The California Consumer Privacy Act (“CCPA”), Cal. Civ. Code 1798.100-199, presents some interesting questions for mobility businesses and service providers that handle data developed or transmitted by vehicles. Although the CCPA was passed with an effective date of January 1, 2020, the regulations implementing it are still in flux—and are on their second iteration. But whether final regulations are in place or not, enforcement by the California Attorney General’s office could start as early as July 1, 2020. Because the CCPA provided only limited exemptions for information collected by the automotive industry—information collected under the Driver’s Privacy Protection Act of 1994 and certain information developed and exchanged by new auto dealers and vehicle manufacturers in connection with warranty work or vehicle/part recalls—significant questions remain as to how the CCPA will be applied to the mobility industry.
For the past hundred or so years, most vehicles did not have the electronic brains to require a CCPA “gut check.” When electronics made their debut in automobiles, tools like OBD allowed vehicles to store diagnostic codes, and eventually event recorders (now regulated by the Driver Privacy Act of 2015) recorded pre-accident conditions. Telematics began to change the picture in the late 1990s, with automobiles transmitting information to central locations using cellular (and now wireless) technology. Modern connected vehicles can collect vast amounts of data when driven—and they can pass large amounts of it to manufacturers and service providers. And even when they are not actively transmitting this information, such information can be extracted from vehicles by service personnel. SAE Level 4 and Level 5 autonomous vehicles will necessarily be more dependent on connectivity both to central data sources and to each other—and can be expected to drive an explosion in data transmitted and analyzed on a central basis. Some of this will be regulated by data privacy laws, such as the CCPA, despite the above noted exceptions for automotive information.
The CCPA is primarily designed to regulate the sale of identifying information for consumers and households, but it also includes provisions that require disclosures at or before the time personal information is collected by a business. Personal information is defined as that which “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” This is an expansive definition, and the rise of data correlation tools (linking anonymized sources) will effectively cause it to expand over time, assuming no further limitations by courts, regulators, or the California legislature.
Once personal information is collected, California consumers and their households are entitled subject to statutory exceptions – (i) to know what data is being collected, for what purpose, and to whom it is disclosed; (ii) to arrange for the deletion of personal information; or (iii) to obtain that information in a reasonably usable form. If an organization sells information, it is required to allow individuals to opt-out. And any data kept needs to be subjected to adequate security measures.
As July 1, 2020 approaches, enterprises handling vehicle-generated or -stored data should consider some key questions when issue-spotting CCPA compliance:
- What personal information is being handled or collected? What is currently unregulated but may become part of regulated profiling?
- What is the nature of the relationship between the consumer whose data is being collected and the organization collecting or using the data?
- What are the circumstances in which personal information makes the jump from the vehicle to the company?
- What is the right way to make a disclosure given the particular application?
- Is collected personal information anonymized or aggregated in a way that would make it partially or completely exempt from CCPA?
- Is data being “sold” under CCPA? How is that documented? Is data being sold in a regulated form?
- Is there a defined process for handling consumer requests (opting-out, right-to-know, right-to-delete, data portability)?
- Is the data adequately secured?
The intersection between the CCPA and the mobility industry will continue to develop as the California Attorney General finalizes the rules, but understanding how you collect, interact with, and retransmit vehicle-derived data is the first step in any compliance project.
To sign up for The Open Road: Automotive Law Blog e-mail updates, please click here.