On July 31 the California Privacy Protection Agency’s (CPPA) Enforcement Division announced that it will review the data privacy activities of connected vehicle (CV) manufacturers and related CV technologies to assess their compliance with the California Consumer Privacy Act, as amended (CCPA). The announcement comes just weeks after California’s attorney general made a public statement about his office’s enforcement actions regarding CCPA compliance in the employment and HR context. With a broad range of enforcement actions being undertaken with respect to the CCPA, organizations should immediately reassess their data privacy compliance programs and policies.
CVs and Data Protection Issues
With significant technological advancements in recent years, CVs have been described as “smartphones on wheels.” They are WiFi-enabled, embedded with Bluetooth, and have their own central processing units.
A CV’s sensors and automated components generate large amounts of data about the vehicle and the driver, including the vehicle’s precise location, the driver’s behavior (e.g., speed, distance between other vehicles, seat belt use, information about braking habits), car crash-related data, and overall vehicle performance.
According to the Congressional Research Service, “[h]ackers could use more than a dozen portals to enter even a conventional vehicle’s electronic systems, including seemingly innocuous entry points such as the airbag, the lighting system, and the tire pressure monitoring system. Requirements that increasingly automated vehicles accept remote software updates, so that owners do not need to take action each time software is revised, are in part a response to concerns that security weaknesses be rectified as quickly as possible.”
Importantly, certain motor vehicle trade associations have developed “Privacy Principles for Vehicle Technologies and Services,” which was recently reviewed for updates in March 2022. These principles mirror several of the CCPA’s requirements.
CPPA Audit and Compliance Measures
The CPPA was created in 2020, when the CCPA was amended by the California Privacy Rights Act, and is the first independent data protection authority in the United States.
When announcing its decision to target CV manufacturers for privacy compliance audits, the CPPA noted that CVs “are embedded with several features including location sharing, web-based entertainment, smartphone integration, and cameras. Data privacy considerations are critical because these vehicles often automatically gather consumers’ locations, personal preferences, and details about their daily lives.”
CPPA Executive Director Ashkan Soltani noted that CVs are “able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle,” and that the CPPA “is making inquiries into the connected vehicle space to understand how these companies are complying with California law when they collect and use consumers’ data.”
Accordingly, organizations subject to this enforcement action should consider several of the key components of CCPA compliance, including:
- Transparency and accessibility. CV manufacturers and dealers need to ensure they are furnishing consumers with privacy notices that describe their data processing practices, including the types of personal information a CV may collect on the driver and passengers, how this personal information is used and shared, and consumers’ rights with respect to their personal information. All privacy notices published under the CCPA need to “[b]e available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California.” This is especially important for large CV manufacturers and dealers that draft legal terms, warranties, or other disclaimers in non-English languages, such as Spanish. The CCPA’s regulations also require certain privacy notices to be “reasonably accessible to consumers with disabilities,” and privacy notices furnished online must “follow generally recognized industry standards, such as the Web Content Accessibility Guidelines.”
- Data subject rights and requests. CV manufacturers and dealers should ensure that CV drivers and passengers can exercise their CCPA-provided data privacy rights concerning the collection and use of their personal information, such as the right to access specific or general categories of personal information, the right to delete personal information, and the right to prevent the “sale” of their personal information. The CCPA’s regulations set forth strict requirements with respect to how organizations must provide notice of these rights (e.g., via web forms, toll-free numbers, dedicated privacy email addresses). They also mandate the time frames in which organizations must respond to these data subject requests, what information must be furnished (or is exempted) in such a response, the training requirements for individuals who are responsible for assisting in the response process, how to verify and authenticate the identity of the data subject making the request and/or their third-party agent, and any relevant compliance exceptions. Accordingly, organizations should ensure they have a documented and tested process to receive, process, and respond to a data subject privacy request in accordance with the law.
- Data processing agreements. It is important from both a legal compliance and a data security perspective that CV manufacturers and dealers implement contract terms (e.g., data processing agreements) with their third-party service providers that retain and process personal information on their behalf. These agreements are required to limit how a service provider can access, use, and disclose personal information that they process on behalf of a covered business. It has also become an industry standard and a best practice to ensure these data processing terms address data ownership, information security, indemnification, and cybersecurity insurance, among other areas.
- Security controls. The personal information processed in connection with CV drivers and passengers might be sensitive in nature, including biometric data, precise geolocation data, and health and safety data. Accordingly, CV manufacturers and dealers should ensure they have implemented comprehensive technical, physical, and administrative security controls to protect such sensitive personal information from a security breach, and that they maintain (and routinely practice) an incident response plan in the event of a breach.
This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.
This document may be considered attorney advertising in some jurisdictions.
© 2023 THOMPSON HINE LLP. ALL RIGHTS RESERVED.