Christian Wolgemuth, associate with McNees Wallace and Nurick LLC, explores the modern-day passenger vehicle. As new technological features have emerged, so has the presentation of more in-depth vehicle data
The purpose of the passenger vehicle – to transport its occupants from one location to another, wherever and whenever they want to go – has remained relatively unchanged since Carl Benz dreamt up a gasoline-powered, three-wheeled, two-seater in the late 1800s. While modern passenger vehicles have certainly become more comfortable, capable and advanced over the last 130 years, their core functionality has remained generally the same. However, as automotive manufacturers have integrated more technological features and conveniences to entice new buyers, they have also created new commercial opportunities for those vehicles to the benefit of the manufacturers and other third parties in the tech industry. With every mile traveled by the driver and every digital “tick” of the odometer, modern vehicles generate incredible amounts of valuable data, and every party gathering, sharing or using that data needs to be aware of the responsibilities and implications that come along for the ride.
The information associated with a vehicle now includes more than just make, model, year and mileage. These modern vehicles generate, and manufacturers and other parties collect, vehicle data that now includes:
• Vehicle health data, such as odometer reading, fuel level, oil life, diagnostic codes and other maintenance information.
• Remote data, such as status of powered doors, windows, hood, trunk, sunroof, hazard lights, fuel economy and trip distance.
• Driving data, which includes acceleration rates and vehicle speeds, steering and breaking usage and travel direction.
• Data relating to the vehicle occupants’ usage of multimedia screens.
• Voice prompts and voice recordings.
• Historic GPS and precise vehicle location data.
Just like data generated from an internet user’s browsing or online shopping history, data generated from vehicles is incredibly valuable to manufacturers and third parties integrating consumer-friendly technology. The generation and mining of this data has generally not gotten the same level of public attention as internet browsing or cell phone data, but it does need to be treated similarly by the controllers and processors of that data to make sure that the applicable privacy laws are not violated. Given the size and sophistication of modern automotive manufacturers operating in the United States, they are certainly cognizant of their obligations toward consumer online privacy stemming from domestic legislation like the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Privacy Act (VCDPA) and international legislation like the European Union’s General Data Protection Regulation (GDPR). A quick glance at most of their online privacy policies will confirm as much, but some manufacturers still have room for improvement in how they acknowledge their use of data generated by their vehicles.
To be fair to the manufacturers, the current body of applicable privacy law does not address data generated by vehicles as clearly as it could or should. Although tighter legislation could potentially decrease the commercial value of data if it restricts how that data can be used, more coherent legislation can have the beneficial effect of providing clarity to companies so that they can structure their use of data in ways that limit their exposure to lawsuits by consumers and fines by regulatory agencies.
The CCPA and CPRA define personal information as any information that directly or indirectly identifies relates to, or describes a particular consumer or household or is reasonably capable of being associated with or could reasonably be linked to a particular consumer or household. This includes geolocation data. The VCDPA similarly defines personal information as any information that is linked or reasonably linkable to an identified or identifiable natural person (where an identified or identifiable natural person is a person who can be readily identified, directly or indirectly). Continuing the theme, the EU’s GDPR defines personal data to be any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one that can be identified, directly or indirectly, by reference to an identifier, such as name, ID number, location data or online identifier.
Focusing only on vehicle information data, it does not take much imagination to see how historic GPS and precise vehicle location data could be associated with a particular consumer or household. Even if the data is anonymized so that the driver’s name is not connected to the vehicle, that data will clearly show where the driver lives and works based on where it is regularly parked and driven during certain times of the day. The very nature of that location data makes it nearly impossible not to be associated with or linked to a particular consumer or household. Despite the hassle and potential confusion of having to cross-reference multiple legislative acts and bodies of law, the good news for automotive companies is that the definitions of “personal information” are uniform in their inclusion of and applicability to vehicle location history.
Law enforcement agencies and the courts are beginning to grapple with the complexity of constitutionality questions surrounding the use of precise geolocation recordings.
Given the sensitivity of location data that shows where individuals live, work, travel, and spend their free time, companies need to be keenly aware of the risks of running afoul of privacy laws through their use of that data or failure to adequately protect that data. Under the CCPA, CPRA and VCDPA the respective states’ Attorneys General can bring actions for civil penalties of up to $7,500 per violation if the acts were intentional (e.g. selling data in violation of their own privacy policy or the opt-out requests of their customers). The GDPR likewise allows its enforcement authorities to bring administrative fines of up to 20 million euros or 4 percent of global revenue, whichever is higher.
To give an example of the risks to companies for inappropriately selling location data and running afoul of privacy laws, in February 2020 the FCC (under Republican leadership) proposed $200 million in fines to Verizon, AT&T, T-Mobile and Sprint for sharing their customers’ data in violation of the Telecommunications Act. While that amount of money is certainly substantial, some lawmakers in Washington, D.C. thought it was “comically inadequate” when compared to the $350 billion in combined revenue those four companies had in the previous year. Given the value and quantity of data being generated by vehicles and the overall earnings by automotive manufacturers, they too should be focused on avoiding the types of fines being slammed on other industries for using and sharing data inappropriately. Ford, Toyota and Hyundai (to name just a few) all have privacy policies on their respective websites that acknowledge their collection of precise vehicle location information over time. Those privacy policies also disclose the fact that vehicle location information may be shared or sold for marketing or analytics purposes. While sharing this information is not per se a violation of consumer privacy statutes, automotive companies must ensure that their practices adhere to the requirements of applicable laws if they wish to avoid the types of penalties levied upon Verizon, AT&T, T-Mobile and Sprint.
Precise historical vehicle location data has great value to other parties as well – law enforcement. While the previously discussed privacy laws are designed to limit or restrict the disclosure of personal information, automotive companies may inevitably find themselves in situations where they are required to disclose that data in cooperation with criminal investigations. Law enforcement agencies and the courts are beginning to grapple with the complexity of constitutionality questions surrounding the use of precise geolocation recordings. Analogies are being made to the use of cell phone location data to retroactively track a suspect’s movements. A federal court in Illinois made just such a comparison in 2019 when it held that it was unconstitutional for the police to obtain a vehicle’s location information from a third party without a warrant and attempt to use it against the driver of that vehicle. However, in May of 2020 the Ninth Circuit Court of Appeals held that a criminal defendant had no reasonable expectation of privacy in his movements as revealed by the historical location data of his rental vehicle after failing to return the vehicle by the contract due date. That defendant therefore lacked standing to challenge the warrantless search of the vehicle location database that contained evidence leading to his arrest.
In October of 2020, the same federal court in Illinois held that there was probable cause to issue a search warrant for cell phone geofence location data held by Google in the investigation of a string of arsons. Law enforcement wished to obtain Google account identifier and subscriber information for any device that happened to be located within the specific places and timeframes where the arsons occurred. The court stated that there was probable cause that evidence of the crimes would be located at Google because location data on cell phones at the scene of the arsons and the surrounding streets could provide evidence on the identity of the perpetrators and witnesses to the crimes. The court was willing to grant that search warrant even where there was no direct evidence to suggest that the perpetrators or witnesses would have had cell phones on them at the time.
As for automotive companies, the precise and historic vehicle location data they now possess could provide the exact type of evidence that law enforcement sought from Google. Automotive companies need to be prepared to handle similar requests and warrants for data.
Nothing in this article constitutes legal advice. If you have a question about data privacy laws that may apply to you or your business practices, you should contact a qualified attorney.
Published August 13, 2021.
