Most modern vehicles are basically rolling computers containing a wide variety of personal information.
According to data privacy experts, more than four out of five cars sold in 2020 contained personal data.
There are currently established best practices for computers and cell phones when they are returned to an electronics retailer. These best practices can serve as foundational guidelines for dealers to build consumer trust regarding the protection of the private information contained in their used, lease return, or rental return vehicle.
Bill S2740, introduced in the State Senate in June 2022, and A4723, introduced in the General Assembly in October 2022, are both being considered in their respective chambers. A4723 was voted out of the Assembly Science, Innovation and Technology Committee on March 23, 2023, with amendments championed by NJ CAR. The bills address the data deletion issue as well as the role dealers may play in offering to delete consumers’ personal information (PI). Amendments to A4723 allow dealers to charge a reasonable fee to provide the service.
A4723, as amended, also provides more insight into what is considered “personal information,” “including, but not limited to, navigation history, paired phones, and garage doors codes.” The bill requires data deletion to be done utilizing protocols “developed by the National Institute of Standards and Technology, using techniques specified by the vehicle manufacturer to overwrite data or by using a menu option to reset the (relevant) device(s) to original factory settings.”
Dealers should educate themselves (and their employees) about what is and isn’t required by New Jersey’s legislation, as well as the recently updated Safeguards Rules that went into effect on June 9, 2023. The Safeguards Rule does NOT require data deletion from vehicles.
That being said, it is in the best interest of every dealer to adopt industry best practices when it comes to data deletion of customer PI in order to promote consumer trust and limit possible future litigation. Some potential best practices dealerships might want to consider include:
- Developing and implementing a secure data deletion policy that identifies all types of PI captured by vehicles and the process the dealership follows to delete the information as an optional service for their customers.
- Preparing disclosures dealership staff can provide consumers, including:
- A general disclosure for computerized vehicles capable of data collection, transmission, and sharing with OEMs or any third parties.
- A disclosure for vehicle owners about data inside the vehicle the dealership may share with that vehicle’s OEM and vice versa.
- A disclosure to vehicle owners that data will be captured and stored within the vehicle itself, noting the vehicle owner’s manual will provide them with instructions on how to erase the data stored prior to trading in or ending a lease.
Potential alternative ways to delete in-vehicle PI could involve telling authorized personnel that they are responsible for deleting PI from the vehicle, providing employees with tools to delete PI, or contracting a third party to delete the PI.
While data deletion is not required under the Safeguards Rule, it makes sense for dealerships to consider how they want to address this important issue that can benefit both their customer service AND their bottom line. Developing a consistent and compliant policy using common best practices will help dealerships protect themselves from potential litigation, build brand reputation, and improve consumer trust as technology continues to evolve in the auto industry.
Johanna Stubenhofer is NJ CAR’s Communications Associate and can be reached at jstubenhofer@njcar.org.