
California Data Privacy Laws Differ From EU Standards

May 12, 2021


The cars we drive say a lot about us.  Driving a convertible or an exotic sports car may say something about adventure or a driver who enjoys carefree afternoons.  A sedate plain-Jane sedan might signal that the driver is a more conservative business person.

But underneath their skin, modern cars are spilling secrets.  They are telling the world much more than drivers know about where they go, how they drive, or even where they live.  Data from in-car cameras can monitor eye movement, for example, and tell insurance companies if the driver is not paying enough attention to the road. GPS systems that help drivers find the closest fill-up when they are low on gas or a hotel to book for the night are intended to be a convenience for drivers.  But the data can also reveal consumer preferences or insights into travel habits.

As car makers move toward more autonomous driving systems, the amount of data generated is growing exponentially. Obstacle detection sensors collect mapping data to guide future self-driving cars, as do over-the-air data exchanges between cars. Data recorders map acceleration, braking and steering inputs, similar to the “black box” on commercial aircraft.

With computing power greater than a dozen or more laptops and as many as 200 sensors, a modern car can convey a trove of data that is a marketer’s pot of gold. Some industry watchers, such as McKinsey, estimate that the data collected industry-wide is worth between $450 and $750 billion. 

But while manufacturers retain the right to sell this data, regulators are making it clear that primary ownership of the information belongs to consumers and are giving them more tools to control access to it. The European Union’s General Data Protection Regulation (GDPR) was the world’s most comprehensive ruling of its type when it went into effect in 2018, intended to safeguard consumers’ personal information.

In late April 2021, the EU unveiled the draft of yet another far-reaching regulation governing the use of artificial intelligence to target or identify consumers, further reinforcing privacy policies and consumers’ “right to be forgotten.”

As the EU exerts leadership over privacy laws, regulators in the U.S., the industry’s second largest global market, are failing to gain traction, with one exception. California, the industry’s largest domestic market, is continuing its tradition of pioneering new ground with its own privacy law.

Adopted in 2018 and effective in 2020, the California Consumer Privacy Act (CCPA) shares the EU’s goals of protecting consumers’ privacy and giving them a say in whether data related to them can be used. But while the goals are similar, there are noteworthy differences between the two laws. Compliance with EU standards does not assure manufacturers’ compliance with California standards.

While the EU standards apply to all businesses, California’s law only applies to large for-profit businesses with gross revenue above $25 million and that interact with at least 50,000 California consumers, a standard that most car manufacturers likely meet. Both require companies to disclose personal information upon request. Clean-up legislation (AB 1146, 2019) in California exempted vehicle information related to recalls or warranty shared between manufacturers and dealers, out of concern for safety.

The biggest difference between the two:  The EU requires disclosure after the fact and gives consumers the ability to restrict some of the ways data is used and to rectify incorrect information.  The CCPA requires advance approval for the use of personal data and gives consumers the explicit right to opt out of its sale. 

The EU sets technical standards for the systems that process data.  The CCPA does not, but it allows consumers to take legal action if a data breach occurs.

The California law is just as sweeping as the EU in how it defines data.  Essentially, the CCPA requires manufacturers to tell consumers, if they ask, what data they have, how they got it and who they share it with.  In California, “sharing is selling,” whether or not money is involved.  Data shared between a manufacturer and a financing affiliate or with a research partner, for example, would be covered.

Even though names and addresses are obvious ways of identifying consumers, the CCPA defines personal information broadly to include any data that can be used to infer or suggest an identity, such as IP addresses, demographic or geolocation data that would allow someone to be identified through a composite assembling of the information.     

The California law considers all of this information personal and subject to disclosure, even if it’s available on public forums, such as through social media postings.

The CCPA gives manufacturers 45 days to comply with requests and imposes fines ranging from $2,500 to $7,500 for each individual violation or breach of security (compared to the EU range of $10-$20 million and two to four percent of global sales), suggesting the need for a strong cloud-based mapping system to integrate and extract data quickly and accurately.

As it has with its leadership on anti-smog laws, California’s CCPA has the potential to become the U.S. standard for privacy. 

Sibros' OTA software update system and automotive data management platform has been designed to handle various data privacy laws, including those of California. Contact Sibros for more information on how they can help your organization navigate these regulatory requirements for your vehicle design strategy today.

Bill Sessa
Bill Sessa is a California-based and award-winning freelance journalist who specializes in automotive, motorsports, energy and environmental coverage. He served as the Communications Director for the California Air Resources Board and the California Environmental Affairs Agency.