The Vehicle Privacy Blind Spot

Are vehicle technologies on a collision course with privacy and data security laws? Most creditors, dealers, and service companies in the auto space haven’t yet realized that the Nonpublic Personal Information (NPI) increasingly captured by and left behind in the vehicles that are sold, leased, shared, or rented by consumers may expose them to lawsuits and fines to the tune of hundreds of dollars per car, per day. This is in addition to the significant reputational risk that can come from the public relations implications of a potential data or privacy breach, a legal proceeding, or simply from consumers being disappointed by how your business treats, and fails to respect, their personal data. This is what we call “the vehicle privacy blind spot.”

It is hard not to marvel at the rapid technological advancement of vehicles and their promise of increased safety, convenience, and autonomy features made possible by the ever-increasing number of sensors and computers installed in cars. The accelerometers, weight sensors, and thermometers that have been in use for many years for diagnostic purposes are now routinely complemented by GPS, proximity sensors, cameras, microphones, and all sorts of connectivity modules (Bluetooth, Wi-Fi, cellular, etc.), just to mention a few. Features that were reserved for high-end luxury rides just a few years ago are now standard in commonly sold models. Yes, these features sell, but there is another reason for this exploding data collection: these sensors, and the detailed information they collect about drivers, passengers, and their whereabouts, are attracting a diverse ecosystem of companies seeking to monetize automotive data and deliver car-centric services: a new industry expected to be worth up to $750 billion by 2030, says the elite think-tank McKinsey Global Institute.

It’s not just the technology in cars that has been accelerating; so have privacy and data security laws in a growing number of states (at the time of this article, five states have passed privacy laws and over a dozen are working on introducing legislation in this session). We expect that most NAF Association members’ legal and compliance departments are keeping up with evaluating the impact of these regulatory changes on “traditional” information systems (DMSs, F&I platforms, consumer marketing and communication channels via the web and email, etc.). It is quite possible that every Non-Prime Times reader has engaged in the past year in data audits, cybersecurity training, and revision of their policies regarding NPI, and had their webpage updated to include CCPA notices and a new privacy policy. However, it is only recently that some of the leading creditors, dealers, and service providers (especially vehicle auctions) have started to grapple with the reality that the vehicles themselves are databases on wheels containing reams of NPI of their previous users – and to take action. A growing number of players are busy putting in place new policies and procedures to address in-vehicle data so that, just as for the rest of their corporate devices and IT systems, consumers’ NPI is appropriately minimized and protected. At Privacy4Cars we are on the frontline of this data privacy transformation, having started years ago to build solutions to deliver protection and compliance to both consumers and businesses in the auto space, simplifying for the first time the extreme complexity of dealing with the thousands of makes, models, years, and trims (not to mention the many firmware updates of these systems), and making sure this issue could be solved in a simple, intuitive, inexpensive, scalable, repeatable, and measurable way.

It is quite possible that until now you thought of your car as your private space, a refuge of independence, the modern horse of today’s cowboy. The reality is, there is less and less going on inside or outside of a car that the vehicle does not keep track of in some fashion. Cars analyze the images of their surroundings, record the voice and other biometrics of their occupants, download files and metadata from any connected devices, and painstakingly log anything that is pressed, turned, or touched. The average car on the road today collects two terabytes of data – every year – and it is not uncommon for them to collect significantly more (some vehicles have more than 100 computers onboard and run on hundreds of millions of lines of code). Some of this data is particularly “personal” – not just to regulators and the courts, but to your customers. Our statistical studies show that the vast majority of vehicles on retail or wholesale lots still contain the synced content from the previous users’ phones: contact books, call logs, text messages, phone identifiers, and (for the vehicles with nav) the log of their favorite (e.g. home) and previous destinations are commonplace. Newer vehicles increasingly also store records of the music, files, photos, and apps (including Facebook and Twitter) from the devices that had been connected to the infotainment system, the number of passengers, their weight, and much more! If that vehicle is on your balance sheet or otherwise under your company’s control (even temporarily, as in the case of repossessions, total loss vehicles, or rental/carsharing), you are responsible for the protection of this data.

