April 2019

A couple weeks ago, I wrote a post outlining the fledgling legal efforts to address the increasingly urgent privacy concerns related to automated vehicles. While Europe’s General Data Privacy Regulation and California’s Consumer Privacy Act set a few standards to limit data sharing, the US as a whole has yet to seriously step into the field of data privacy. In the absence of national regulation in the United States, this post will look at an industry created standard. The auto industry standard is important not only for its present-day impact on how auto companies use our personal information, but also for the role it is likely to play in influencing any eventual Congressional legislation on the subject.

In 2014, two major industry trade associations – the Alliance of Automobile Manufacturers and the Association of Global Automakers collaborated to create a set of guiding principles for collection and management of consumer data. These twenty automakers, including the “Big Three” in the US and virtually every major auto company around the globe, created a list of seven privacy protection principles to abide by in the coming years.

In the list, two of the principles are somewhat well fleshed out: transparency and choice. On transparency, the automakers have pledged to provide “clear, meaningful information” about things like the types of information collected, why that information is collected, and who it is shared with. For certain types of information, primarily the collection of geolocation, biometric, or driver behavior information, the principles go one step further, requiring “clear, meaningful, and prominent notices.”  When it comes to choice, the industry says that simply choosing to use a vehicle constitutes consent for most types of data collection. Affirmative consent is sometimes required when geolocation, biometric or driver behavior data is shared, but that requirement contains several important exceptions that allow the automaker to share such data with their corporate partners.

The remaining five: respect for context; data minimization, de-identification and retention; data security; integrity and access, and; accountability may serve as important benchmarks going forward. For now, each of these five points contains no more than a handful of sentences pledging things like “reasonable measures.”

These industry-developed privacy protection principles are, for the most part, still pretty vague. The document describing all seven of them in-depth runs a mere 12 pages. In order for the standards to be truly meaningful, much more needs to be known about what constitutes reasonable measures, and in what sorts of situations geolocation, biometric, or driver behavior data can be shared. Furthermore, consumers should know whether the automaker’s corporate partners are bound by the same limits on data sharing to which the manufacturers have held themselves.

Without more detail, it is unclear whether these principles afford consumers any more protections than they would have otherwise had. They are important nonetheless for two reasons. They show that the industry at least recognizes some potential problems with unclear data-sharing rules, and they will likely play a key role in the development of any future legislation or federal regulation on the topic.

For the past several months, this blog has primarily focused on new legal questions that will be raised by connected and automated vehicles. This new transportation technology will undoubtedly raise novel concerns around tort liability, traffic stops, and city design. Along with raising novel problems, CAVs will also add new urgency to longstanding legal challenges. In some ways, this is best encapsulated in the field of privacy and data management.

In recent decades, the need to understand where our data goes has increased exponentially. The smartphones that most of us carry around every day are already capable of tracking our location, and recording a lot of our personal information. In addition to this computer/data generation machine in our pockets, the CAV will be a supercomputer on wheels, predicted to generate 4,000 gigabytes of data per day. Human driven vehicles with some automated features, such as Tesla’s with the company’s “Autopilot” functionality, already collect vast amounts of user data. Tesla’s website notes that the company may access a user’s browsing history, navigation history, and radio listening history, for example.

In response to this growing concern, California recently passed a sweeping new digital privacy law, set to take effect in 2020. Nicknamed “GDPR-Lite” after the European Union’s General Data Protection Regulation, California’s law “grants consumers the right to know what information companies are collecting about them, why they are collecting that data and with whom they are sharing it.” It also requires companies to delete data about a customer upon request, and mandates that companies provide the same quality and cost of service to users who opt out of data collection as those who opt in.

In comparison to the GDPR, California’s law is relatively limited in scope. The California Consumer Privacy Act (CCPA) is tailored to apply only to businesses that are relatively large or that are primarily engaged in the business of collecting and selling personal data. Furthermore, CCPA contains few limitations on what a business can do internally with data it collects. Instead, it focuses on the sale of that data to third parties.

In many ways, it remains too early to evaluate the effectiveness of California’s approach. This is in part because the law does not take effect until the beginning of next year. The bill also enables the California Attorney General to issue guidance and regulations fleshing out the requirements of the bill. These as-yet-unknown regulations will play a major role in how CCPA operates in practice.

Regardless of its uncertainties and potential shortcomings though, CCPA is likely to play a significant role in the future of American data privacy law and policy. It is the first significant privacy legislation in the US to respond to the recent tech boom, and it comes out of a state that is the world’s fifth largest economy. CCPA’s implementation will undoubtedly provide important lessons for both other states and the federal government as they consider the future of data privacy.