Industry Efforts at Privacy Regulation

A couple weeks ago, I wrote a post outlining the fledgling legal efforts to address the increasingly urgent privacy concerns related to automated vehicles. While Europe’s General Data Privacy Regulation and California’s Consumer Privacy Act set a few standards to limit data sharing, the US as a whole has yet to seriously step into the field of data privacy. In the absence of national regulation in the United States, this post will look at an industry-created standard. The auto industry standard is important not only for its present-day impact on how auto companies use our personal information, but also for the role it is likely to play in influencing any eventual Congressional legislation on the subject.

In 2014, two major industry trade associations, the Alliance of Automobile Manufacturers and the Association of Global Automakers, collaborated to create a set of guiding principles for collection and management of consumer data. These twenty automakers, including the “Big Three” in the US and virtually every major auto company around the globe, created a list of seven privacy protection principles to abide by in the coming years.

In the list, two of the principles are somewhat well fleshed out: transparency and choice. On transparency, the automakers have pledged to provide “clear, meaningful information” about things like the types of information collected, why that information is collected, and who it is shared with. For certain types of information, primarily the collection of geolocation, biometric, or driver behavior information, the principles go one step further, requiring “clear, meaningful, and prominent notices.” When it comes to choice, the industry says that simply choosing to use a vehicle constitutes consent for most types of data collection. Affirmative consent is sometimes required when geolocation, biometric or driver behavior data is shared, but that requirement contains several important exceptions that allow the automaker to share such data with their corporate partners.

The remaining five (respect for context; data minimization, de-identification and retention; data security; integrity and access; and accountability) may serve as important benchmarks going forward. For now, each of these five points contains no more than a handful of sentences pledging things like “reasonable measures.”

These industry-developed privacy protection principles are, for the most part, still pretty vague. The document describing all seven of them in depth runs a mere 12 pages. In order for the standards to be truly meaningful, much more needs to be known about what constitutes reasonable measures, and in what sorts of situations geolocation, biometric, or driver behavior data can be shared. Furthermore, consumers should know whether the automaker’s corporate partners are bound by the same limits on data sharing to which the manufacturers have held themselves.

Without more detail, it is unclear whether these principles afford consumers any more protections than they would have otherwise had. They are important nonetheless for two reasons. They show that the industry at least recognizes some potential problems with unclear data-sharing rules, and they will likely play a key role in the development of any future legislation or federal regulation on the topic.