CHICAGO -

Remarketers and dealers reselling vehicles without first erasing consumer data captured in onboard computers and convenience systems may put themselves at risk of violating consumer protection laws, said an expert in automotive-vehicle consumer data removal and consumer privacy protection.

Andrea Amico, founder of Privacy4Cars.com, said privacy issues continue to surface and privacy rules are getting increasingly protective, and thus more challenging for businesses that use consumer data in a variety of ways. The concern is for what’s known as Personally Identifiable Information (PII).

For instance, he said, consumer data captured in automobiles via smartphone connections, OBD-II computers and various sensors puts drivers’ and their passengers’ personal information at risk of a data breach.

“Privacy issues are not a flavor of the month, and the legal burden will only increase,” Amico said. He recently spoke in August to the International Automotive Remarketers Alliance about the topic, and later with me again during a follow-up telephone interview.

He said consumers could, technically, sue a dealer or remarketer selling a vehicle they had owned or leased from which their private data is hacked.

“If you are a consignor, you need to worry first because it is your name on the title and you’re the controller of that data; you should do something about it,” he said. Doing “something about it” means taking responsibility to erase consumer information from vehicle infotainment and other systems as vehicles are acquired.

According to a press release from CarGurus citing a recent survey, most consumers do not know or understand the security and privacy implications of connected vehicle technology:

  • Thirty-three percent did not know that a key fob is a potential pathway for hackers to gain access to a connected vehicle.
  • Sixty-one percent of connected vehicle owners did not know that a hacker can access the steering wheel or the brakes of their automobile.
  • Sixty-five percent of connected vehicle owners incorrectly believed that the vehicle manufacturer is required to notify owners of software and security updates.
  • As to protecting their personal data, 70% of consumers surveyed by CarGurus said they’d synced their smartphones to their vehicles and 46% said they did not know the industry best practices on how to keep their personal data safe when driving their car.

As new vehicles even more “connected” than their predecessors flow into the used car space, dealers and remarketers will be even more challenged to protect themselves from this issue, Amico said.

“Two and a half years ago, cars going through auction were the first models to contain (in various onboard systems) personal information, and over time the situation has gotten worse as people now synch more personal devices,” Amico said.

To this point, the CarGurus press release noted that “Consumer perception of the most at-risk devices could explain why more people are connecting to their cars but remain unaware of the security implications.”

The CarGurus survey found that only 22% of people perceive connected vehicles as a significant threat to data security, compared to smartphones (45%), laptops/tablets (41%), smart speakers (40%) and smart home devices (30%).

With more states enacting hands-free laws, people do not realize how much personal information streams into the car, including the passing of data when a passenger uses a charging station on an Uber ride, Amico said.

He said auctions should delete PII from vehicles, including Bluetooth data, navigation data and garage door codes. He said emerging consumer compliance law will pressure auctions to address PII in cars, and that risk-averse consignors will urge the auctions they use to perform these data-erasing activities; he said auctions will see this as a revenue-generating service to provide consignors.

Auto Remarketing correspondent Daryl Lubinsky reported recently, in an article on consumer pushback to autonomous vehicles, that data privacy is one reason for that pushback. Citing information from Ryan Robinson, an automotive researcher for Deloitte, Lubinsky noted how PII and other vehicle data is being reported back to OEMs and “other stakeholders such as insurance companies.”

“We know that there is a lot of concern over this, like data privacy, data security,” Robinson told Lubinsky. A 2018 Deloitte study showed that 64% of U.S. consumers agree with this statement: “With my vehicle connected via wireless internet, I fear someone hacking into my car and risking my personal safety,” Lubinsky noted in his article.

No federal law regulates this data nationally, though individual states are very interested in enacting more comprehensive privacy legislation, with the new California Consumer Protection Act, effective Jan. 1, being the first. That law is intentionally written so broadly, Amico said, that it applies, for practical purposes, to any business that operates in California or does business with consumers residing in California.

Amico, whose company offers a PII deletion app for quick removal of personal data from vehicles, said consumers whose data is hacked are likely to pursue remedy from deep pockets in the supply chain.

“Finance and insurance companies, manufacturers and large fleet companies are likely to be sued, and auctions have an interesting role to play; that depends on who is said to ‘control’ the title.

“This is a manual (removal) process — there is no magic wand to wave; inspection companies can be part of the solution, as can dealers where they take action to remove personal data,” Amico said.