Data Ownership and Privacy

Data Ownership and Privacy

Donald W. Dunphy and Patrick O’Connor
August 2020

Why this report matters to fleet managers:
  • A lack of ownership or access to the data that fleet vehicles generate is viewed as directly detrimental to secure operations.

  • Owners are concerned about the collection of their personal data and privacy rights.

  • The Internet-of-Things opens the potential for data misappropriation without user permission.

  • Automakers’ stake in controlling data has an estimated value of $750 billion by 2030.

According to the AAA, Americans spend up to 70 billion hours per year driving. It estimates that per week, individual drivers travel more than 220 miles, an average of 11,498 miles each year. During that time behind the wheel, vehicle computer systems are learning about your driving habits, less-than-safe driving inclinations, how fast and often you speed, how hard you are braking, plus more.
These systems are also learning more intimate details about you. Through GPS systems, your vehicle can collect the locations of places you go, the restaurants you frequent often and the music you stream through online services such as Spotify and Google Play. Further, thanks to more advanced monitoring systems that integrate tech ordinarily found in FitBits and similar devices, your car can collect your weight fluctuations, monitor your heart rate, and more.
The process is so invisible, most of us don’t realize it’s happening, and, more worrisome, we may not have the right to claim ownership of our own data being compiled.

Privacy, Mobility and Profit

For commercial fleet owners, the privacy issues become even more complex. For example, the driver or vehicle owner may have to purchase the information their vehicles generated back from an automaker. Potentially, this means that proprietary information that can help fleets with decision-making – how individuals are driving, where are they going, and are they performing the tasks they are charged with – might be locked behind a paywall.  That same OEM could also turn a profit from the collected data, sold without your consent to advertisers, other third-party concerns or even your organization’s competitors. 
An added layer of complexity is now impinging upon the data privacy conversation. With everything else that COVID-19 has changed, so too has it altered the need to contact-trace to rein in virus spread. In a data-driven world, this is one more example of an outside entity needing to see yours.
From carsharing platforms and service providers to last-mile delivery companies and even video games with geolocation components, data is being collected, compiled, and in some cases, sold without an individual’s consent. Even with full consent, clarity is often buried within the fine print of terms and conditions of the user agreement.
Most of us are in a hurry to activate our new apps and discover their experiences. Andrea Amico is the founder of the app development company Privacy4Cars. “If I just bought an app, I want to start using it immediately, so I might scroll down the terms without reading and click the button. The catch is that your expressed consent to allow data to be repurposed would be within that text, and with that button-click of instant gratification, you may have signed away your recourse.”

Privacy Rights

As reported in Forbes magazine, DNA companies like 23 and Me and sell anonymized data sets derived from their genetic-testing products to third-party companies. Both companies state that they do not sell the data without consent, however the lingering question is whether the users of the products were fully aware of what they were agreeing to. Likewise, automobiles have become one of the key players in the Internet-of-Things (IoT) and this will only increase as semi- and fully-autonomous vehicles gain market share.
You don’t have to look far into the future to see the impact collected data has on the administration of fleets. Using telematics solutions, a fleet manager knows if drivers are following their routes, speeding, braking hard and idling excessively. Knowing these behaviors allows fleet managers to make informed decisions. But there’s a privacy risk here; fleet managers have unhindered access to that data. While the data provides valuable information for fleet management, personal data also gets swept up in the collection net.
“Fleet owners such as ACRA’s and NAFA’s members are working with consumer advocates and privacy stakeholders on federal legislation to preserve vehicle owners’ access to vehicle data, while at the same time following current or future personal data privacy protections.” states Greg Scott, Government Relations Representative for the American Car Rental Association (ACRA). “The U.S. Vehicle Data Access Coalition, of which NAFA is an active member, is devoted to preserving ‘access’ to data for vehicle owners, while leaving regulation of the ‘use’ of that data to state and federal privacy laws.”
However, Scott recognizes the distinction between personally identifiable information (PII) and vehicle generated data (VGD).
Amico adds, “PII is any information that can be reconnected to an individual or household. If I sell my car, and my home address is in that car – be it physically or within the collected data -- that is personal information. There’s even discussion going on about whether the vehicle identification number, which also can link a vehicle to a household, could be deemed personal information.”
“When it comes to data like tire pressure, the cylinder head, gasoline levels, and all that detail which fleet managers use to manage and maintain and keep fleets safe, I don’t think people have a problem with that data being collected,” Scott said. “Where they start caring is when you start using data that is personally identifiable to sell products to vehicle owners or uses.  The Coalition agrees that state and federal privacy laws should regulate the use of personal data and permit the owner or user to either consent to or reject the use of that data.”

