Connected vehicles can collect and share detailed information about drivers’ locations, film their surroundings, and share data about our habits. But despite this, the automotive industry has received little attention from the world’s data protection and privacy regulators—until now.
The California Privacy Protection Agency (CPPA) has announced a review into connected vehicles as part of its remit to enforce the California Consumer Privacy Act (CCPA).
This article will consider how the CCPA applies to the automotive industry and what we can expect from the CPPA’s review.
What is the CPPA?
The CPPA is a five-member board established under Proposition 24, via which Californians voted to pass the California Privacy Rights Act (CPRA), which amended the CCPA.
The CPPA is the first dedicated privacy regulator in the US and, along with the California Attorney General, has powers to enforce the CCPA and make associated regulations.
What privacy issues are raised by cars?
The CPPA’s review focuses on connected vehicles and associated technologies.
“Modern vehicles are effectively connected computers on wheels,” said the CPPA’s executive director, Ashkan Soltani, in a press release.
“They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle.”
How do connected vehicles relate to the CCPA?
The CPPA has not provided much detail on the particulars of its review. However, there are clear links between the sorts of activities regulated under the CCPA and the sorts of data processing that occur via connected vehicles.
Let’s consider three aspects of the CCPA as it relates to connected vehicles.
The CCPA, like every other modern data protection and privacy law, takes a broad view of the types of data that can constitute “personal information”.
Let’s look at an example. Tesla’s privacy notice describes the types of personal information that its connected vehicle technologies can collect:
- Location data: Tesla uses “GPS, Bluetooth, IP address, and Wi-Fi and mobile towers” to provide “in-vehicle maps, navigation, or mobile app location services” and also “as a result of a safety event”.
- Safety analysis data: Tesla collects information such as “data about accidents or near accident-like circumstances”, “data about remote services” (such as remotely honking the horn or unlocking the vehicle), and data about the car’s software and firmware.
- Advanced features: Certain other Tesla features process information such as “road segment data”, which can reveal a person’s location or activity.
- Charging information: Tesla collects information about how drivers use chargers, and which charging stations they use, for its own purposes.
- Service history: Tesla collects data such as “vehicle identity number (VIN), repair history, parts details, estimate and costs, outstanding recalls, bills due, customer complaints, and any other information related to the vehicle’s service history.”
Most of the data listed above could be “personal information” under the CCPA: “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”.
Connected vehicles are often equipped with cameras that monitor the vehicle’s exterior for security purposes. There are privacy implications when filming public areas.
Indeed, Tesla was required by the Dutch data protection authority to limit the storage period for footage collected by its cars when operating in “Sentry Mode”, to only allow the feature to be enabled at the request of the user, and to notify passersby when they were being filmed.
The CCPA’s consumer rights apply in respect of personal information collected from connected vehicles. Let’s put them in context:
- The right to know: Connected vehicle providers must respond to requests for access to personal information, and must provide notice before collecting a driver’s personal information. This notice could be a pop-up on the connected vehicle’s user interface.
- The right to delete: Drivers can request the deletion of their personal information from connected vehicle providers. An exemption might apply if, for example, the driver’s information is still required to provide requested connected vehicle services.
- The right to opt out: If a connected vehicle provider sells personal information about its drivers, the right to opt out might apply—but Section 1798.145 (7) (g) (1) of the CCPA provides an exemption for certain vehicle dealers and vehicle manufacturers in some circumstances.
- The right to correct: The CPRA introduced a “right to correct”, which could apply if a connected vehicle provider maintains inaccurate personal information about a driver.
- The right to limit the use and disclosure of sensitive personal information: Since the CPRA, precise geolocation (within 1,850 feet) is one of the CCPA’s categories of “sensitive personal information”. Drivers can opt out of certain uses of this type of data—but not to the extent that the data is required to provide requested services.
Another important amendment under the CPRA introduced a principle of “purpose limitation” into California law.
Businesses must only collect or otherwise process personal information to the extent that is “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected”.
Personal information can be used “for another disclosed purpose” but only if it is “compatible with the context in which the personal information was collected”.
As such, connected vehicle providers must:
- Carefully consider the purposes for which they collect personal information.
- Suspend any data collection for which there is no clear purpose.
- Notify drivers about the purposes for which the provider collects personal information.
- Disclose any further purposes for which the personal information will be used.
- Not use personal information for incompatible further purposes.
Will the CPPA enforce the CCPA against connected vehicle providers?
The CPPA describes its investigation into connected vehicles as a “review”, but the agency does have enforcement powers (and the Attorney General retains them, too).
As such, this might be the first area in which we see the CPPA flex its regulatory muscles.
Connected vehicle providers operate in an area that remains relatively untested by privacy law. It is not always clear how privacy laws like the CCPA—which are broad in scope but written with websites and mobile apps in mind—apply to complex systems and emerging technologies.
However, the CCPA’s rules and principles are broadly “technologically neutral”—as are the provisions of other US privacy laws in states such as Colorado, Connecticut, and Virginia.
Businesses across every sector should prioritize compliance with the comprehensive privacy laws that have now been enacted in 11 US states.