Clark Hill 2023 Automotive & Manufacturing Industry Outlook: Cyber
Authors
Melissa K. Ventrone , Ilya Smith
The Continued Regulation of Geolocation Data
There is a myriad of geolocation data use-cases in automotive applications that provide direct benefits to and are controlled by consumers. This commentary focuses on the use-cases where geolocation data is collected after the point of sale for purposes directly benefiting the motorist. Whether helping drivers navigate unknown locations or facilitating public safety personnel reaching stranded motorists, certain geolocation use-cases in automotive applications provide valuable and immediate benefits to consumers. When consumers are provided agency to “turn on” or “opt out” of geolocation tracking, the added functionality provided by geolocation-enabled solutions is justifiable. Distinguishing the use of geolocation data for these consumer-functionality use-cases from targeted marketing practices is critical and strategic. When geolocation and other personal data are processed or used in ways that do not further requested services by consumers (I.e., are not tied to a legitimate business purpose or activated by consumers), the justification for its use wanes. Top of mind for privacy advocates, lawmakers, and regulators is the use of personal data for targeted marketing purposes and other derivative uses of personal data that are not tied to the purpose for which it was collected.
U.S. based privacy laws and regulations continue to be enacted to provide individuals with increased rights to control the use of their personal data and restrict the processing of the most sensitive of personal data, including geolocation data. At least three states—California, Connecticut, and Virginia—have classified geolocation data as “sensitive personal data” (SPI) requiring heightened levels of transparency and opportunities for consumers to control or limit the use of geolocation data. Indeed, the California Consumer Protection Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides data subjects with the specific right to limit use and disclosure of SPI. And other states are considering passing similar statutes in 2023.
Businesses should consider enhancing their data governance and consent management frameworks to provide consumers with choice in all tiers of the data lifecycle—from source and point of collection. With headwinds signaling more states restricting the use of geolocation data, it behooves companies to reevaluate geolocation use cases for appropriate notice, consent, and processing. These three considerations go hand in hand: transparent and specific notice permits consumers to exercise informed consent and capturing that consent provides the legal basis for processing SPI, like geolocation data, as a best practice and beyond.
Notice, Consent, and Processing Best Practices
- Privacy Notices and Terms of Use: in plain language, clearly articulate what and why personal data and SPI is collected and by who (including any third party collecting or processing of the geolocation data). For specific considerations see here. If collection and processing is conducted by a third party with no pass-through of SPI to the manufacturer, this should be stated, and the consumer directed to the privacy policy and terms for these third parties.
- Practice Data Minimization and Pseudonymization: consider policy against acquiring access to geolocation data that is not connected to a legitimate reason consistent with the consumer’s consent at time of collection. Collecting or processing or holding on to SPI “just in case” it is needed later is not a legitimate purpose. Even if there is a legitimate purpose, consider pseudonymization of the data to shrink legal exposure related to mishandling of the data and to limit data subject requests.
- Implement Consent Management and Data Governance Framework: new requirements to secure the opportunity of consumers to consent to and opt out of the processing of SPI throughout the data lifecycle means that a business subject to notice, consent, and opt out rules may have to readily provide to regulators (and per data subject requests in California) a written record with the appropriate scope of processing detail.
The views and opinions expressed in the article represent the view of the authors and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is it intended to be a substitute for professional legal advice.