Drivers may not think of their cars as part of a network of computer systems. As a post by Merudata shows (https://www.merudata.com/single-post/privacy-in-the-automobile-industry), this is very much the case, and it raises privacy issues.
Today's cars contain about 100 million lines of software code, and this is expected to triple by 2030. An average car can generate up to 25 gigabytes of data an hour and has the power of 20 personal computers. Cars connect to the Internet and communicate with other devices and vehicles. They are equipped with sensors and equipment including navigation, pre-collision and emergency response systems. They collect and transmit the data these systems produce.
The average driver is unaware that their data is being shared with original equipment manufacturers, insurance companies, driving assistance services, and ride-sharing companies. Third-party data companies gather and sell users' data to other businesses for analysis.
Unlike computers and smartphones, connected cars do not have a clear definition of the privacy and legal aspects of collecting and using their data. In 2021 the European Data Protection Board did publish guidelines on processing personal data collected from vehicles. The California Consumer Privacy Act also addresses how personal vehicle data is collected, used and shared.
Original equipment manufacturers need to focus on problem areas:
1. Data collection. Consumers are concerned about their personal data and privacy rights. Companies need to be mindful of what data they collect, how it is being used and who it is shared with. Data processing activity should have a legal basis. Businesses need to think beyond compliance to meeting customer expectations.
- Reconsider data collecting and sharing practices. Restrict data collection to the minimum.
- Develop easy ways for users to exercise their rights.
- Provide additional options for data use.
- Incorporate privacy-protective features.
2. Consent. Original equipment manufacturers need to inform customers of what data is being collected and secure their consent.
- Consider the different participants (owner/driver/passenger) when seeking consent.
- Consent must be provided separately for each specific purpose.
- Users should have access to a profile management system. It should be easy to provide and withdraw consent.
3. Data storage. Data should be stored and processed in the vehicle, and be encrypted. Data storage and sharing should comply with laws.
4. Data ownership. Define the legal obligations and liabilities of each party that controls and processes data.
5. Privacy by design. Vehicle manufacturers should define privacy instead of relying on third parties. Provide transparency and control to users with simple options.