GDPR: New Rules

On May 25, 2018, Europe adopted the General Data Protection Regulation (GDPR), a framework for data protection laws which, according to the GDPR website, was designed to modernize laws that protect the personal information of individuals. “GDPR reshapes the way in which sectors manage data, as well as redefines the roles for key leaders in businesses, from Chief Information Officers (CIO) to Chief Marketing Officers (CMO). CIOs must ensure that they have watertight consent management processes in place, whilst CMOs require effective data rights management systems to ensure they don’t lose their most valuable asset – data.”
One of the effects of GDPR is the inclusion of disclosure on website home pages. Most U.S. companies also adopted the new guidelines to comply, especially with their clients and suppliers.  The policy states that if any data-collecting entity is available to the European market where GDPR is in effect, no matter where in the world that might be, users must be made aware of potential data collection or be subject to severe penalties. (More information is available at

States Take on Data Protection

On October 1, 2019, Nevada put into effect an amendment which prohibits operators of websites or online services which collect certain information from Nevada consumers from selling the data without user permission.
Likewise, California launched its California Consumer Privacy Act of 2018 (CCPA) on January 1, 2020, and its definition of personal information extends beyond what’s generated by an individual to include household information.
“GDPR is more comprehensive,” said John Verdi, Vice President of Policy for the Future of Privacy Forum. “It addresses lots of different collection, use, and sharing scenarios. The (state) laws primarily focus on providing consumers with the opportunity to opt out of the sale of their data.”
“CCPA requires employers to provide privacy notice to employees, including drivers,” said NAFA’s Legislative Counsel Patrick O’Connor.  He adds, “AB 25 (2019 legislation) exempts personal information collected from individual employees, contractors, or job applicants within the context of the person’s role as an employee or applicant from most CCPA obligations, including access, deletion and ‘Do Not Sell’ rights. Employers must still provide employees and applicants with notice of the categories of data they collect and the purposes for which the data will be used. Importantly, the exception for employee data will expire on January 1, 2021. This one-year sunset was added at the behest of labor groups to pressure stakeholders to continue negotiating a broader employee data privacy bill.”
“The laws apply to businesses only, and not to governments and only businesses of a certain size,” Amico stipulates. “The California law says you must have at least $35 million in revenue or 50% of the revenue needs to come from selling data or hold at least 50,000 records of personal information to fall under the law.” Amico says the law was designed to not create friction for small businesses.
Verdi added, “CCPA applies to nearly all businesses that operate in California, so if a business operates in the state but has no California customers – which is odd, but possible – the law would apply to them. If you think about the totality of companies operating in California, there are plenty of automotive companies, technology companies, the whole of Silicon Valley, you can grasp the reach of the law. Also, businesses that don’t have a presence in California but have any users who are in the state are covered by the law.”
Automotive vehicles, like websites and mobile phones, have proven to be goldmines of information. Uber and Lyft see themselves as data companies that facilitate travel, not as rideshare companies that leverage data. In many ways, this distinction has helped these companies weather drastic changes brought on by the COVID-19 pandemic, and helped them pivot when personal ridesharing was halted.   
Original equipment manufacturers (OEMs) also see a future where the information vehicles aggregate is more important than ownership. Consulting firm McKinsey & Company estimates that a car can generate about 25 gigabytes of data every hour and as much as 4,000 gigabytes a day, and the value to carmakers could be worth as much as $750 billion by 2030.
In September 2019, General Motors announced that Google’s Android operating system would be the driver for infotainment systems in GM’s cars, affording built-in access to Google Maps and the ability to use Google Assistant to make calls, send texts, tune the radio, and more. This one of the world’s largest automakers as a cornerstone of the internet. With this partnership, GM brings Google into one of the last places where the technology giant had not previously had a touchpoint.
Considering the financial stakes OEMs have in such arrangements, it is no surprise that automakers have asserted their position as the owners and gatekeepers of the information their products collect, much in the same way websites and apps do. Conversely, data ownership and privacy advocates believe the data belongs to the cars’ owners and/or lessees, and the information should be subject to data privacy laws such as CCPA. If purchaser/lessee ownership cannot be established, then at minimum these parties should have access to the data, the ability to have data deleted upon request, and an ability to opt out of being swept up in a data haul.

