As July came to a close, the California Privacy Protection Agency (CPPA) announced that it was launching a review of the data protection regimes, or lack thereof, covering assisted driving systems.
California not only has massive armies of vehicles on its roads (its registrations total around 35M, if you’re curious), it’s also sort of a Ground Zero for privacy protection laws thanks to its ever-thriving native tech sector. So, like other corners of the modern economy that generate reams of data, automakers and ADAS solutions providers are starting to come under the regulatory microscope (although we don’t know which ones, because the CPPA hasn’t revealed any specifics about the companies it might be targeting. Also, the agency turned down a request to answer fresh questions for this article, saying that its press release on the probe is sufficient comment).
According to Alcia Arnold, managing director of corporate data consultancy fifty-five, this is correct and necessary because with the very act of driving today, “Users are sharing an enormous amount of data. Any automobile feature that requires connectivity – such as remote lock/unlock, engine start/stop, climate control, vehicle status, location tracking, geofencing, emergency assistance, and even in-cabin music – gathers and uses consumer data. Because there is so much sensitive information being shared within these connected cars, it is imperative the state sets policies in place to ensure consumer protection.”
This leads to a concern, or a hope, depending on your point of view: will California's in-car data privacy push be the first of many such regulatory efforts? “Yes and no,” said Peter Cassat, partner at tech sector-focused law firm Culhane Meadows and former general counsel for Cox Automotive. “California is often the leader and the de facto standard setter for privacy initiatives but whether other states will have the resources to devote to enforcement efforts, is less certain and this is part of a larger privacy debate not just related to automotive.”
Regardless, once the genie is out of the bottle, it’s hard to stuff it back in. Assuming the CPPA can more or less properly address data privacy concerns inside the vehicle, we can fully expect other state, and even national and supra-national, regulators to follow its lead. One executive that’s anticipating such a development is Ani Chaudhuri, CEO of data security solutions company Dasera. In his view: “The California privacy watchdog's recent move reflects a growing global concern: the vast and intricate web of data generated by connected vehicles. History has shown us that regulation often follows where data proliferation goes, whether it's with social media platforms, online transactions or connected vehicles. This is less a beginning and more an inevitable progression.”
It’s important to note, though, that this progress is at different stages throughout the world. Kirsten Whitfield, a partner at the tech and data practice of UK-headquartered law firm Fieldfisher, pointed out that relatively robust data protection regulations are already in place in her part of the planet. “Because of our broader brush principles-based approach to data protection compliance in Europe and the UK, we are unlikely to see specific laws introduced on connected vehicle personal data collection and use,” she said. “What we have seen in recent years, however, is data protection regulators in the EU and the UK spotting the need for specific guidance in this area.”
Meaning that almost everywhere a person may drive, regulators are at least evaluating whether and how users are shielded from in-car data exploitation. Therefore, any entity involved in developing, manufacturing, and/or selling ADAS solutions needs to start preparing to follow new rules, if it isn’t doing so already. Because inevitably, more than a few regulators are going to introduce them.
Yet some observers, like Choudhuri, see this as an opportunity for such businesses rather than a burden. “While initial reactions might view these regulations as cumbersome or barriers to innovation, they can serve as catalysts. Clear ‘rules of the road’ can streamline development processes, reduce wasteful practices, and prevent costly missteps. Stricter data guidelines will drive OEMs and solution providers to be more creative within the confines, potentially leading to breakthrough innovations.”
They should be careful, however, because customers can be sensitive to practices seen as financially exploitative. Raj Rajkumar, professor of electrical and computer engineering at Carnegie Mellon University, pointed out: “There is a ton of value in tracking user habits for marketing purposes. It is hard to imagine that this value will go untapped within cars. However, carmakers and their suppliers need to respect privacy and only use versions that filter out user identities. Else, there will be a backlash at some time or the other.”
In summary, players in the connected car game to pay sharp, and constant, attention to the customer’s want and need for privacy. While many car owners are willing to sacrifice some of their precious data to, say, provide emergency assistance for an accident, they have their limits. Some of these limits will inevitably be codified into law in the very near future.
