Auto Data Privacy Laws

Hear what top privacy and vehicle compliance experts say:

Watch Our Workshops

State by State Privacy Regulations

Alabama

Data Disposal Statute (Non-regulated Commercial)

AL Code § 8-38-10

Covered businesses must dispose of data containing personally identifying information when the records no longer serve a business purpose.

Implications for Auto Businesses:
Covered auto businesses must dispose of personally identifying information left on vehicles from previous customers or owners. The personally identifying information must be completely destroyed, erased, or otherwise rendered unreadable or indecipherable by any means.

Data Breach Notice Statute

AL S.B. 318

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

AL S.B. 318

Covered businesses must implement reasonable security measures to protect against a breach of personally identifying information.

Implications for Auto Businesses:
Auto businesses in Alabama must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use

Right To Delete/Other

Ala. HB 216

If passed, Alabama’s Consumer Privacy Act will provide consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the Alabama law will require auto businesses to delete personally identifying information off their vehicles upon request.

Alaska

Data Disposal Statute (Non-regulated Commercial)

AK Code § 45.48.500

Covered entities must take reasonable measures to ensure that any data they dispose containing personally identifying information cannot be accessed or used by an unauthorized third party. The personally identifying information must be completely destroyed, erased, or otherwise rendered unreadable or indecipherable by any means.

Implications for Auto Businesses:
Covered auto businesses ensure that any data they dispose from their vehicles containing personally identifying information is completely destroyed or otherwise rendered unreadable or indecipherable by other parties.

Data Breach Notice Statute

AK Code § 45.48.010

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Right To Delete/Other

AK SB 116

If passed, Alaska’s Consumer Data Privacy Act will provide consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the Alaska law will require auto businesses to delete personally identifying information off their vehicles upon request.

Arizona

Data Disposal Statute (Non-regulated Commercial)

Ariz. Rev. Stat. § 44-7601

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

Ariz. Rev. Stat. § 44-7501

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Right To Delete/Other

AZ HB 2865

If passed, Arizona’s law will provide consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the Arizona law will require auto businesses to delete personally identifying information off their vehicles upon request.

Arkansas

Data Disposal Statute (Non-regulated Commercial)

Ark. Code § 4-110-104

Covered entities must take reasonable steps to destroy customer records containing personally identifying information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

Ark. Code § 4-110-104

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Ark. Code § 4-110-104

Covered businesses must implement reasonable security measures to protect against a breach of personally identifying information.

Implications for Auto Businesses:
Auto businesses in Arkansas must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Biometric Data (Commercial)

Arkansas Personal Information Protection Act

The Arkansas Personal Information Protection Act extends the definition of personally identifying information to include biometric data.

Implications for Auto Businesses:
Biometric data left on vehicles from previous drivers is subject to the same laws and regulations–including data disposal and breach notification laws–as other forms of personally identifying information. Auto businesses should incorporate regular biometric data deletion into their overall data management regime.

California

Data Disposal Statute (Non-regulated Commercial)

Cal. Civ. Code § 1798.81

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

Cal. Civ. Code § 1798.82

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Cal. Civ. Code. § 1798.81.5

Covered businesses that own, license, or maintain personally identifying information must implement and maintain reasonable security procedures and practices to prevent unauthorized access, use, modification, destruction, or disclosure.

Implications for Auto Businesses:
Auto businesses in California must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Biometric Data (Commercial)

California Consumer Protection Act (CCPA)

The CCPA extends the definition of personally identifying information to include biometric data.

Implications for Auto Businesses:
Biometric data left on vehicles from previous drivers is subject to the same laws and regulations–including data disposal and breach notification laws–as other forms of personally identifying information. Auto businesses should incorporate regular biometric data deletion into their overall data management regime.

Right To Delete/Other

California Consumer Protection Act (CCPA)

The CCPA provides consumers the right to request that covered entities delete their personally identifiable information.

CPRA: The California Privacy Rights Act expands the CPRA requirements, including data minimization provisions that only allow personally identifying information to be retained for as long as necessary to fulfill a disclosed use.

Implications for Auto Businesses:
Auto businesses must have the ability to delete personally identifying information off their vehicles upon request. Auto businesses should also purge personally identifying information from their vehicles for data minimization.

Colorado

Data Breach Notice Statute

Colo. Rev. Stat. § 6-1-716

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Colo. Rev. Stat. § 6-1-713.5

Covered businesses that own, license, or maintain personally identifying information must implement and maintain reasonable security procedures and practices to prevent unauthorized access, use, modification, destruction, or disclosure.

Implications for Auto Businesses:
Auto businesses in Colorado must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Right To Delete/Other

SB 190

Colorado’s Privacy Act law provides consumers the ability to request that businesses delete their personally identifying information. Not meeting the Colorado Privacy Act is automatically a deceptive act, subject to AG enforcement.

Implications for Auto Businesses:
If passed, the Colorado law will require auto businesses to delete personally identifying information off their vehicles upon request.

