State Privacy Laws May Grant Auto Exceptions
Amendments to two state privacy laws—the California Consumer Privacy Act of 2018 (CCPA) and a bill which amends Nevada’s existing Internet privacy law (SB 220)—have carved out exceptions related to information connected to or transmitted by automobiles. While these amendments do not completely exempt the auto industry from their requirements, they do provide some helpful carve outs to lighten the burden of compliance.
Automobiles have the ability to collect a significant amount of personal information through imbedded internal computers. An increasing amount of information is being transmitted by automobiles to manufacturers, service providers, dealers and other third parties. Many automobiles will have the ability to wirelessly transmit significant information related to health, location, mileage, accidents, and driving habits and patterns. Given this, the industry has been closely monitoring developments in state and federal privacy laws, particularly with regard to whether any of the new state privacy laws would exempt automobile information from the rigorous requirements imposed upon other operators and developers of Internet of Things devices. Two new developments at the state level include such exemptions, which we explain below:
As previously reported, the CCPA, which will go into effect on January 1, 2020, is one of the strongest privacy laws in the United States. It applies to (i) any business with at least $25 million in annual revenue, (ii) any business that handles information from more than 50,000 individuals, or (iii) any business that derives more than 50 percent of its annual revenue from selling consumer personal information.
Since the CCPA was signed into law, a series of bills have been introduced to clarify and refine its scope prior to 2020. Among the bills that have been passed by the California Assembly, and currently being considered by the state Senate, is AB 1146. The bill as originally written would have exempt vehicle information, including VIN, make, model, year, odometer reading, and the name and contact information of the registered owners shared between a “new motor vehicle dealer” and the vehicle’s manufacturer where such information is shared “pursuant to, or in anticipation of, a vehicle repair relating to warranty work or a recall pursuant to specified federal law.” This information is often needed to ensure vehicles are operating safely and is also information that many dealers may not have flagged in a database that easily facilitates providing the rights required under CCPA.
AB 1146 has been amended twice in the Senate, narrowing this exemption for vehicle information. As currently written, it would (1) exempt from the right to opt-out vehicle information or ownership information “retained or shared” between a new motor vehicle dealer and the manufacturer, if the information is shared “for the purpose of effectuating or in anticipation of effectuating a vehicle repair covered by a vehicle warranty or recall,” and (2) exempt from the right of deletion personal information that is needed “to maintain in order to fulfill the terms of a written warranty or product recall conducted in accordance with federal law.”
Notably, the amendment does not get manufacturers or dealers out of having to comply with the CCPA’s notification and disclosure requirements. Additionally, civil actions under Section 1798.150 of the CCPA could still be brought against dealers and manufacturers.
The Senate has until September 13 to vote AB 1146 into law. If it survives the Senate, the Governor has until October 13 to sign or veto the bill.
Governor Steve Sisolak signed SB 220 into law on May 29, 2019, amending Nevada’s existing privacy statute, which went into effect in 2017 and applies to “operators” of websites and online services that collect personal information from Nevada consumers. “Covered information” under the law includes name, home or other physical address, email address, telephone number, social security number, identifiers that allow a specific person to be contacted either physically or online, and any other information concerning a person collected from the person through a website or online service combined with an identifier that makes the information personally identifiable. The primary requirement of the law is to provide a privacy notice explaining the operator’s privacy practices.
SB 220, which goes into effect before the CCPA, on October 1, 2019, allows consumers to opt-out of the sale of personal information to other entities for monetary consideration. While the burden of facilitating this opt-out is something that many businesses are clamoring to accommodate, the amendment provides some relief for the auto industry given that the definition specifies that the term “operator” does not include “a manufacturer of a motor vehicle or a person who repairs or services a motor vehicle who collects, generates, records or stores personal information that is either “retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle” or “provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.”
It is important to note that these exceptions do not exempt dealers and manufacturers from all compliance obligations of the CCPA and Nevada’s Internet privacy law. They will still be subject to the requirements of these laws, for example, for personal information collected via their websites or from consumers who visit the dealerships.
- Related Practices