When the Federal Trade Commission (FTC) posted an article about internet of things (IoT) devices that can derive highly sensitive information about users and are subject to regulation, connected cars were high on the list, second only to smartphones.
The July 11 blog post referenced the FTC’s Safeguards Rule, which requires dealers and other groups to have a comprehensive system for safeguarding personal information, including data stored in dealerships’ software platforms and in the electronic systems of vehicles.
“The Safeguards Rule applies to financial institutions, of which two of the biggest classes of companies that are subject to the rule are auto finance companies and dealerships,” Andrea Amico, founder and CEO of Privacy4Cars, told PYMNTS. “So, I think that when the FTC says they’re going to be enforcing this if cars collect geolocation, I think it deserves the attention of the auto community.”
Protecting Personal Information
With Privacy4Cars, a company that offers a subscription service for businesses that helps them delete consumers’ data from cars and track and certify their processes of doing so, Amico has found that 88% of auto dealerships own cars that contain the previous owners’ or drivers’ personal data.
Read more: What Happens to the Personal Data in a Connected Car When the Car is Sold?
The FTC’s Safeguards Rule has been in effect since 2003 but was amended last year with changes that are to take effect December 6. Amico said the current rule requires companies to have “reasonable security” to protect consumers’ personal information, while the amended rule includes a prescriptive list of things companies must do.
“From before you even collect the data to the moment in which you need to delete it because you have no longer a valid reason to keep it, there’s things in there that companies need to do — and they need to do that by December 6,” Amico said.
Looking at Geolocation Data
The amended rule also expands the range of businesses it covers, Amico said. Where the current rule applies to auto finance companies and dealerships, the amended rule also encompasses others in the automotive space, including those that offer marketplaces, auctions and dealer management systems (DMSs).
“Essentially, anybody who’s in the automotive system will be directly or indirectly subject to the rule, which is a big, big change,” Amico said.
In addition, the definition of “personal information” is broadly defined to include not only social security numbers and credit card numbers, but also any information that can be connected to an individual. One area of particular interest to the FTC is the geolocation data that is stored in vehicles’ navigation systems.
“There was a very famous study done, maybe a decade ago, where a university determined that you just need four points on a map with a timestamp to identify 90% of the U.S. population,” Amico said. “That’s why the FTC is looking at geolocation very intently right now.”
Talking with Suppliers
Among the requirements in the FTC’s new prescriptive list are having two-factor authentication and encryption in place and designating a person to be responsible for the company’s program to comply with the Safeguards Rule.
To ensure compliance with the Safeguards Rule in terms of the customer data collected and stored in software used in their offices, some dealerships have gone to their suppliers to see if they are in compliance, Amico said.
“Some of the stuff is stuff that their suppliers need to do,” Amico said. “Your DMS, your marketing system, your F&I system, your HR system — all of those activities provided by some software provider have technical requirements that cannot be done by the dealership itself without the help of the supplier.”
When it comes to the data collected and stored in cars, most dealerships agree that deleting the data of previous customers is a good thing to do, but some are still not doing it, Amico said.
In a white paper Privacy4Cars has released on this topic, the company suggested that dealerships delete data from all vehicles that they own or acquire, including trade-ins, lease returns, vehicles purchased at auctions, repossessed vehicles, vehicles destined to wholesale and vehicles that are used for test drives, used by employees or offered as loaners.
“If a vehicle has GPS, it is extremely common that it contains medical data, in the meaning of hospitals,” Amico said, adding that it may include geolocation data that shows that the driver parked at a building that houses a medical provider.
“If you’re parking at that specific parking spot, it really doesn’t take a lot of imagination to think about what might be the medical underlying reason why they go in there,” Amico said. “That’s exactly what the FTC is concerned about.”