Connecticut

Data Disposal Statute (Non-regulated Commercial)

Conn. Gen. Stat. 42-471

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personal information that is deleted from their vehicles is completely destroyed or unreadable such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

Conn. Gen. Stat. § 36a-701(b)

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Right To Delete/Other

CT SB 893

If passed, Connecticut’s law will provide consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the law will require auto businesses to delete personally identifying information off their vehicles upon request.

Delaware

Data Disposal Statute (Non-regulated Commercial)

Del. Code Ann. § 5001C

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personal information that is deleted from their vehicles is completely destroyed or unreadable such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

Del. Code Ann. § 6-12B-101

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Del. Code Ann. § 6-12B-101

Covered businesses that own, license, or maintain personally identifying information must implement and maintain reasonable security procedures and practices to prevent unauthorized access, use, modification, destruction, or disclosure.

Implications for Auto Businesses:
Auto businesses in Delaware must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Florida

Data Disposal Statute (Non-regulated Commercial)

Fl. Stat. § 501.171

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

Fla Stat. § 501.171

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Fla Stat. § 501.171

Covered businesses that own, license, or maintain personally identifying information must implement and maintain reasonable security procedures and practices to prevent unauthorized access, use, modification, destruction, or disclosure.

Implications for Auto Businesses:
Auto businesses in Florida must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Right To Delete/Other

Florida HB 969

If passed, Florida’s new consumer data privacy bill will be among the most comprehensive in the country. Among other rights, the Florida law will provide consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the Florida law will require auto businesses to delete personally identifying information off their vehicles upon request.

Georgia

Data Disposal Statute (Non-regulated Commercial)

Ga. Code § 10-15-2

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personal information that is deleted from their vehicles is completely destroyed or unreadable such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

Ga. Code § 10-1-910

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Hawaii

Data Disposal Statute (Non-regulated Commercial)

Haw. Rev. Stat. § 487R-1 to R-3

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

Haw. Rev. Stat. § 487N-1

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Idaho

Data Breach Notice Statute

Idaho Code § 28-51-104

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Illinois

Data Disposal Statute (Non-regulated Commercial)

815 ILCS 530/30

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

815 ILCS 530/10

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

815 ILCS 530/45

Covered businesses that own, license, or maintain personally identifying information must implement and maintain reasonable security procedures and practices to prevent unauthorized access, use, modification, destruction, or disclosure.

Implications for Auto Businesses:
Auto businesses in Illinois must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Biometric Data (Commercial)

740 ILCS 14/1

Illinois strictly regulates the collection, storage, and retention of biometric identifiers and information. Biometric data must be deleted when the purpose for its collection has been satisfied, or within three years, whichever is sooner.

Implications for Auto Businesses:
Vehicles may contain the stored biometric data of previous drivers, including retina, face, and hand scans for features like distracted driver detection and custom driver settings. Auto businesses that are unknowingly storing–and failing to delete–biometric data left on vehicles may be exposed. Auto businesses should have a system to readily dispose of biometric data left on vehicles prior to resale or redisposition.

Right To Delete/Other

Illinois SB 3299

If passed, Illinois’ Consumer Privacy Act will provide consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the Illinois law will require auto businesses to delete personally identifying information off their vehicles upon request.

Indiana

Data Disposal Statute (Non-regulated Commercial)

Ind. Code § 24-4.9-3-3.5

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

Ind. Code § 24-4.9-3-1

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Ind. Code § 24-4.9-3-3.5

Covered businesses must implement reasonable procedures, including taking necessary corrective action, to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in Indiana must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Iowa

Data Breach Notice Statute

Iowa Code § 715C.1-2

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Kansas

Data Disposal Statute (Non-regulated Commercial)

Kan. Stat. § 50-6,139b

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

Kan. Stat. § 50-7a01

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Kan. Stat. § 50-6,139b

Covered businesses must implement reasonable procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in Kansas must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Kentucky

Data Disposal Statute (Non-regulated Commercial)

Ky. Rev. Stat. § 365.725

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

Ky. Rev. Stat. § 365.732

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Louisiana

Data Disposal Statute (Non-regulated Commercial)

La. Stat. § 51:3074

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

La. Stat. § 51:3074

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

La. Stat. § 51:3074

Covered businesses must implement reasonable procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in Louisiana must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Biometric Data (Commercial)

La. Stat. § 51:3073

Louisiana extended the definition of personally identifying information to include biometric data.

Implications for Auto Businesses:
Biometric data left on vehicles from previous drivers is subject to the same laws and regulations–including data disposal and breach notification laws–as other forms of personally identifying information. Auto businesses should incorporate regular biometric data deletion into their overall data management regime.

Maine

Data Breach Notice Statute

10 Me. Rev. Stat. § 1346

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Maryland

Data Disposal Statute (Non-regulated Commercial)

Md. Code § 14-3502

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

Md. Code § 14-3504

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Md. Code § 14-3503

Covered businesses must implement reasonable procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in Maryland must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Right To Delete/Other

Md. 0930

If passed, Maryland’s law will provide consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the law will require auto businesses to delete personally identifying information off their vehicles upon request.

