Repairer Driven News

An inside look at one company’s data collection protocols, user ‘consent’ details


CerebrumX Labs, which describes itself as an artificial intelligence (AI)-driven automotive data services and product provider, uses “a highly secure, AI-based Augmented Deep Learning Platform (ADLP)” and, so far, has collected more than 100 million miles of data from vehicles. The data collected, with consent from automakers and drivers, includes personally identifiable information (PII), but what does “consent,” in this case, mean?

Companies and unauthorized third parties collecting and/or selling data that many users may think is private is now commonplace not only in the automotive and collision repair space but in just about any cloud-connected or online-based service.

Collision repair shops and consumers need to be aware of what’s collected and how to ensure their data is safe. The Society of Collision Repair Specialists (SCRS), the Database Enhancement Gateway (DEG), and Mike Anderson’s Collision Advice have previously suggested that shops get authorization from their customers to reset or clear PII data for total loss vehicles or vehicles they intend to sell, and have them sign a release to avoid any liability associated with the procedure.

A new data privacy concern regarding scan tool end-user license agreements (EULAs) was brought to the attention of the collision repair industry earlier this month during the Collision Industry Conference (CIC)’s meeting in Richmond, Virginia. An Autel Technology Corp. EULA states that a broad array of customer data can be collected from its diagnostic scan tools, shared, and governed by the People’s Republic of China.

CerebrumX CEO and co-founder Sandip Ranjhan told Repairer Driven News there are multiple levels of consent that end users agree to, beginning with consent to collect from the company’s partners, including OEMs, media companies, insurers, fleet companies, and smart cities/municipalities. Then, the user must give consent for the data to be shared with CerebrumX or any other party. There are also consent requests for specific occurrences by date and time, such as vehicle crashes, Ranjhan said.

“These are all consents which are explicitly documented [and] recorded in the system and, for compliance purposes, I think they can be audited,” Ranjhan said.

He added that CerebrumX follows U.S. data collection and privacy compliance laws as well as state laws, which vary from state to state.

A news release from the company says CerebrumX’s Augmented Deep Learning Platform (ADLP) “collects and consolidates scattered data from our partners and other third-party apps and devices to enable the activation of connected vehicle data that has previously been under-utilized to any significant level due to the absence of an integrated Automotive Ecosystem.”

Ranjhan said data collected for insurance companies and fleet purposes includes idling and driving time, fuel and driver efficiency, fuel consumption patterns, driving behaviors, and crash data, which are pulled from OEM sensors already located in vehicles from the factory after over-the-air (OTA) consent is given. Data collected by insurers is typically used for usage-based insurance, he said.

CerebrumX’s systems never talk to vehicles directly; all data is encrypted, access requires two-factor authentication, and the servers that store the data are located in the U.S. If consent is revoked, for example when a user opts out of data collection, all information about that user is deleted from CerebrumX’s servers, Ranjhan said.

There are currently more than 80,000 users who have given their consent for CerebrumX to collect data, with more being added every month.

The company declined to give RDN a copy of its full EULA but did provide the consent portion of it. It defines consent as the customer “agreeing to the use of their Aggregate Data and PII in response to a clear, meaningful, and prominent notice disclosing the specific purposes for which the Supplier shall use the Aggregate Data and PII that is otherwise legally sufficient under Applicable Law.”

The data won’t be used outside of the U.S. and “applicable law” means “any statute, law, regulation, ordinance, rule, judgment, notification, order, decree, bylaw, permits, licenses, approvals, consents, authorizations, government approvals, directives, guidelines, requirements or other governmental restrictions…,” according to the EULA.

“In terms of personal information, we are very careful if at all the user has consented,” Ranjhan said. “For example, [in] insurance, you give consent — ‘that I’m OK to really get that data,’ then only we collect that data. So the PII information, we are extremely careful. That has to be explicitly consented by the user.

“Same goes with fleets, like the fleet owners have to explicitly consent, and they should also take the consent from their drivers… If it is not consented then we have to anonymize the data. …We are extremely, extremely careful. To an extent, we are paranoid about all these aspects of compliance and the security aspects and similar things we expect from our partners.”

He added that consent agreements from both sides are reviewed by CerebrumX and their partners to meet each company’s privacy and consent standards.

One of CerebrumX’s partners, Toyota, told RDN its customers that work with the data company are fleet operators, and its EULA is designed specifically for those customers.

On a macro level, the OEM’s Privacy Notice states users consent to Toyota’s “electronic collection and use of your account information and vehicle data and our storage of such data wherever we designate.” The notice applies to vehicles equipped with “Connected Services,” including Safety Connect, Service Connect, Remote Connect, Navigation, Wi-Fi Connectivity, and several other features. Data collected includes “vehicle location, health and driving data, to support navigation assistance, emergency services, remote engine start, maintenance alerts, infotainment apps and more.”

Under the “Usage of Vehicle Data and Its Limitations” section of CerebrumX’s consent EULA, customers agree that, “All valid Consent herein collected by the Purchaser shall be shared with concerned OEM as required at their sole responsibility. The Supplier shall provide Vehicle Data only after the Purchaser has determined that an insurable interest exists in the vehicle relative to the named Customer. …The Purchaser shall not share or disclose the Vehicle Data and the PII with any third party. The Supplier shall not share or disclose any Vehicle Data or PII obtained from Purchaser with any third party.”

CerebrumX recently announced an investment from BlackBerry that will help it ramp up the delivery of new data-driven, in-vehicle products and services that “make it easier for automakers to create turnkey user-centric applications and enterprise solutions.”

“CerebrumX has an ambitious vision, together with our partners, customers, and stakeholders, to deliver intelligent real-time data insights at scale, and we are excited to have BlackBerry onboard as an investor, who share the same long-term commitment to the global connected vehicle data industry,” Ranjhan said in a news release about the investment.

With the new funding and by integrating with BlackBerry IVY, BlackBerry’s cloud-connected, automotive artificial intelligence (AI) platform, CerebrumX will “be able to develop embedded in-car synthetic sensors to collect valuable consented data and perform critical data processing at the edge, delivering real-time insights that can help inform in-demand applications such as comprehensive driver and vehicle health scores,” the release says.


Featured image: metamorworks/iStock
