How Car Companies Can Ensure Compliance With Automotive Industry Regulations When Collecting and Handling Driver Data

Posted by Legalease Solutions on 3 Nov, 2021

In a world weaned on apps and social media, both new and existing car customers are looking to leverage their vehicles’ connectivity features beyond Apple CarPlay and Android Auto.  According to various McKinsey studies, more than a third of car drivers said they would switch car brands to take advantage of improved app offerings, connectivity options, and technology features. These studies also revealed that nearly 40% of all car drivers and 47% of premium car brand owners intend to unlock their vehicles’ connectivity and technology features after purchasing.  This trend presents a fantastic revenue opportunity for OEMs and vehicle brands to offset pandemic-related revenue problems, as McKinsey predicts the automotive data industry to be worth between $450 billion and $750 billion by 2030.

Although OEMs and automakers should explore the opportunities presented by collecting driver data, companies will need to do so within the confines of privacy-focused automotive industry regulations such as GDPR, CCPA, FCPA, and PIPEDA.  They will also need to ensure their collection practices account for cybersecurity, as shown by the UN’s World Forum of Harmonization for Vehicle Regulations recent recommendations and initiatives.  After all, the penalties for non-compliance can be harsh.  Companies could be forced to pay the greater of 20 million Euros or 4% of the company’s global turnover for the severest GDPR violations.  Automakers who fall under the CCPA’s purview could also face up to a $7,500 fine per violation from the California state attorney general and the added threat of a private right of action.

When addressing the alphabet soup of privacy regulations that impact government regulation on the automotive industry today, automakers will need to account for emerging compliance risks as they begin to build out connected technology features in their vehicles and collect driver data.  Here is what they can do to help ensure compliance with privacy-centered automotive industry regulations.

Uncovering and Addressing Compliance Issues Related to Privacy-Centered Automotive Industry Regulations

Uncovering and resolving privacy-related compliance issues related to applicable automotive industry regulations will require in-depth investigation into your organization’s data collection and sharing practices.  You can start this process by talking with key executives, managers, and employees across your divisions and supply chain to assess what types of data your company is collecting or sharing.  For example, if you are currently collecting information related to geolocation data or visual information related to driver movements, you could be collecting CCPA-protected personal information.   If you are also planning to package, sell, or share your customers’ data with data brokers or advertisers, you may need to monitor the progress of upcoming state laws such as the proposed New York Privacy Act.   Different segments of your organization may even face distinct, territory-specific government regulations on the automotive industry, including your international offices.  Your division-level practices can ultimately expose your entire organization to compliance risks depending on the circumstances and how your group is structured, and therefore trigger important compliance and internal training requirements.

Once you have developed a better idea of how your organization is collecting and managing data, run risk assessments related to your privacy and data collection practices.  Make sure to let your in-house or outside counsel lead these investigations, as doing so could give you the opportunity to raise attorney-client privilege in the event your company uncovers possible violations of privacy automotive industry regulations.  Since different departments will likely have different data collection objectives, consider tailoring your investigations on a division-by-division level and assess whether each division is complying with pertinent government regulations on the automotive industry that would affect their operations. 

It is also important to see whether your organization’s existing controls and safeguards for protecting consumer data are adequate, or if they would need to be updated to accommodate your current regulatory needs.  You should plan to schedule penetration tests, engage white-hat hackers, and take other steps to confirm the strength of your current cybersecurity safeguards.  You should also consult with outside cybersecurity, IT, and compliance specialists to discuss what additional steps your group would need to take to ensure your protective measures are fully compliant with applicable automotive industry regulations.  Even if your safeguards do pass muster, it is still possible that your organization could confront a breach that would trigger compliance with government regulations on the automotive industry.  To prepare for this possibility, set up quarterly or annual meetings that allow your in-house attorneys, outside privacy counsel, IT employees, and CTO to provide suggestions that could help with updating your data breach response plan.

Ensuring Your Customers and Stakeholders are on the Same Page Regarding Privacy-Centered Government Regulation on the Automotive Industry

Once you and your in-house teams are clear on your new or updated data protection plans, you will need to deploy a coordinated strategy that works for both your stakeholders and customers.  Since specific regulatory requirements and exemptions will vary based on the territories you serve, be sure to consult updated privacy regulations for your target jurisdictions.  You can also consult the updated, voluntary, privacy-related guidelines published by the Alliance for Automotive Innovation to see how your approaches match up with industry recommendations related to cybersecurity-focused automotive industry regulations.

Although there are notable differences across privacy-centered automotive industry regulations, one common theme they share revolves around transparency and choice.  Your organization should ensure that any data privacy policies and agreements distributed to your consumers are easy for consumers to read and find, and are drafted in a manner that details the types of data your group collects, processes, and sells.  You should also ensure that any privacy policy opt-in procedures and associated checkboxes require your customers’ affirmative consent, and are not pre-checked or pre-selected by default.  If your organization shares customer or employee data with contractors and supply chain partners, have your in-house attorneys routinely review all supplier contracts to ensure the inclusion of pertinent privacy and data protection clauses that satisfy CCPA, GDPR, and other relevant protection requirements.  Consult our contract playbooks, risk analysis programs, and related contract management tools for relevant updates you may need your in-house attorneys to work in, and consider adding schedules to your agreements if necessary to clarify relevant data protection guidelines.

Even companies with the best safeguards, however, can jeopardize consumer data due to human error.  In fact, Verizon’s 2021 Data Breach Incident report found that 85% of data breach incidents across all organizations surveyed involved a human element or employee mistake, while 61% of data breach incidents involved the misuse of security credentials.  While it is impossible to mitigate all types of human errors, the gravity and costs of such mistakes can be mitigated by proper training.  To that end, OEMs and automakers should ensure that their employees and stakeholders have access to FAQ sheets, concise summaries of pertinent government regulations on the automotive industry, and access to online portals for more information and resources about the company’s data security and handling protocols.  Engaging a privacy attorney that has experience in educational and training initiatives, along with using robust and bespoke regulatory compliance tools, can help bring your officers and employees up to speed.  And in the event your company does experience a breach, make sure to follow and document the steps you and pertinent stakeholders took to follow your data breach response plan to ensure compliance.