Vehicles are no longer just a means of transportation; they are rolling computers that store dozens of megabytes of sensitive consumer information and data. Navigation history, paired phones, garage door codes, and personal contacts are just a few categories of personal information stored in a vehicle’s memory.
The recent enactment of Senate Bill 2740 in New Jersey in January underscores the importance of safeguarding this data and its implications for auto dealers. The law now requires automobile retailers to offer the deletion of personal information stored in motor vehicles on trade-ins. This legislative move responds to growing concerns regarding privacy and data security in the automotive industry and has far-reaching implications.
The law aims to protect consumers by ensuring their sensitive data is adequately handled, but it’s now incumbent on the dealer to remove this data. Since each vehicle stores data in different ways and locations, removing it will require in-depth knowledge and expertise.
Under the provisions of the law, automobile dealers must adhere to strict protocols outlined in the Guidelines for Media Sanitization established by the National Institute of Standards and Technology (NIST). These protocols dictate the proper procedures for clearing personal data, including instructions for overwriting or resetting devices to factory settings. By following these guidelines, dealers can ensure that all traces of personal information are effectively erased from the vehicle’s systems.
Notably, the law also addresses the issue of transparency and consumer choice. Auto dealers are permitted to charge for the deletion of data, but they must disclose the associated costs to consumers upfront. Additionally, dealers must inform consumers that they can delete the data themselves or seek services from alternative vendors. This provision makes consumers more aware of the risks associated with leaving their data on their vehicle and of their rights, and enables them to make informed decisions about handling this information.
Securing vehicle data goes beyond mere compliance with legislation. It is a matter of trust and accountability between auto dealers and their customers and is likely required under the new Safeguards Rule. ComplyAuto, which calls itself “The only true all-in-one FTC Safeguards compliance solution,” suggests this may be the case.
“In order to determine whether such data stored in vehicles is subject to the Safeguards Rule,” ComplyAuto states, “we need to understand exactly what kind of data the Safeguards Rule directly affects and what it is attempting to protect.”
ComplyAuto states in a lengthy article that the Safeguards Rule concerns protecting nonpublic personal information (NPI). Under the Gramm-Leach-Bliley Act, NPI is defined as “any record containing nonpublic personal information about a customer of a financial institution…that is handled or maintained by or on behalf of [the dealer] or [the dealer’s] affiliates.”
This includes:
Under the Safeguards Rule, dealers may have to remove personal information from vehicles they sell, with or without state law. Removing the data may be in dealers’ best interests for several reasons. Dealers can enhance customer confidence and loyalty by prioritizing data security and privacy. Moreover, robust data protection measures can mitigate the risk of data breaches and safeguard against potential legal liabilities.
New Jersey’s new law codifies the critical importance of securing vehicle data. Dealers must comply with legislative requirements in New Jersey, and other states are moving quickly to mirror the move. Now’s the time to become more aware of the issue and be proactive by training techs to clear personal data on the myriad of makes and models. Even without legislative mandates, dealers can offer such services to build trust with their customers and uphold the highest standards of ethical business practices.
