Pub. 22 2023 Issue 3

Regardless of the argument that the information stored in vehicles is NPI, dealers would still be required to provide every loaner or rental customer with a GLBA model Privacy Notice (the two-page document dealers give every credit applicant) prior to delivering the vehicle. However, this is not common practice, nor is it contemplated by any federal publications. INFORMATION IN VEHICLES AND DEALER LIABILITY Some might argue that failing to delete customer data stored in vehicles could expose the dealership to legal liability under the Invasion of Privacy or General Negligence theories. A 2020 U.S. District Court case suggests this is not the case. In this scenario, Avis Rental Cars (also known as Avis) collected renters’ private data (i.e., device identifiers, web browsing data, the GPS history of past locations, call logs, and text messages) when renters paired their phone with the vehicle’s on-board infotainment system. The Plaintiff, a repeated user of Avis’ services, sued Avis, claiming that they allegedly refused to conduct routine deletion of private data when the vehicle was returned and did not adequately disclose to them that the infotainment system collected and stored private data. In determining the outcome of the case, the Court dismissed the Plaintiff’s lawsuit since “[the law] does not recognize [Avis’s] conduct as violative of the Plaintiff’s right of privacy.” The Court also stated, “To the extent that Avis has lawfully obtained confidential information and does not further disclose or use that information … the common law does not recognize such conduct as an invasion of the Plaintiff’s right to privacy. Nor does the common law recognize a parallel right which requires the Defendant to delete lawfully obtained information where the Defendant has not disclosed that information to others.” In short, so long as customer information is (1) lawfully obtained and (2) not disclosed to others, there is no violation of substantive privacy rights. Therefore, the Plaintiff had no grounds to make a privacy claim (See Greenley v. Avis Budget Grp., Case No: 19-CV-00421-GPC-AHG; S.D. Cal. Sep. 2, 2020). While the data stored in vehicles might not be regulated or legally protected, it still might be considered best practice to completely wipe vehicles clean of any prior owner’s data, especially where it concerns rentals and service loaners. The simple and most cost-effective way of doing so is to establish internal procedures at the dealership during the intake of trade-ins, lease returns, and other used vehicles purchased for resale. Dealers should wipe any personal data from the previous owner’s vehicle during the reconditioning process before it is advertised for sale, in order to adhere to these best practices. Most dealerships use some type of reconditioning checklist that outlines the reconditioning process, and adding this step as part of the reconditioning process would ensure that a subsequent purchaser would not be able to view any data of the previous owner. To make things even easier, instructions on how to wipe data and reset infotainment settings can be found in the vehicle’s owner’s manual. Dealers may further limit potential liabilities by adding language to their trade-in disclosure forms stating that the previous owner has deleted their data from the vehicle prior to trading it in. Dealers may also want to consider adding similar language to their loaner/rental forms. However, in this case, customers would be certifying that they deleted any personal data off the vehicle prior to returning it to the dealership. It is extremely important to remove personal data from vehicles, considering that rentals and loaner vehicles are typically under the direct control of (and owned by) dealers. Therefore, there may be an increased liability for customer data stored in such vehicles. Ultimately, adopting these simple, cost-effective internal processes and form changes will represent a conservative approach to this privacy issue. Nevertheless, any individual or vendor suggesting that deleting data from vehicles is a definitive legal requirement or is explicitly mandated under the FTC Safeguards Rule is likely misinformed. David Estrada is Regulatory Compliance Specialist at ComplyAuto. You can contact ComplyAuto at info@complyauto.com and learn more about the services they provide at www.complyauto.com. This article should be used as a compliance aid only and is not a substitute for professional legal advice. Each dealer should rely on their own expertise when using it. DEALERS SHOULD WIPE ANY PERSONAL DATA FROM THE PREVIOUS OWNER’S VEHICLE DURING THE RECONDITIONING PROCESS BEFORE IT IS ADVERTISED FOR SALE, IN ORDER TO ADHERE TO THESE BEST PRACTICES. 27 new jersey auto retailer

RkJQdWJsaXNoZXIy MTg3NDExNQ==