As vehicles collect more & more data, how can shops protect their customers?
By onBusiness Practices | Legal | Technology
In the first of a series on data privacy best practices when it comes to connected and semi-autonomous vehicles, The National Law Review states vehicles are “actively collecting 100x more data than a personal smartphone, precipitating a revolution that will drive changes not just to automotive manufacturing, but to our culture, economy, infrastructure, legal and regulatory landscapes.”
The article mentions that mobility companies need to make decisions now about their data privacy and security policies “to optimize compliance and consumer protection with opportunities for commercial success.” Repairer Driven News found that can also be applied to collision repair shops as previously outlined by Brandon Laur with CCi Global Technologies, Pete Tagliapietra with Datatouch, and David Willett with SPARK Underwriters.
During his 2021 IDEAS Collide Showcase presentation in November at the SEMA Show, Laur said collision shops and their third-party partners store all sorts of repair-related data, including personally identifiable information (PII) – names, phone numbers, addresses, and VINs. He noted that the data is only as secure as the weakest point in the system.
Within the collision repair industry, “There’s not too many breaches, but we hear about people getting taken advantage of through ransomware and different attacks like that,” Laur said. “We as an industry have to protect ourselves.”
In February, CCi Chief Information Security Officer Steve Driz said ransomware has recently become more sophisticated. Attackers are making a copy of the data they gain access to and are threatening to publish and/or sell it. He and Laur noted that no one in a business should be given full administrative control and access to data because if they become compromised, everyone will be.
Willett recommends business owners and their employees:
-
- Be vigilant against phishing emails by looking closely at emails from external parties and never clicking on a link in the email without being certain it’s safe;
- Always report suspicious links and emails;
- Use a virtual private network (VPN) to protect your online privacy and identity on phones and tablets, such as the free app ShadowNet;
- Make sure security software on computers is always updated to the latest version to better protect against threats;
- Limit social media use to entertainment only because of the high frequency of hacking on the site; and
- Avoid clicking links on entertainment, food, cooking, and cheap travel sites because they’re a hotbed for hackers.
Tagliapietra talked about data sharing and privacy in April during a presentation by the Collision Industry Conference (CIC)’s Vehicle Data Access, Privacy and Security Committee. How VINs are used was the focus.
“What’s really salient here, with the VIN, is to understand who needs the VIN and how the VIN is being misappropriated in the industry,” Tagliapietra said. “I don’t think it’s any secret that if you’re a collision shop owner, if you write an estimate, how that repair or that estimate ended up in a vehicle history report and you have no idea on how it got there, but it did. …When you look and see who really does need the VIN, the list is not that long.”
For example, a diagnostics business needs the VIN for build sheet data while a parts dealer needs only the last eight digits, he said.
“What’s really important is how the industry can get to the point where we can control the VIN and make sure that it’s protected and the information is not shared where it shouldn’t be shared,” Tagliapietra said.
When it comes to how repair shops can protect the data they collect, he said it’s important to know “that shops have software installed on their operating systems that they’re unaware of.”
“Those applications, in our industry, when a shop performs an EMS export or BMS export that data pump – or data pumps because there’s many of them – they’re grabbing a copy of it and that information is being aggregated by the company that has that data pump running, oftentimes which the shop has no awareness of, and then they’re mining that data and they’re turning around and selling that data.”
The solution is the detection of any data pumps that are running and shutting off those that shouldn’t be, but that’s easier said than done because a way to do that is still being developed, he added.
When repairers at the meeting were asked if they believe they’re in control of their facility’s data and how it’s shared with trading partners, 88% said no.
The National Law Review recommends that only necessary data should be collected and then used solely for the purpose that customers gave permission for. The first step should be to make sure data security protections are in place before data is collected to ensure it doesn’t inadvertently get stolen, as Driz detailed. It’s also important to dispose of data that is no longer needed.
It’s also important to note the industry’s adoption of CIC’s “Golden Rules” as an official work product. The rules state:
-
- “Only use end-users’ data for the service(s) they intended for it to be used; never collect or use their data against them, or for business purposes other than those expressly intended and permitted.
- “Always provide the end-user clarity, transparency, and continuing education on the data you collect, the business purposes for which it is being used.
- “Never misappropriate end users’ data, or knowingly allow any third parties to covertly, dishonestly or unfairly access or take data generated by the end-user, for their own use.
- “Give end-users the choice to determine what data is and isn’t shared, and the opportunity to opt-out of data collection outside of the primary intended purpose.
- “Provide end-users with a clearly published, straightforward process to inquire about data that has been acquired from their business and the immediate chain of custody that data has encountered.”
The Alliance for Automotive Innovation (AAI) reiterated in January the importance of the auto industry’s “ongoing commitment to protect consumer privacy” by sharing the Consumer Privacy Protection Principles that 20 OEMs made a commitment to in 2014.
The principles were reviewed in 2018 and in March of this year. AAI says they’re reviewed periodically “to ensure that they remain relevant and robust.” When committing to the principles, automakers will: provide customers with “clear, meaningful” notices that describe the types of information collected and how it’s used and will obtain “affirmative consent before using geolocation, biometric, or driver behavior information for marketing and before sharing such information with unaffiliated third parties for their own use,” according to AAI. Owners and registered users are also to be provided with choices regarding the collection, use, and sharing of data.
As for AV companies, The National Law Review believes in-house counsel should be “responsible for constructing their company’s data privacy and security policies” with best practices “set around: what data to collect and when, how collected data will be used, how to store collected data securely, and data ownership and monetization.
