Repairer Driven News

ASA offers sample vendor data pact after CARFAX leak produces ‘irate’ customer


Citing a recent incident with a shop’s “irate” customer, the Automotive Service Association on Wednesday warned both the mechanical and collision industries against the threat of third-party vendors using customer data for purposes unauthorized by the shop or vehicle owner.

It’s also released a sample data privacy agreement collision repairers might use to prevent such headaches. (Our usual caveat: Run all legal documents and questions first through a qualified attorney licensed in your state to ensure suitability for your situation.)

The actions came after an ASA board member reported a shop and customer found themselves caught off-guard by an as-yet-unknown third party’s CARFAX report.

CARFAX received vehicle information 48 hours after the estimate creation, leading the customer to erroneously blame the shop.

“The board member stated that the consumer was irate because the value of his vehicle was impacted severely,” the ASA wrote in a news release. “He demanded to know why the shop shared the information without his consent.”

The shop hadn’t shared it, and it hasn’t figured out who had. However, CARFAX has assured the facility that the source wasn’t estimating service CCC.

“CARFAX currently gathers information from more than 34,000 sources,” CARFAX communications director Larry Gamache wrote in a letter. “However, CCC is not one of these. CCC does not report information from your facility to CARFAX.”

“Shops need to take control of their data,” ASA Collision Division Operations Committee director Scott Benavidez (Mr. B’s Paint & Body Shop) said in a statement. “Situations like this aren’t unique, and the potential for class-action lawsuits should cause everyone to lock down their data. Nobody should be profiting from the data we are generating on behalf of our customers.”

Benavidez is correct. The Society of Collision Repair Specialists warned of such scenarios three years ago after a shop faced getting suspended from a direct repair program after a VIN database obtained a customer’s loss information.

The VIN service confirmed it didn’t get that information directly from the information provider or the repairer, leaving that shop off the hook, “but it further reinforced the need for collision repair business owners to have protocol in place to maintain control of information and data generated by their business,” SCRS wrote at the time.

Such fears also demonstrate the need to shift to the Collision Industry Economic Commerce Association’s Business Message Specification data standard, which only disseminates the portion of an estimate each business partner needs to do their job, and nothing more. The obsolete Estimate Management Standard format that remained in use at many shops last year just sends the entire estimate over indiscriminately unless a shop takes precautions.

CCC has offered BMS free for a year now through its Secure Share feature. Mitchell had promised to offer it free by December 2017, and Audatex has promised to make it available free sometime this month.

The sample ASA data security agreement holds a vendor to “reasonable security procedures and practices” to keep a shop (and customer’s) data from being destroyed or disclosed.

“Vendor further agrees and warrants that it shall not access, use, modify, disclose, or sell (broadly defined as receiving any monetary or non-monetary consideration, including reciprocal sharing agreements) to a third-party any Personal Information or Proprietary Technical Data it receives from Company without the express written consent of Company after Vendor’s full disclosure of its intended use of the Personal Information or Proprietary Technical Data, the identification of all third-parties that will receive any such data and their intended use, and any consideration Vendor may receive for the data in individual or aggregate form,” it continues. “This includes, but is not limited to, the mining, manipulation, analysis, breakdown, summary, or repackaging of Personal Information or Proprietary Technical Data.”

The vendor must also notify the shop within 72 hours of any data breach.

“The document states that all information (data) provided to outside vendors is owned exclusively by the shop and provided for the sole purpose of conducting business,” the ASA news release states. “It does not grant the authority or privilege to share the data, sell it, or repackage it in total or part without the express written consent of the shop.”

Some vendors might balk at these broad terms, not because they want to sell your customer’s data to VIN reporting companies but rather because aggregate data is inherently useful for research and business purposes, both within the vendor’s company and at third parties. For example, CCC, Mitchell and Enterprise often report, for free, trends they find in the industry from aggregate data, and LKQ has also mentioned using CCC’s research as a metric with which to compare its own growth. (It’s unclear if it pays CCC for this privilege.) A vendor might not even know to whom they’d be selling or providing data months or even years into the future.

And finally, subsidizing a service with the ability to use one’s data is an attractive business model for both a company and consumer (the shop). John Ellis, founder of Ellis & Associates and a former Ford global technologist, has proposed a future where consumers could offset the price of a car by allowing their personal data to be sold.

He described it in an October TEDx talk as a logical extension of a “zero dollar economy” with roots at least as far back as the first newspapers to sell ads to lower the cover price in 18th Century Colonial America. Such a “zero dollar” business model now allows highly useful services like Google’s product suite and Facebook to operate without charging their billions of users anything, he said.

But as the recent controversy over Facebook and Cambridge Analytica and the CARFAX incident show, sometimes data can be misused, and perhaps neither you nor your customer are comfortable with what a third party could do with it or the unknown fourth parties buying it off them. Or perhaps you feel like you’re not getting enough compensation (in the form of a discounted price) for the use of that data.

All businesses will want to weigh these considerations and hash them out with customers and business partners, and the vendor agreement is a good place to start that conversation.

“We believe that most third-party vendors in the industry do a great job of protecting a shop’s data,” ASA Mechanical Division Operations Committee director Bob Wills (Wills Auto Service) said in a statement, “and they have policies and contractual language to highlight their commitment to doing the right thing. We also know that there are a few vendors that profit from using the shops’ data without their express written consent. It’s time for the industry to take note and take control of their data.”

More information:

“Concerns Raised About Third-Party Vendors Sharing Shop Data on Customers”

Automotive Service Association, April 26, 2018

ASA data security agreement

ASA, April 26, 2018

“SCRS Researches EMS Data Export Options to Identify Data Pumps”

Society of Collision Repair Specialists, July 7, 2015


An inflatable CARFAX mascot is seen outside of a Sacramento, Calif., dealership in March 2014. (slobo/iStock)

A representation of how various disparate data sets can be mined for valuable insight. (ArtHead-/iStock)
