Automakers and Dealers Finding Exemptions in New, Stringent Data Privacy Laws

As vehicles become smarter, the amount of data they collect escalates. Thanks to onboard systems and sensors, vehicles today can collect information about driving habits, locations, purchasing and even the difference between multiple drivers using the same vehicle. The information, of course, is useful to dealers, automakers, third-party app providers, merchants, service centers, insurance companies, telecom solutions providers, emergency services and more. Much of this information is transmitted wirelessly to a variety of stakeholders, and privacy advocates are sounding the alarm.

Data privacy laws have been slow to catch up with twenty-first century technology, but the pace appears to be picking up. These laws are of concern to anyone who handles vehicle data, as compliance processes may wind up being costly. Two new laws, however — the California Consumer Privacy Act of 2018 (CCPA) which goes into effect next year; and Nevada’s existing Internet privacy law (SB 220) – appear to be considering some exemptions for the automotive industry.


The California Consumer Privacy Act of 2018 is one of the strongest consumer privacy laws ever passed in the country, and it will exist in the nation’s biggest automobile market. Once it goes into effect, it will apply to businesses with at least $25 million in annual revenue as well as any business that handles information from more than 50,000 individuals or any business that derives more than 50 percent of its annual revenue from selling consumer personal information. The law is making many businesses distinctly nervous.

To make the burden easier for automakers, auto dealers and their partners, however, the California State Senate is currently debating AB 1146, a bill that would exempt some vehicle information, including VIN, make, model, year, odometer reading, and the name and contact information of the registered owners shared between a “new motor vehicle dealer” and the vehicle’s manufacturer where such information is shared “pursuant to, or in anticipation of, a vehicle repair relating to warranty work or a recall pursuant to specified federal law.” This information would be exempt from the right for consumers to “opt out” of. Companies that control vehicle data would still be required to notify consumers in case of a data breach.

Nevada’s SB 220

Nevada’s stringent revamped privacy legislation, SB 220, was passed earlier this year and goes into effect in October, and it applies to any business that collects personal information from consumers (a so-called “operator”) over a website or app. The information it covers includes name, home or other physical address, email address, telephone number, social security number, identifying information that allows a specific person to be contacted either in person or online, and any other personal information collected through a website or online service combined with an identifier that makes the information personally identifiable. It requires – among other things – consumers to be able to opt out of information collection.

It does, however, provide some relief for automakers and dealers, as the term “operator” is defined to specifically not include “a manufacturer of a motor vehicle or a person who repairs or services a motor vehicle who collects, generates, records or stores personal information that is either “retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle” or “provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.”

As with the California law, dealers and automakers operating in Nevada must comply with other aspects of the privacy law, such as prompt notification of data breaches.