OFFICIAL PUBLICATION OF THE NEW JERSEY COALITION OF AUTOMOTIVE RETAILERS

Pub. 22 2023 Issue 3

Deleting Customer Data Stored in Vehicles – Best Practice or Legal Requirement?

As the deadline for compliance with the FTC’s revised Safeguards Rule has passed, some dealers may still have questions about implementing the FTC’s new requirements.

From locking up deal jackets to installing multi-factor authentication, navigating the revised Safeguards Rule and understanding its legal requirements and practical demands has been challenging enough. In the past year, your inbox has likely been inundated with emails from vendors claiming that their product or service is “essential for Safeguards Rule compliance.” One of these emails in particular has caused many dealers concern, and it revolves around customer data stored in vehicles:

“What about deleting customer data stored in vehicles? Is that required under the Safeguards Rule or any other law?”

The short answer is no, but there is some important information to consider.

Information in Vehicles and the Federal Safeguards Rule

In order to determine whether such data stored in vehicles is subject to the Safeguards Rule, we need to understand exactly what kind of data the Safeguards Rule directly affects and what it is attempting to protect.

The Safeguards Rule is concerned with protecting non-public personal information (NPI), and under the Gramm-Leach-Bliley Act (GLBA), NPI is defined as “any record containing nonpublic personal information about a customer of a financial institution … that is handled or maintained by or on behalf of [the dealer] or [the dealer’s] affiliates.”

This means that NPI includes:

  1. Information a consumer provides in order to obtain a financial product or service
  2. Information about a consumer resulting from any transaction involving a financial product or service
  3. Any information obtained about a consumer in connection with providing a financial product or service

The definition above focuses on “financial products or services,” and in the dealership context, this would mean that NPI is data that is directly derived from a finance or lease transaction.

As you can imagine, this directly implicates information collected during the financial transaction: data such as customer social security numbers, dates of birth, and other credit-related information. NPI also includes more general types of customer information, such as the customer’s name and physical address.

Most personal data that is stored in vehicles comes from people who are pairing their smartphones using USB cables or Bluetooth. As a whole, this data is generally limited to contact information, location information, text messages, and vehicle service history.

Because the type of data typically stored in vehicles is not information derived directly from a financial transaction, it is considered a stretch to suggest that such data is NPI or is derived from a finance/lease transaction, since the transaction has already concluded. In fact, at no point in its 145‑page Safeguards Rule guidance document does the FTC address the data stored in vehicles.

Regardless of the argument that the information stored in vehicles is NPI, dealers would still be required to provide every loaner or rental customer with a GLBA model Privacy Notice (the two-page document dealers give every credit applicant) prior to delivering the vehicle. However, this is not common practice, nor is it contemplated by any federal publications.

Information in Vehicles and Dealer Liability

Some might argue that failing to delete customer data stored in vehicles could expose the dealership to legal liability under the Invasion of Privacy or General Negligence theories.

A 2020 U.S. District Court case suggests this is not the case. In that case, Avis Rental Cars (also known as Avis) collected renters’ private data (i.e., device identifiers, web browsing data, the GPS history of past locations, call logs, and text messages) when renters paired their phone with the vehicle’s on-board infotainment system. The Plaintiff, a repeat user of Avis’ services, sued Avis, alleging that Avis refused to conduct routine deletion of private data when the vehicle was returned and did not adequately disclose to renters that the infotainment system collected and stored private data.

In determining the outcome of the case, the Court dismissed the Plaintiff’s lawsuit since “[the law] does not recognize [Avis’s] conduct as violative of the Plaintiff’s right of privacy.”

The Court also stated, “To the extent that Avis has lawfully obtained confidential information and does not further disclose or use that information … the common law does not recognize such conduct as an invasion of the Plaintiff’s right to privacy. Nor does the common law recognize a parallel right which requires the Defendant to delete lawfully obtained information where the Defendant has not disclosed that information to others.”

In short, so long as customer information is (1) lawfully obtained and (2) not disclosed to others, there is no violation of substantive privacy rights. Therefore, the Plaintiff had no grounds to make a privacy claim (See Greenley v. Avis Budget Grp., Case No: 19-CV-00421-GPC-AHG; S.D. Cal. Sep. 2, 2020).

While the data stored in vehicles might not be regulated or legally protected, it still might be considered best practice to completely wipe vehicles clean of any prior owner’s data, especially where it concerns rentals and service loaners. The simple and most cost-effective way of doing so is to establish internal procedures at the dealership during the intake of trade-ins, lease returns, and other used vehicles purchased for resale.

Dealers should wipe any personal data from the previous owner’s vehicle during the reconditioning process before it is advertised for sale, in order to adhere to these best practices. Most dealerships use some type of reconditioning checklist that outlines the reconditioning process, and adding this step as part of the reconditioning process would ensure that a subsequent purchaser would not be able to view any data of the previous owner. To make things even easier, instructions on how to wipe data and reset infotainment settings can be found in the vehicle’s owner’s manual.

Dealers may further limit potential liabilities by adding language to their trade-in disclosure forms stating that the previous owner has deleted their data from the vehicle prior to trading it in. Dealers may also want to consider adding similar language to their loaner/rental forms. However, in this case, customers would be certifying that they deleted any personal data off the vehicle prior to returning it to the dealership. It is extremely important to remove personal data from vehicles, considering that rentals and loaner vehicles are typically under the direct control of (and owned by) dealers. Therefore, there may be an increased liability for customer data stored in such vehicles.

Ultimately, adopting these simple, cost-effective internal processes and form changes will represent a conservative approach to this privacy issue. Nevertheless, any individual or vendor suggesting that deleting data from vehicles is a definitive legal requirement or is explicitly mandated under the FTC Safeguards Rule is likely misinformed.

David Estrada is Regulatory Compliance Specialist at ComplyAuto. You can contact ComplyAuto at info@complyauto.com and learn more about the services they provide at www.complyauto.com.

This article should be used as a compliance aid only and is not a substitute for professional legal advice. Each dealer should rely on their own expertise when using it.