Privacy, cars, and consumer rights: Who owns vehicle data?
Posted: October 29, 2024
From location data to driving behavior to who’s wearing a seatbelt – cars now collect a lot of personal data. But who “owns” this data – which is often both highly sensitive and potentially valuable? Vehicle manufacturers or drivers?
Privacy law is a fast-developing field. And in certain jurisdictions, it’s unclear who should have ownership or control over automotive personal data. In this article, we’ll explain what car manufacturers should know about how this regulatory landscape is developing.
The scope of vehicle data collection
Modern cars collect all sorts of information that can qualify as “personal data”, depending on the circumstances.
Connected cars collect data about:
- Telematics
- GPS location
- Driver behavior
- Accidents
- Infotainment use
When linked to an individual (usually the driver), all these types of information can be “personal data” in jurisdictions such as the UK, the European Economic Area (EEA), and California.
This data can be extremely valuable to car manufacturers, who often share information about their drivers with service providers and advertisers.
Some of these services primarily benefit the consumer – for example, to help navigation or provide in-car entertainment. Other data-sharing – namely for advertising or analytics purposes – primarily benefits the car manufacturer.
In any case, sharing personal data about drivers can present a privacy risk.
The regulatory landscape
Privacy in cars is regulated by generally applicable privacy and data protection laws, automotive-specific laws, and consumer protection law.
- In the EEA and UK, the General Data Protection Regulation (GDPR) provides rules and principles that govern how “controllers” – including car manufacturers – collect, use, and share personal data about drivers. Another EU law, the ePrivacy Directive, is also highly relevant to automotive data.
- In California, the California Consumer Privacy Act (CCPA) applies to car manufacturers and in-car software providers. The state’s Attorney General and privacy regulator, the California Privacy Protection Agency (CPPA), have both signaled their intention to enforce this law in the automotive sector.
Elsewhere, similar laws regulate the collection of vehicle data, such as Canada’s Personal Information and Protection of Electronic Documents Act (PIPEDA), Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), or China’s Personal Information Protection Law (PIPL).
But these jurisdictions each regulate automotive data in different ways.
Automotive data in the EEA and UK
Across most of Europe, the GDPR requires controllers to determine whether they have a “legal basis” before processing personal data.
For example, if a car manufacturer intends to collect personal data about how people use an entertainment system, the manufacturer must determine its legal basis for doing so.
At this point, another law kicks in – the ePrivacy Directive, which has been implemented into national law by each EEA country and the UK. Under these laws, subject to certain exceptions, only one legal basis is available for collecting information from people’s “terminal equipment” (including their cars) – consent.
Car manufacturers will generally require consent to collect information (personal data or otherwise) about drivers unless the purpose of the collection is strictly necessary for either:
- Ensuring that the car’s entertainment services (etc.) work properly, or
- Providing a service requested by the user.
As such, collecting information for the purpose of sharing it with advertisers is possible in the EEA or UK – but it requires consent.
Automotive data in California
According to an analysis by Capgemini, automotive data could be worth $800 billion to US car manufacturers by 2030.
But in some states – most notably California – manufacturers wishing to cash in on data about their drivers must proceed with caution.
Unlike under European data protection and privacy law, the CCPA does not generally require car manufacturers to obtain consent to collect vehicle data – even if they intend to sell that personal data to advertisers or other companies.
However, the CCPA requires businesses to provide detailed notice to consumers before collecting their personal information and offer them a clear way to opt out of its sale or sharing.
Who owns automotive data?
Assuming a car manufacturer has collected information about its drivers lawfully, with appropriate notice and consent where necessary – does the car manufacturer own that data?
Privacy law and property law are distinct fields, and it’s unclear how – or whether – a company can establish legal ownership of personal data – particularly given that consumers have rights over that data even after it has been collected.
In the EEA or UK, once a car manufacturer has collected automotive data – even with consent – the manufacturer “controls” the data, rather than “owning” it. Drivers and passengers may withdraw their consent, request access to the data, delete the data, or control how the data is used.
And Californian businesses should also avoid thinking of themselves as the “owners” of personal information (automotive or otherwise). California consumers have similar rights to delete and control their personal information, and state authorities tend to interpret such rights in favor of consumers.
Arguably, neither manufacturers nor drivers “own” such personal data. They each retain some degree of control over the data, and car manufacturers must ensure they respect drivers’ privacy rights.
But sharing or even selling automotive data can be perfectly legal both in the US and Europe – if the manufacturer takes the necessary compliance steps, including obtaining consent where appropriate.
Read our research report: Smart cars, smarter consent
Our latest research provides:
- Insights into consumer attitudes toward data privacy in connected cars
- Emphasis on anonymization and transparency in automotive data practices
- Concerns and considerations of drivers with tech-enabled cars
- Exploration of the types and extent of data collected by smart vehicles
- Relevance of granular consent options in influencing consumer choices
- The need for reassurance regarding the adequate anonymization of user data