When a vehicle is a total loss, or a customer asks for an inspection prior to selling or purchasing a used vehicle, do you remember to always ask if they need help erasing their personal information?
If you do, is this a courtesy, non-included operation? A wave of regulatory changes in Canada and some recent and not-so-recent precedents now in place are about to change all of that. This will bring new challenges but also new revenue opportunities for the auto service industry.
You have probably heard the expression “cars are smartphones on wheels.” That’s an understatement. People’s home addresses, garage door codes, previous destinations, phone numbers and contacts come immediately to mind, but it goes much deeper than that.
Modern vehicles capture terabytes of data each year from two sources. First, the detailed logs of time- and geo-stamped events collected by an ever-growing array of installed sensors (OEM or aftermarket) such as GPS, internal and external cameras, gyroscopes, accelerometers, radars, weight sensors, microphones, etc.
Second, the data downloads and logs created from the devices that drivers and passengers (including minors) connect to the vehicle. For instance, did you know that when you connect your smartphone to a vehicle via Bluetooth to make a handsfree call, or plug into the USB to charge your phone, play your music or use Apple CarPlay or Android Auto, that vehicle will automatically in the background — and often without warning (except for the occasional “do you want to download your contacts?” pop-up on the infotainment screen) — start to download a lot of information?
With every connection, contrary to common belief, the car sucks out a non-encrypted mini clone of the smartphone. Just like you wouldn’t unlock your mobile and hand it to a stranger, leaving personal information (PI) in cars is not just a bad idea and a potential accident waiting to happen, it is increasingly at odds with Canadian privacy regulations.
Canada has a deep love affair with privacy. The Personal Information Protection and Electronic Documents Act (PIPEDA) and other similar provincial laws have been around for 20 years.
Those laws have always mandated that businesses have to know what PI is in their physical or electronic possession and that “personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.” (see: Principle 5 – Limiting Use, Disclosure, and Retention)
Moreover, it specifies that “care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.” (Paragraph 4.7.5.)
The Office of the Privacy Commissioner of Canada has occasionally enforced this provision and established important precedents as to who (spoiler alert: Not the consumer) is responsible for deleting stored PI.
Most famously, about a decade ago, Staples Business Depot was caught by a whistleblower reselling returned electronics without properly removing consumers’ personal information. The privacy commissioner deemed this an egregious violation. When Staples accepted the return of laptops, portable drives, and other electronics, the commissioner argued, it became the new property owner and assumed liability, yet negligently resold those devices with the PI of its customers still stored. Staples was heavily fined and placed for years under expensive and intrusive government oversight of its data sanitization practices.
The parallel with vehicles is uncanny: All vehicles with either Bluetooth or navigation are so-called “hard drives on wheels,” and Privacy4Cars studies show that more than four out of five vehicles are resold still storing the PI of previous occupants.
Why the issue of data left in cars remained unaddressed for years is a mystery (or, if you are cynical, is the result of great lobbying, consumer misinformation, and lack of teeth in regulation).
All of that is about to change. A growing number of recent government studies and investigations specifically addressed the privacy issues posed by cars.
Geolocation data has come under particular scrutiny. You may have heard of the recent Tim Hortons app scandal and investigation. But did you stop and think that most vehicles on the road capture information at the exact same level of detail? On Sept. 22, Quebec’s Bill 64 came into effect, carrying administrative fines as high as $10 million or 2 per cent of the enterprise’s worldwide income for violations (leaving PI behind being one).
The passing of this bill and the August appointment of a new privacy commissioner are likely to tip other provinces towards taking similar measures or to get a vote passed on Canada’s Bill C-27, which would set even stricter standards and enforcement across the land.
For the first time in Canada, we are talking about Spielberg Jaws-level teeth for privacy rules. And yes, you’ll need a bigger boat!
The first implication for the auto service industry in Canada is an urgent warning to step up privacy practices, including always disclosing to its business and retail customers that vehicles contain personal information and always offering to help delete this PI if the vehicle is going to be sold or handed off to a third party.
This is wise risk mitigation for your business, not only against potential legal action, but also against reputational damage now that the issue of PI in cars is out in the open, including, specifically, in service lanes, thanks to the debate on right-to-repair.
The second implication for auto repairers and adjustors is that there is an opportunity, within your corporate clients, to offer PI deletion as a service. Companies will need a legally compliant way to delete PI from cars, i.e. in a manner that is robust, auditable, and accepted as a “reasonable security” standard.
While today none of the three estimating systems have data clearing labour time, it does not mean that they shouldn’t: It takes work to perform and properly document it. Your insurance company customers (for total loss) and fleets and dealerships you serve (for other cases) have obligations to safeguard consumer PI.
Your shop should look at clearing data no longer as a mere courtesy, but as a standard and valuable service that your business customers need to be in good standing with Canadian laws.
Andrea Amico is CEO/founder of Privacy4Cars in Kennesaw, Georgia and can be reached at firstname.lastname@example.org. He co-chairs the Education & Compliance Committee at the International Automotive Remarketers Alliance where he leads the compliance initiative with a special focus on privacy and data security.