ARTICLE
30 July 2014

Spotlight On Privacy In The Automotive Industry

FL
Foley & Lardner

Contributor

Foley & Lardner logo
Foley & Lardner LLP looks beyond the law to focus on the constantly evolving demands facing our clients and their industries. With over 1,100 lawyers in 24 offices across the United States, Mexico, Europe and Asia, Foley approaches client service by first understanding our clients’ priorities, objectives and challenges. We work hard to understand our clients’ issues and forge long-term relationships with them to help achieve successful outcomes and solve their legal issues through practical business advice and cutting-edge legal insight. Our clients view us as trusted business advisors because we understand that great legal service is only valuable if it is relevant, practical and beneficial to their businesses.
Explore Firm Details
Consumers and privacy advocates are becoming concerned about privacy violations that may result from the "Internet of things", and cars are part of the IoT infrastructure.
United States Privacy
Mark A. Aiello and Chanley Howell
Your Author LinkedIn Connections
Foley & Lardner are most popular:
  • within Coronavirus (COVID-19), Cannabis & Hemp and Insolvency/Bankruptcy/Re-Structuring topic(s)

Privacy is a hot topic these days, and the automotive industry is no exception. Connected cars, in-car location services, telematics systems, event data records (black boxes), driverless cars, online consumer targeted advertising, vehicle-to-vehicle communications, mobile apps for cars, data analytics by insurance companies, Apple and Google operating systems for cars – all of these developments are shining a brighter spotlight on privacy in the automotive industry. Consumers and privacy advocates are becoming more and more concerned about privacy violations that may result from the IoT – the "Internet of things" – and cars are part of the IoT infrastructure. OEMs, component part manufacturers, suppliers, service organizations, distributors and dealers all find themselves in the chain of handling personal information and accordingly should be concerned about legal compliance, public relations and customer relationships when it comes to dealing with customer information.

FTC regulations and guidance, for example, require "privacy by design" – building privacy into product and service design and development from the ground up. Consumers must be given notice of what personal information is collected, for what purposes, how it is used and with whom it is shared. Consumers must also be given access to their personal information and a choice (the ability to opt-out) when it comes to using the information for purposes other than product or service delivery, such as sharing with third parties for marketing purposes. Generally, affirmative opt-in consent – not just notice – must be obtained before collecting location information. We all have seen the notices that pop up on our smart phones. We see those notices for a reason – and much of it is driven by legal compliance.

The GAO's In-Car Location-Based Services report addresses a number of these issues, including disclosure of privacy collection, use and sharing practices; consumer consent and controls; security safeguards and retention of customer information; and accountability for misuse and unauthorized disclosure. Among other things, the GAO states in connection with the collection of in-car location and other information, companies should:

  • State the reasons companies collect and share data
  • State specifically that collection of location data is limited to specific needs
  • Not use data for a purpose other than what has been disclosed to consumers without providing notice and obtaining consent before using the data
  • Obtain consumers' consent before collecting their personal information
  • Provide consumers the ability to opt out of data collection to which they have previously consented
  • Allow consumers to delete location data that have been collected (The GAO pointed out that the automotive industry has been particularly deficient with respect to this point)
  • State a specific time frame for retaining consumer data
  • Protect data with reasonable security safeguards against risks such as loss or unauthorized access.
  • De-identify data when possible, particularly when transferring data to third parties.

Lastly, the GAO urged the industry to be more accountable when using third-party service providers to handle and maintain customer information. For example, companies should:

  • Contractually require service providers to protect privacy and security, and/or comply with certain privacy and security practices
  • Limit or prohibit commingling data with data from other customers
  • Conduct due diligence risk assessments
  • Obtain copies of audits or risk assessments obtained or conducted by the service provider

Failure to comply with legal obligations with respect to the privacy and security of personal information can result in state and federal regulatory investigations and enforcement actions, as well as private claims and class actions. While consumer product retailers have been grabbing the most headlines lately with respect to privacy breaches, companies in the automotive industry should likewise take care to build in a "privacy by design" approach to products and services in order to minimize the risks associated with collecting, using and sharing personal consumer information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Mark A. Aiello
Mark A. Aiello
Photo of Chanley Howell
Chanley Howell
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More