Andrea Amico, Founder and CEO of Privacy4Cars, is passionate about privacy and security, and is full of statistics and facts about the extent of data sharing and how many companies have access to personal information. Vehicles themselves collect and store far more information than most of us realize, and violations, warnings, lawsuits and even regulations are multiplying. Amico showcased all of this during a session at the March 2022 NAFA Institute & Expo, surprising attendees with more than just his blue hair.
Amico first drew the crowd in by handing out USB data blockers, adapters that let a mobile phone charge without its data being accessed. The purpose was to warn attendees never to plug into unknown USB devices, especially ones provided by vendors, “because that’s how the bad guys do things.”
Next, Amico provided some basic definitions: security, in this case, means preventing unauthorized people or companies from gaining access to personal data, while privacy is the right to have that data in the first place.
Chances are you don’t really know how your car works, he said. Car data is not like a database with traditional security and privacy controls. On the contrary, cars are like laptops full of data.
When you plug your phone into a car, whether to pair it or charge it via USB, a lot of information from that phone is collected. This may include:
- Biometric IDs
- Call logs
- Text messages
- Calendar events
- Files downloaded
- Medical providers
- Navigation history
- Home Address
- Garage codes
- Health and credit information
- Third-party apps
Businesses and individuals can also purchase this data for a fee. Amico said the current market price is between $10 and $60 per person per year.
While most drivers only see directions on their in-car GPS navigation, this geotagging goes far beyond Google or Apple. It is also shared with firmware vendors, component manufacturers, telecommunications providers, other connected devices, traffic services, weather services, insurance companies, and so on.
Don’t believe it? Check out these headlines.
In this case, sharing is not caring.
State and Federal Laws
“There are a lot of things America is leading in, but privacy isn’t one of them,” Amico said, referring to the EU’s General Data Protection Regulation (GDPR), known as the world’s strictest law on privacy and security.
In the United States, without a federal privacy law, data regulation is left to the states. All 50 states regulate personal information collected by vehicles, but not all laws are created equal. California, Colorado, Virginia, and Utah have privacy laws inspired by the European GDPR; California adds IoT security laws; and Illinois, Florida, California, Washington, and some cities have biometrics laws. New Jersey was the first state to pass a vehicle telematics and driver monitoring bill, under which companies must tell employees they are being tracked. If they don’t, the company is liable.
Biometrics laws, in particular, are coming under intense scrutiny, and several companies are facing multiple lawsuits for violations. As one example, Amico offers this: “You’re driving a Tesla, it has a camera in front of you, it actually recognizes you, but doesn’t ask for your consent. It’s a violation of statutory damages of $500 per person, so a smart lawyer ran the tab and they figured it was probably worth suing Tesla for.”
To help understand the laws that apply to your state, Privacy4Cars offers a free online resource.
Embedded tweet: “Don’t be a stat: know your rights, delete your data and protect your privacy.” Youtube: https://t.co/ByuibB0RvJ
— BZConsultants (@BzConsultants) April 13, 2022
The good news
While many companies will issue statements about their ethics, data anonymization, GDPR or CCPA compliance, Amico advises digging deeper.
What to Read or Ask OEM and Telematics Suppliers
- Agreement and clauses on consent, use, sharing and retention of data.
- Whether geolocation data is anonymized (if so, that’s a red flag).
- Documentation of compliance with California IoT law (even if you are not in California).
- Take the fleet risk assessment from Privacy4Cars.
There are steps you can take to protect your data. In 2018, the FTC advised fleets to wipe data stored in cars in a post titled “Be Discreet When Deleting Your Fleet.”
Amico recommends working with fleet management companies (FMCs), many of which offer deletion of in-car data at the time of sale; Element, Wheels Donlen and Holman all do, he said.
Steps to Take to Reduce Risk
- Read all privacy and service policies.
- Ask your FMC what solutions they have in place to help you.
- Engage legal.
- Perform RSS/compliance checks.
- Delete all vehicle data during transfers and sale.
- Perform a data privacy assessment.
- Get vehicles under the same policies as other devices (laptops, phones).
- Prune! What data do you really need?
- Implement robust consent management.
- Require a telematics “kill switch” for non-work hours.
For the last item on the list above, Amico explains that in Europe, employees (and their family members) who use a work vehicle for personal purposes after working hours cannot be tracked. California plans to adopt this rule starting in January, and other states are likely to follow suit. Until then, Amico recommends asking your telematics provider how to disable tracking between shifts.
Additionally, consider adding a clause on shared vehicles and rentals to your fleet policy that requires deletion of data upon transfer.
“As a business, to protect your employees, you need to start protecting yourself,” Amico said.
Originally posted on Car fleet