Recently, the California Privacy Protection Agency (CPPA) announced its new initiative in investigating the data privacy practices of connected vehicle (CV) manufacturers and the related technologies. Generally, the CPPA will focus its regulatory efforts on retail, advertising platforms, online platforms, and hospitality sectors. However, since modern vehicles are now “effectively connected computers on wheels,” collecting lots of information from built-in apps, sensors, and cameras, CVs are just another source of data collection like our laptops and mobile devices. In the CPPA’s press release, the Agency stated that data privacy considerations are “critical” because CVs “often automatically gather consumers’ locations, personal preferences, and details about their daily lives.” Due to these factors, the CPPA will make inquires to CV manufacturers to understand how these companies are complying with the California Consumer Privacy Act and its amendments pursuant to the California Privacy Rights Act (collectively the CCPA).

Here’s what you need to consider if you are in the CV manufacturing industry or related technologies:

Notice and Right to Know

  • The CPPA will likely want to know how consumer data is collected -think privacy policies and notice at collection. If your company doesn’t have a privacy policy, then the CPPA will likely consider it a “gateway” issue and start asking for more information on your broader CCPA compliance program. And remember, the CCPA categorizes a consumer’s precise geolocation as “sensitive personal information,” which is afforded special protections (i.e., the precise geolocation of the CV). Consider whether your privacy policy has been updated for CCPA compliance.

Right to Delete

  • Consumers may request that a business delete their personal information. While there are exceptions to this right, such as if a business is “required to complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal laws, provide a good or service requested by the consumer, or reasonably anticipated by the consumer within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the user, to ensure security and integrity, or to comply with a legal obligation.” Review these exceptions ahead of time so that you can figure out the best approach to these types of deletion requests.

Right to Opt-out of Sale or Sharing

  • Under the CCPA, there are restrictions on the sale of personal information as well as the “sharing” of data with third parties for behavioral advertising. If the CPPA finds that companies have engaged in “selling” or “sharing” of personal information, they will likely further inquire whether companies have complied with requirements under the CCPA, such as: (1) disclosures in its privacy notice that it “sells” or “shares” personal information; (2) processes for consumers to opt-out of this sale and sharing, such as a link in the footer of the homepage of the website that says “Do Not Sell or Share My Personal Information;” (3) detect and process the Global Privacy Control (GPC) as a consumer’s request to opt-out. (A GPC is a web browser setting that notifies websites of a user’s privacy preferences, such as not to share or sell personal data without their consent, by sending a signal to each website a user visits; also known as do not track requests).

Automated Decision-Making Technology (ADMT)

  • If your CV collects data and either uses ADMT or sells/shares data that will be processed by a third party using ADMT, and such technology will result in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or contracting opportunities, or compensation, healthcare services, or access to essential goods, services, or opportunities, be aware that the CCPA requires certain disclosures related to this ADM and the right to opt-out of this data use.
  • If your CV collects data and uses ADMT to track the behavior, location, movements, or actions of consumers in publicly accessible places, again, be sure to disclose such collection and use in your company’s privacy policy.
  • In general, if your CV company uses automated vehicle technologies or AI/machine learning, note that there will likely be increased scrutiny from the CPPA related to ADMT.

CV manufacturers have increasingly become targets for regulatory scrutiny. Now, as the CPPA begins its enforcement of the CCPA, CV manufacturers should consider whether the CCPA applies to their business and what they need to do to comply.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.