If you attended the Consumer Electronics Show in Las Vegas, you probably noticed many concepts applied to the one item that many Americans use every day: the automobile. Over the past few years technology developers and manufacturers have set their sights on the automotive industry, which is one of the largest industries in the United States. From automated cars, syncing software, to wearable devices that interact with a vehicle, it is clear that our time in the car is under an era of rapid change.
For privacy and cyber security attorneys, these new concepts present interesting and complicated questions about data collection, use and transmission. For example, one company may be providing you a wearable, and another will be the manufacturer of the vehicle that syncs with it, and a third may be using the data to provide you with coupons for stores that are in close proximity to your car. Will the consumer have to give me permission to collect this data? Will she have access to that data? Will she have any options to limit my use of the data? Importantly - will Big Brother-or worse, the Bad Guys-know that I tend to take my car to the donut shop every Saturday morning?!
The answer to all of these questions will likely be YES, but the fact that they are pending in 2016 demonstrates that we are in the advent of yet another industry that is pushing U.S. regulators to consider the scope of our current privacy and data security laws.
What Do We Know?
Right now, in the U.S., we have to apply the current laws and regulations to these new developments in order to determine the scope of the notice and choice manufacturers and developers need to provide to consumers. Depending on the type of data that is collected and used, we may have to receive explicit “opt-in” from the end-users prior to the collection, use and storage of any data via these devices. Of course, manufacturers and developers will push these boundaries in the hope of explaining that consumers “understand” that their data is needed for these devices to function and therefore do not need to provide explicit permission. We’ll see where the regulators fall on this spectrum, but for now best practice guidance arguably requires there to be a notice and acceptance by end users. If the data is flowing cross borders, there are even more reasons these steps are necessary, especially under the General Data Protection Regulation that was recently adopted in Europe and is set to be in effect in two years.
There will soon likely be more regulations and best practices driving auto-industry compliance activities in the near future. In 2014, the Auto Alliance and Global Automakers released the "Privacy Principles For Vehicle Technologies And Services," to which 20 car companies signed on to establish baseline principles for the collection, use, and sharing of personal and identifiable information. Earlier this year, the Department of Transportation and automakers reached a similar agreement on proactive safety and security principles. Last year, Congress introduced the SPY Car Act, a bill that would launch a cross-sector investigation into vehicle cybersecurity. And just last month, we saw the formation of the House Smart Transportation Caucus, a new Congressional caucus focused on connected and self-driving cars. This is clearly a quickly accelerating area in the intersection of law, technology, privacy, and security, that—like a flashy getaway car—is garnering a lot of attention.
Where Are We Headed?
While consumers are now more used to being identifiable via the location of their mobile device, it may take another few years before they get comfortable with the idea that their car can also help to identify them. Until then, regulators will continue to wrangle with balancing the need for the data that a car may collect against the desire of (some) consumers to control this data. While there may be little explicit guidance, it is best for developers and manufacturers to be clear, concise, accurate and upfront about their practices.
Because as soon as we get our handle on these issues, it is likely that we will have a whole host of new considerations. Imagine a steering wheel that tells you that you need to drink more water, or a seat that tracks your heartrate and sends that data to your doctor’s office? Or, paying for your doctor’s visit while driving, via a video chat with a receptionist who is sitting at a virtual doctor’s office? While these concepts will make our life more informed and streamlined – (What will we do with all the free time!? More donuts, perhaps) – they certainly give rise to interesting questions under existing laws, like HIPAA and PCI DSS. How do we safeguard the health information or cardholder data that would be collected by or transmitted through our connected automobiles?
And what about our children? As driver shuttle services for kids become more and more the “norm,” we may want to think through the data that is being collected from children as they are shuttled from one place to another. COPPA poses requirements to websites operators or online services that are either directed to children under 13 years of age, or have actual knowledge that they are collecting personal information from these children – how will it regulators amend it in response to evolving automotive technologies?
Let’s not forget the security of the data that is collected. Cyber practitioners are routinely highlighting the risk of your car being controlled by an overseas hacker. It is not a farfetched consideration, certainly. The need for safeguards is heightened with automation on the roads. Because our personal safety is at stake, security protections have to be designed into these cars, instead of tacking them on. DoT’s and automakers’ agreed-to proactive security and safety principles call to mind the importance of security by design – or “data protection by design” as the GDPR has relabeled the principle. Moreover, designing security into these vehicles now is probably the best preparation for the hypothetical liabilities, which are decreasingly remaining hypothetical and becoming more real every day.
The automotive industry is presenting us with interesting and novel privacy and data security issues. While these are exciting times for privacy and data security practitioners, do not fret over the lack of structure. Focus on the type of data that is collected – create an inventory that answers these questions:
- From where will we collect data? The car, software, a wearable, the steering wheel, a mobile device, etc.
- What type of data will be collected? Use extreme caution of this data is more sensitive, such as personal health information, financial information, or information collected from children under the age of 13.
- What do we intend to do with this data? Will we share it?
- How do we provide adequate disclosures or obtain consent, where needed, about our data practices?
Once you have answered these questions, drafting your privacy and security statements becomes more straightforward. And, just like your car’s lifesaving features, these may just save your company down the road.
Arent Fox’s Cybersecurity and Data Protection group monitors developments in the connected and autonomous vehicles space. For more information, please do not hesitate to contact Sarah L. Bruno, Eva J. Pulliam, and Lourdes M. Turrecha.