“In the emerging regulatory landscape, in-house counsel will continue to be challenged to balance safety and privacy,” the article states. “Biometrics will become even more prevalent in connection to identification and authentication, along with other driver-monitoring technologies for all connected and autonomous vehicles, but particularly in relation to commercial fleet deployments.”
Swiss Re Institute notes in an October 2021 article, “We do not know exactly how AV business models will develop, what services will be offered or how the (large amounts of) data will be used and shared. Insurers will have to consider mapping emerging ecosystems to assess how they can best offer coverage.”
Swiss Re Senior Insurance Economist
AVs will supply new and higher frequency data which will support underwriting and pricing. Insurers should prioritise accessing such data.”And with that in mind, Swiss Re says, “More granular and higher frequency data from new business models could allow for enhanced insurance product tailoring. This could enable a more precise assessment of risk profiles for different vehicle makes and models; as well as tracking risk more frequently (when and where a vehicle travels).”
The National Highway Traffic Safety Administration (NHTSA) states on its website that data privacy matters when it comes to advanced and automated safety technologies because data that’s collected, such as routes frequently traveled and addresses visited, is “viewed by private citizens as sensitive and personal” and knowing that it can be collected leads some to avoid the new technologies. That, the NHTSA states, “may slow deployment and undermine promising safety benefits (i.e., lives saved and injuries avoided).”
“Although NHTSA has broad regulatory authority over the safety of passenger vehicles, it is the FTC [Federal Trade Commission] that is the primary federal agency responsible for protecting consumer privacy,” NHTSA states. “The FTC and NHTSA staff meet, coordinate, collaborate and communicate frequently on privacy issues related to motor vehicles, including those involving new technologies such as connected and automated safety systems.”
The FTC noted in 2018 – the most recent information RDN found on the topic on the commission’s website – that “consumers may be concerned about secondary, unexpected uses of… data” and that “addressing consumer privacy concerns is critical to consumer acceptance and adoption of the emerging technologies behind connected cars and that different approaches may be needed depending on how the data is used.”
The National Automobile Dealers Association (NADA) points out that advanced driver assistance systems (ADAS), such as blind-spot detection, automatic emergency braking, parking assist, lane departure warnings, and others depend on data collected from the driver and their driving habits as well as the vehicle “to perform effectively.”
“Some of this data may be collected automatically, and some you may choose to provide in order to enable certain functions,” the NADA article states.
For example, services that collect and share data “should be accompanied by a privacy policy that describes data collection and use,” which can be found in vehicle purchase agreements, user manuals, on the screen when signing up for services, or within any device or app interface that connects with vehicles, according to NADA.
State laws on data privacy
Vehicle and driver data collection practices can vary by state according to laws in place and while some may not specifically relate to VINs or vehicle data collection, they do apply to businesses.
According to The National Law Review, California led the pack by being the first state to enact a data privacy protection law. The California Consumer Privacy Act of 2018 (CCPA), effective in 2023, “gives consumers more control over the personal information that businesses collect about them and… provide[s] guidance on how to implement the law,” according to The California Department of Justice.
A bill signed into law in Florida this spring, and effective in March 2023, amends current law to safeguard PII found in vehicle crash reports and traffic citations by restricting public access to the data. Also during this year’s legislative session, Kentucky lawmakers signed into law model provisions written by the National Association of Insurance Commissioners (NAIC) to protect consumer data that is provided to insurance carriers.
Connecticut in April passed the Connecticut Data Privacy Act (CTDPA) to “establish (A) a framework for controlling and processing personal data, and (B) responsibilities and privacy protection standards for data controllers and processors; and (2) grant consumers the right to (A) access, correct, delete and obtain a copy of personal data, and (B) opt out of the processing of personal data for the purposes of (i) targeted advertising, (ii) certain sales of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers,” according to the text of the law.
In Virginia, the Consumer Data Protection Act was signed into law last year to outline “responsibilities and privacy protection standards for data controllers and processors.” While it only applies to certain businesses and not to state or local governmental entities and contains exceptions for data governed by federal law, the law “grants consumer rights to access, correct, delete, obtain a copy of personal data, and to opt out of the processing of personal data for the purposes of targeted advertising.”
The Colorado Privacy Act, effective July 1, 2023, applies to certain businesses to specify how they “fulfill duties regarding consumers’ assertion of their rights, transparency, purpose specification, data minimization, avoiding secondary use, care, avoiding unlawful discrimination, and sensitive data” and requires them to conduct a data protection assessment for each of their processing activities that involves personal data “that present a heightened risk of harm to consumers, such as processing for purposes of targeted advertising, profiling, selling personal data, or processing sensitive data,” according to the law.
The Massachusetts Information Privacy and Security Act made it to committee during the 2021 session and was introduced again this year. The Senate’s Advanced Information Technology, the Internet and Cybersecurity gave it a favorable recommendation for passage and referred it to the Ways and Means Committee. The current bill applies to businesses and states, “personal information shall be: (1) Processed lawfully, fairly, and in a transparent manner in relation to the individual and in compliance with this chapter; (2) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (3) Processed in a manner that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed; (4) Maintained in a manner such that the information is accurate and, where necessary, kept up to date; (5) Maintained in a form which permits identification of individuals for no longer than is necessary for the purposes for which the personal information is processed; and (6) Processed in a manner that ensures that the information remains appropriately secure.”
While data protection and privacy regulations likely have a long way yet to go, it’s important that collision repair shops understand sooner rather than later what data they and their third party vendors are collecting, how it’s protected and used, and that it’s properly disposed of at the proper time.
IMAGES
Featured image credit: kaptnali/iStock