkansas suits, requiring the company to obtain affirmative consent to collect and disclose connected-vehicle data.

“I don’t think automakers can remain in business at $2,500 to $7,500 a pop if the number of complaints go up,” Amico said. “They have to act.”