You may have assumed or been told that the personal information is held securely by the vehicles – but extraction of personal information from vehicles is the second most common kind of cyberattack perpetrated by criminals against vehicles (only surpassed by theft via keyfob tampering) according to automotive cybersecurity firm Upstream. In fact, the State Police of Michigan, home of the nation’s three largest automakers, issued a warning earlier this year that criminals can easily steal this personal information and put vehicle owners at risk of identity theft. Sometimes this is done through hacks (such as the technique nicknamed “CarsBlues” that we disclosed to the Auto-ISAC in 2018 and that, in their estimate, affects tens of millions of vehicles still in circulation from at least 23 different makes). Sometimes it can be even easier: since 2016 we have shown how information that is readily at the fingertips of anybody who has the keys (such as navigation data, phone identifiers, garage door codes, and phone numbers) can be used to build a profile of the people who last owned or drove the vehicle. How willing are you to bet your reputation that none of your employees, contractors, service providers, or anybody else who may have access to this information (including prospective buyers) is going to access it from any of your vehicles? Unless your company takes steps to remove this information (and consequently protect it) you may be held liable (at the time of this writing all four major rental car agencies have class actions against them regarding the non-deletion of personal information after every rental).

Until recently, consumers’ awareness of the issue was low, but with the rising concern over privacy violations, newsworthy data security breaches, and vehicle-privacy specific exposés from national media, this is quickly changing. A consumer survey conducted by fleet management company LeasePlan in March 2020 revealed that 52 percent of respondents strongly agree with the statement “I am worried about personal data (e.g. locations visited, music played) that can still be found in cars when you return or sell them.” Considering that a growing number of current and proposed regulations come with a private right of action (such as California’s Consumer Privacy Act, which is often used as a blueprint for other states’ proposed laws) and the rising attention of federal regulators (FTC, CFPB) and state Attorneys General to the issue of personal information protection, it is no surprise that legal and compliance heads across the entire automotive industry are taking a second look at existing privacy rules, record protection and retention laws, and their internal guidelines, and deciding to put “reasonable security” in place for in-vehicle data.

So what is the prudent course of action? At Privacy4Cars we recommend a number of steps:

1. Understand your exposure by performing an internal audit on how often and what kind of personal information can be found in your vehicles;

2. Prepare a policy addressing vehicle data including at minimum disclosures and retention policies. It may be helpful to ask yourself: “if this information was printed and left on the passenger’s seat, what would we do under our current policy?”;

3. Make sure the new policy translates into specific processes on how your personnel and/or vendors need to handle the vehicles and the NPI in them. These policies may be operationalized differently for different kinds of vehicles (e.g. have repo companies or auctions clear the infotainment of repossessed vehicles but have dealers or inspectors handle CPOs and loaners);

4. Revise language in contracts and agreements; and

5. Keep a finger on the pulse of the continuous changes in technology and legislation (consider getting external advice).

If you decide to join the ranks of those companies who find it prudent to delete the NPI from vehicles, consider using a specialized tool like Privacy4Cars. You can try our patent-pending technology by downloading our app for free, available on Google Play or the App Store. We also offer a Software Development Kit (SDK) that makes it easy to embed our technology in your own app, if you have one. You can find more information at www.Privacy4Cars.com.

Sidebar: What about COVID?
Understandably, your business may be going through unprecedented and unplanned circumstances, including a decrease in activity. Unfortunately, your legal obligations to protect the privacy of your customers remain. For instance, the California AG recently declared he will not put on hold the enforcement of CCPA (scheduled for July 1, 2020). Also, in times of economic contraction plaintiff attorneys and consumers may become more litigious. Lastly, you may be facing heightened competition as consumers have more choices available to them to purchase, lease, share, or rent a vehicle, so enhancing your value proposition by offering additional care and protection may yield additional trust. Consequently, if you have personnel that are not fully utilized, it may be a great idea to tackle privacy protection measures now, so you are ready when (hopefully soon) your business activity returns to pre-emergency levels.

Andrea Amico
Andrea Amico is a vehicle privacy advocate, a cybersecurity researcher, and the founder of Privacy4Cars.com, the first and patent-pending mobile process designed to help erase Personal Information collected by vehicles (e.g. contacts, call logs, text messages, detailed GPS history, etc.) that millions of drivers unconsciously leave behind every year in vehicles that are sold, rented, returned at the end of a lease, repossessed, and otherwise no longer under their control. Amico co-chairs the Compliance Committee at the International Automotive Remarketers Alliance, is an Adjunct Professor of Engineering Ethics at Kennesaw State University in Georgia (one of the fastest-growing engineering programs in the nation), and is increasingly involved with regulators, industry groups, and consumer advocates on the topics of cybersecurity and privacy for automotive.