Spotlight on Privacy in the Automotive Industry

24 July 2014 Dashboard Insights Blog

Privacy is a hot topic these days, and the automotive industry is no exception. Connected cars, in-car location services, telematics systems, event data records (black boxes), driverless cars, online consumer targeted advertising, vehicle-to-vehicle communications, mobile apps for cars, data analytics by insurance companies, Apple and Google operating systems for cars – all of these developments are shining a brighter spotlight on privacy in the automotive industry. Consumers and privacy advocates are becoming more and more concerned about privacy violations that may result from the IoT – the “Internet of things” – and cars are part of the IoT infrastructure. OEMs, component part manufacturers, suppliers, service organizations, distributors and dealers all find themselves in the chain of handling personal information and accordingly should be concerned about legal compliance, public relations and customer relationships when it comes to dealing with customer information.

FTC regulations and guidance, for example, require “privacy by design” – building privacy into product and service design and development from the ground up. Consumers must be given notice of what personal information is collected, for what purposes, how it is used and with whom it is shared. Consumers must also be given access to their personal information and a choice (the ability to opt-out) when it comes to using the information for purposes other than product or service delivery, such as sharing with third parties for marketing purposes. Generally, affirmative opt-in consent – not just notice – must be obtained before collecting location information. We all have seen the notices that pop up on our smart phones. We see those notices for a reason – and much of it is driven by legal compliance.

The GAO’s In-Car Location-Based Services report addresses a number of these issues, including disclosure of privacy collection, use and sharing practices; consumer consent and controls; security safeguards and retention of customer information; and accountability for misuse and unauthorized disclosure. Among other things, the GAO states in connection with the collection of in-car location and other information, companies should:

• State the reasons companies collect and share data

• State specifically that collection of location data is limited to specific needs

• Not use data for a purpose other than what has been disclosed to consumers without providing notice and obtaining consent before using the data

• Obtain consumers’ consent before collecting their personal information

• Provide consumers the ability to opt out of data collection to which they have previously consented

• Allow consumers to delete location data that have been collected (The GAO pointed out that the automotive industry has been particularly deficient with respect to this point)

• State a specific time frame for retaining consumer data

• Protect data with reasonable security safeguards against risks such as loss or unauthorized access.

• De-identify data when possible, particularly when transferring data to third parties.

Lastly, the GAO urged the industry to be more accountable when using third-party service providers to handle and maintain customer information. For example, companies should:

• Contractually require service providers to protect privacy and security, and/or comply with certain privacy and security practices

• Limit or prohibit commingling data with data from other customers

• Conduct due diligence risk assessments

• Obtain copies of audits or risk assessments obtained or conducted by the service provider

Failure to comply with legal obligations with respect to the privacy and security of personal information can result in state and federal regulatory investigations and enforcement actions, as well as private claims and class actions. While consumer product retailers have been grabbing the most headlines lately with respect to privacy breaches, companies in the automotive industry should likewise take care to build in a “privacy by design” approach to products and services in order to minimize the risks associated with collecting, using and sharing personal consumer information.

The authors of this post will further discuss the topic of automotive privacy during a free Web Conference on Tuesday, July 29. You can register to attend on

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Related Services