Data Ownership

John Verdi, Vice President of Policy for the Future of Privacy Forum, questions whether the ownership is the right issue, “Who controls the data or has access to the data are the questions that get us on the right track.” The issues are complex and require clear answers.

  • A fleet vehicle is seldom assigned to one individual, and in its lifetime, drivers may have left the organization.

  • Do these employees have a right to determine what happens to that data?

  • And what happened to the data when their employment is terminated?

  • For rental services, should lessees and short-term users have the personal data expunged at the end of the contract, be that for a year or just one day?

Cybersecurity is the justification often cited to support the OEMs’ assertion that they should be the sole gatekeepers, and dictate the commercial terms, of access to vehicle-generated data.  
Tomi Gerber, Vice President - Government & Public Affairs at Enterprise Holdings, states that her company believes there are technology-neutral ways to ensure cybersecurity while also protecting the vehicle owner’s right to have access and control of the data their assets generate. 
Gerber said that after extensive work with experts in information technology systems (ITS), wireless communications, and cybersecurity, Enterprise is confident the technology to meet both goals is available.
Much of the discussion tends to focus on locking down access to data for the cybersecurity of future autonomous vehicles. Gerber explains, “This isn’t only an autonomous vehicle issue, it is a connected car issue that affects vehicles right now.” Each manufacturer is developing its proprietary system for how vehicle-generated data is accessed and transmitted, making managing a diverse fleet of vehicles more complicated, and more expensive, for fleet owners who must negotiate commercial terms for access to their own fleet’s data. 
Therefore, Enterprise advocates for technology-neutral standards to be established industry-wide. Gerber explains, “Allowing vehicle manufacturers to become the sole gatekeeper of vehicle-generated data will ultimately stifle innovation and limit competition across the entire mobility services ecosystem; and less innovation with fewer choices always means higher prices for consumers.” 
When it comes to consumer data privacy, Donna Stamp, Assistant Vice President Global Privacy at Enterprise Holdings, said privacy remains critically important to the company. “Privacy laws are being developed to address the rules of what you can do with that data,” she said. 
Gerber concluded, Enterprise believes access to vehicle-generated data is vital to the future and the functionality of fleet management. Vehicle owners’ rights to access data can be protected while ensuring data privacy and the cybersecurity of vehicles.”

Privacy and the Future

Finding a way forward for fleet vehicle data ownership and privacy is important in the short-term, thanks to current reliance on fleet telematics and in-vehicle connectivity, along with the implications of take-home vehicle usage and more.
However, having rules and guidelines in place will be crucial as vehicle technologies continue to evolve. Autonomous and connected vehicles will move from possibility to inevitability, and the storehouse of information these cars and trucks accrue will be immense. Who has – and hasn’t - rights and access to that information will become the dominant question in the fleet and mobility industry.   
Fleet professionals must be educated and up-to-date on the issues to make informed decisions.  And these managers need to determine when to use their collective voice to influence policies and compliance issues.  Working with legislators and the fleet community can help ensure a fair outcome in that not-too-distant future. Anticipate the future, don’t catch up to it!

 Explore More Articles...