Cars learn a lot from their owners, and they know about their location. Where they're parked at night. What routes they usually take to work. What doctor's offices they visit. What churches they attend.
They know about their driving habits: how often they brake hard; how loud they set the volume; when and where they drive faster than the speed limit.
As they've added new connections to cars, auto makers have increasingly harvested and stored such information to establish new revenue streams, using it for advertising purposes or selling it to third parties.
Though there are similarities between CCPA and Europe's General Data Protection Regulation, they have separate scopes and requirements. A business that complies with GDPR may have additional obligations under CCPA, according to the California Attorney General's Office.
But a stringent new California law that went into effect at the start of this year presents new challenges. The California Consumer Privacy Act grants consumers greater access to the personal data that companies keep on them and perhaps, in some cases, more control over how that data is collected and shared.
Exactly what complications the CCPA introduces for car makers and dealerships remains unclear. The law focuses on personal data, not vehicle information. Some provisions remain ambiguous, and attorneys and lawmakers say they are seeking clarification from the state's attorney general on how they might apply to auto-related data. But overall, Lee Tien, a senior staff attorney with the Electronic Frontier Foundation, said Californians should be capable of exercising CCPA rights against the car companies.
"This is totally a big deal," said Lisa Joy Rosner, chief marketing officer at Otonomo, an Israeli company that provides a data-services platform linking auto makers and third-party vendors. "It's top of mind. It's something I'm having conversations about every day."
Working with 15 auto makers around the world, Otonomo has developed apps and anonymization tools that give consumers greater control over what information they share with car companies. Recently, the company helped its European customers prepare for and comply with the General Data Protection Regulation, better known as GDPR, in the European Union. GDPR was something of a model for the California law, which attorneys said is the most stringent in the United States.
While the law itself is new, the underlying friction between privacy rights and vehicles has been brewing for a while. Rosner foresaw the headache on the horizon.
A friend had purchased a certified pre-owned vehicle from a local car dealership. She typed "home" into the embedded navigation system and immediately received directions to the home of the car's former owner. A few more clicks, and she accessed a trove of information on the previous owner's location history.
Whether the responsibility for erasing that data lies with the former owner, the dealership or the auto maker remains uncertain. But it's paramount such issues be addressed, said Rosner, who has compiled a "privacy playbook" at Otonomo that guides auto makers through issues of data privacy and consumer trust.
"Privacy is a fundamental human right," she said. "Our data is us. In 2020, it should be a human right to control how your data is used."
But at the same time California codifies some rights into law, many auto makers say data access is essential to making some features work. In some extreme cases, data sharing is a requirement to purchase a vehicle. What happens if a consumer declines to divulge his or her data but still wants a car? It's at least plausible that denying the purchase is a CCPA violation.
"The CCPA gives consumers a right to nondiscrimination, meaning that businesses are not permitted to discriminate against consumers who exercise their CCPA rights," said Gail Gottehrer, an attorney who focuses on privacy issues and emerging technology. "An example of a discriminatory action would be denying goods or services to a consumer."
As electrification and driver-assist systems proliferate, the need for data access increases. Driver-monitoring cameras that ensure drivers keep their eyes on the road, for example, are becoming a crucial component of these driver-assist systems. But they may involve cars collecting personally identifying information and creating profiles of individual drivers.
More broadly, vehicle data can be used for a greater good. Sharing information among vehicles might prevent crashes. Should individual drivers be permitted to withhold data that could mitigate traffic jams or even save lives?
"I do see driving a car as a life-or-death proposition, and that's something different than privacy on our phones. That wireless connection is capable of notifying you that a car down the road has crashed or slid on black ice," said Roger Lanctot, an analyst with global automotive consulting company Strategy Analytics. "My concern is that we have become so obsessed with privacy that we wall ourselves off from information that might be critical to driving safely."
As the auto industry has seen with emissions standards, California's laws can wield significant influence in setting a standard followed throughout the country. Gottehrer says companies doing business in California may be covered by CCPA, even if they do not have a physical location in the state.
That means, bottom line, that auto makers and dealerships need to quickly understand how the changing legal landscape affects their use of data, explain to consumers how the companies handle this information and let them know how they can opt out.
"Remember that car companies sell cars to dealers, so fundamentally they're (business-to-business) with the exception of Tesla," Lanctot said. "So mastering these kind of communications to vehicle owners is clearly a challenge. I'm inclined to cut them some slack, but they're coming to the end of that slack."