Deleting Customer Data Stored in Vehicles: Best Practice or a Legal Requirement?

From locking up deal jackets to installing multi-factor authentication, navigating the nebulous world that is the revised Safeguards Rule and understanding its legal requirements, along with its practical demands, is challenging enough. Similarly, in the past year, your inbox has likely been inundated with emails from vendors proclaiming that their product or service is “essential for Safeguards Rule compliance.” One of these emails in particular has caused many dealers concern and it revolves around customer data stored in vehicles: “What about deleting customer data
stored in vehicles; is that required under the Safeguards Rule or any other law?” The short answer is no, but let’s elaborate.

Information in Vehicles and the federal Safeguards Rule
In order to determine whether such data stored in vehicles is subject to the Safeguards Rule, we need to understand exactly what kind of data the Safeguards Rule directly affects and what it is attempting to protect. The Safeguards Rule is concerned with protecting non-public personal information, or “NPI” for short. Under the Gramm-Leach-Bliley Act (“GLBA”), NPI is defined as “any record containing nonpublic personal information about a customer of a financial institution…that is handled or maintained by or on behalf of [the dealer] or [the dealer’s] affiliates.” This includes:
1. Information a consumer provides in order to obtain a financial product or service;
2. Information about a consumer resulting from any transaction involving a financial
product or service; or
3. Any information obtained about a consumer in connection with providing a
financial product or service.

You can see that the definition above focuses on “financial products or services.” In the dealership context, this would mean that NPI is data that is directly derived from a finance or lease transaction. As you can imagine, this directly implicates information collected during the financial transaction like customer social security numbers, dates of birth, and other credit-related information as well as the more general types of customer information like the customer’s name and physical address. Said in another way, the customer’s name and physical address is considered NPI in the limited scope that the customer is in finance and is not wholly considered NPI after that. Most personal data stored in vehicles comes from us connecting or pairing smartphones using USB cables or Bluetooth. As you probably already know, this data is usually limited to contact information, location information, text messages, and vehicle service history. Because the type of data that is typically stored in vehicles is not information derived directly from a financial transaction, it would be quite a stretch to suggest that the data typically stored in vehicles is NPI or derived from a finance or lease transaction because the transaction has already concluded. In fact, at no point in their 145-page document of Safeguards Rule guidance does the FTC contemplate the data stored in vehicles. Even if we take the alternative view that the information stored in vehicles is in fact NPI, dealers would be required to provide every loaner or rental customer with a GLBA model Privacy Notice (that two page document you give every credit applicant) prior to delivering the vehicle, which is certainly not a common practice nor even contemplated by any federal publications or guidance.

Information in Vehicles and the Dealer’s Liability
Some might argue that there is the possibility that failing to delete customer data stored in vehicles could expose the dealership to legal liability under invasion of privacy or general negligence theories. A 2020 U.S. District Court case explains otherwise. In this case, Avis Rental Cars (“Avis”) collected renters’ private data (i.e, device identifier, web browsing data, GPS history of past locations, call log, and text messages) when the renter paired their phone with the vehicle’s on-board infotainment system. The Plaintiff, a repeated user of Avis’s services, sued Avis because Avis allegedly refused to conduct routine deletion of the Plaintiff’s private data when the vehicle was returned and did not adequately disclose that the infotainment system collected and stored such
private data.

In determining whether Avis violated the Plaintiff’s right to privacy after failing to delete the Plaintiff’s private data stored in one of their rental vehicles, the Court dismissed the Plaintiff’s lawsuit because “[the law] does not recognize [Avis’s] conduct as violative of Plaintiff’s right of privacy.” Furthermore, the Court found that “[t]o the extent that Avis has lawfully obtained confidential information, and does not further disclose or use that information…the common law does not recognize such conduct as an invasion of Plaintiff’s right to privacy. Nor does the common law recognize a parallel right which requires Defendant to delete lawfully obtained information where Defendant has not disclosed that information to others.” In short, the Court stated that so long as
the customer’s information is (1) lawfully obtained and (2) not used or disclosed to others, there is no violation of substantive privacy rights. Therefore, the Plaintiff did not have standing to bring a privacy claim. See Greenley v. Avis Budget Grp., Case No: 19-CV-00421-GPC-AHG (S.D. Cal. Sep. 2, 2020).

While the data stored in vehicles might not be regulated or legally protected, it still might be considered a best practice to completely wipe vehicles clean of any prior owner’s data, especially on rentals and service loaners. The simple and most cost-effective way of doing so is to establish internal procedures at the dealership during the intake of trade-ins, lease returns, and other used vehicles purchased for resale. First and foremost, dealers can wipe any prior owner data during the reconditioning process before the vehicle is advertised for sale. Most dealerships use some type of reconditioning checklist that outlines the reconditioning process. Simply adding this step as part of the reconditioning process would ensure that a subsequent purchaser would not see any prior owner’s data. Additionally, the instructions on how to wipe data and reset infotainment settings is typically found in the vehicle’s owner’s manual.

Dealers may further limit any potential liability by adding language to their trade-in disclosure forms in which the prior owner warrants that they’ve deleted their data off their vehicle prior to trading it in. Similarly, dealers may also want to consider adding similar language to their loaner/rental forms; however, in this case, the customers would be warranting that they deleted any personal data off the vehicle prior to returning it to the dealership. This is extremely important considering that rentals and loaner vehicles are typically under the direct control of and owned by dealers, meaning there may be increased liability for customer data stored in such vehicles (and we know from the case above that at least one rental agency has been sued — albeit unsuccessfully, for this).

Ultimately, adopting these simple and cost-effective internal processes and form changes represents a conservative approach to this privacy issue. Nevertheless, any individual or vendor suggesting that deleting data from vehicles is a definitive legal requirement or is explicitly mandated under the FTC Safeguards Rule is likely misinformed. Need help managing your Safeguards Rule compliance? Contact ComplyAuto to learn more.

This article should be used as a compliance aid only and though its accuracy has been made a priority, it is not a substitute for professional legal advice. Consult your legal counsel for expertise related to your specific situation.