California reviews privacy practices of connected car technology

California’s privacy regulator is looking into who collects, controls and shares the data your car is gathering from you as you drive.

The Enforcement Division of the California Privacy Protection Agency (CPPA) has announced a review of data privacy practices by connected vehicle manufacturers and related technologies.

It believes some new data privacy considerations are needed in this area because such vehicles have the ability to automatically gather consumers’ locations, personal preferences, and details about their daily lives. They do so via technologies such as location sharing, web-based entertainment, smartphone integration, and cameras.

The term often used in this arena is “connected cars,” which should be understood in a broad sense, including applications for mobility management, vehicle management, road safety, entertainment, driver assistance and wellbeing.

The agency said it would examine the growing array of data collected by smart vehicles and whether the business practices of the companies collecting that data comply with state law.

“Modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle,” said Ashkan Soltani, CPPA’s Executive Director.

Privacy rights in California

In November of 2020, California voters approved Proposition 24, the California Privacy Rights Act of 2020 (CPRA). The CPRA added new protections to a prior privacy act called the California Consumer Privacy Act of 2018 (CCPA).

The CPRA also established a new agency, the California Privacy Protection Agency (CPPA), which is governed by a five-member board, to implement and enforce the law.

It is the only regulator in the nation solely dedicated to privacy issues. (Other states have placed their data privacy divisions within another agency, like the Attorney General’s Office, or have such agencies focus on issues other than data privacy.)

The CCPA created six specific rights for consumers:

  1. The right to know (request disclosure of) personal information collected by the business about the consumer, from whom it was collected, why it was collected, and, if sold, to whom.
  2. The right to delete personal information collected from the consumer.
  3. The right to opt out of the sale of personal information (if applicable).
  4. The right to opt-in to the sale of personal information of consumers under the age of 16 (if applicable).
  5. The right to nondiscriminatory treatment for exercising any rights.
  6. The right to initiate a private cause of action for data breaches.

And the CPRA added two more rights to that list:

  1. The right to correct inaccurate personal information.
  2. The right to limit use and disclosure of sensitive personal information.

European data protection

US regulators’ efforts in the area of privacy and auto technology lag behind such efforts in Europe, which has forced automakers to update software to limit data collection and protect consumers’ privacy through processes like anonymization and encryption of the communication channel.

In early 2020, the European Data Protection Board published guidelines on processing personal data in the context of connected vehicles and mobility related applications.

The guidelines specifically state that the relevant EU legal framework behind regulating connected cars is the General Data Protection Regulation (GDPR) whenever a connected vehicle is processing the personal data of an individual.

For their part, some automakers have adopted the privacy principles outlined by the Alliance of Automotive Innovation. The principles describe an approach to customer privacy that members can choose to adopt, and they come with a list of the participating firms.

A large array of automakers, including Ford, BMW, Subaru and General Motors, is on the list, and other automakers, like Porsche, have other means for accomplishing these aims. To comply with the GDPR specifically, Porsche provides a vehicle dashboard on which drivers can give or withdraw their consent for the company to collect personal data or share it with third-party suppliers.