Massachusetts

Data Disposal Statute (Non-regulated Commercial)

Mass. Gen. Laws Ch. 93I, § 2

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

Mass. Gen. Laws Ch. 93H, § 3

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Mass. Gen. Laws Ch. 93H, § 2

Covered businesses must implement procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in Massachusetts must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Right To Delete/Other

Mass. SD 1726

If passed, the Massachusetts law will provide consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the law will require auto businesses to delete personally identifying information off their vehicles upon request.

Michigan

Data Disposal Statute (Non-regulated Commercial)

MCL § 445.72(a)

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

MCL § 445.63

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Minnesota

Data Breach Notice Statute

Minn. Stat. § 325E.61

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Right To Delete/Other

Minn. HF1492

If passed, Minnesota’s law will provide consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the law will require auto businesses to delete personally identifying information off their vehicles upon request.

Mississippi

Data Breach Notice Statute

Miss. Code § 75-24-29

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Missouri

Data Breach Notice Statute

Mo. Rev. Stat. § 407.1500

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Montana

Data Disposal Statute (Non-regulated Commercial)

Mont. Code § 30-14-1703

Covered businesses must dispose of data containing personally identifying information when the records no longer serve a business purpose.

Implications for Auto Businesses:
Covered auto businesses must dispose of personally identifying information left on vehicles from previous customers or owners. The personally identifying information must be completely destroyed, erased, or otherwise rendered unreadable or indecipherable by any means.

Data Breach Notice Statute

Mont. Code § 2-6-1501; § 30-14-1704

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Nebraska

Data Breach Notice Statute

Neb. Rev. Stat. § 87-803

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Neb. Rev. Stat. § 87-808

Covered businesses must implement reasonable procedures, including safeguards regarding disposal of personally identifying information, to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in Nebraska must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge, or provide customers the means to completely purge, any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Nevada

Data Disposal Statute (Non-regulated Commercial)

Nev. Rev. Stat. § 603A.200

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

Nev. Rev. Stat. § 603A.220

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Nev. Rev. Stat. 603A.210

Covered businesses must implement procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in Nevada must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

New Hampshire

Data Breach Notice Statute

N.H. Rev. Stat. § 359-C:19

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

New Jersey

Data Disposal Statute (Non-regulated Commercial)

N.J. Stat. § 56:8-162

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

N.J. Stat. § 56:8-163

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Right To Delete/Other

N.J. A3255

If passed, New Jersey’s law will provide consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the law will require auto businesses to delete personally identifying information off their vehicles upon request.

New Mexico

Data Disposal Statute (Non-regulated Commercial)

N.M. Stat. § 52-12C-3

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer reasonably needed by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer reasonably needed.

Data Breach Notice Statute

N.M. Stat. § 52-12C-6

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

N.M. Stat. § 52-12C-4

Covered businesses must implement procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in New Mexico must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

New York

Data Disposal Statute (Non-regulated Commercial)

N.Y. Gen. Bus. Law § 399-H

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

N.Y. Gen. Bus. Law § 899-AA

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

N.Y. Gen. Bus. Law § 899-BB

Covered businesses must implement reasonably technical, administrative, and physical safeguards to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
As an administrative safeguard, auto businesses in New York should implement policies to ensure the regular deletion of personally identifying information left on vehicles prior to redisposition of the vehicle. For a physical control, businesses should ensure the information is deleted before a new occupant has possession of the vehicle. For a technical control, auto businesses should use technology to ensure that ensure complete and permanent deletion.

Biometric Data (Commercial)

The SHIELD Act broadened the definition of personally identifying information to include biometric data.

Implications for Auto Businesses:
Biometric data left on vehicles from previous drivers is subject to the same laws and regulations–including data disposal and breach notification laws–as other forms of personally identifying information. Auto businesses should incorporate regular biometric data deletion into their overall data management regime.

Right To Delete/Other

Expansion of SHIELD Act

The NY legislature is considering expanding consumer rights under the SHIELD Act to include new rights, including the right to request a business delete personally identifying information.

Implications for Auto Businesses:
If the changes to the SHIELD Act become final, auto businesses must have the ability to delete personally identifying information off their vehicles upon request.

North Carolina

Data Disposal Statute (Non-regulated Commercial)

N.C. Gen. Stat § 75-64

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

N.C. Gen. Stat. § 75-61

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

North Dakota

Data Breach Notice Statute

N.D. Century Code. § 51-30-01

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Ohio

Data Breach Notice Statute

Ohio Rev. Code § 1349.19

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Ohio Rev. Code § 1349.02

Covered businesses should implement reasonably technical, administrative, and physical safeguards to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
As an administrative safeguard, auto businesses in Ohio should implement policies to ensure the regular deletion of personally identifying information left on vehicles prior to redisposition of the vehicle. For a physical control, businesses should ensure the information is deleted before a new occupant has possession of the vehicle. For a technical control, auto businesses should use technology to ensure that ensure complete and permanent deletion.

Oklahoma

Data Breach Notice Statute

24 Okla. Stat. § 161

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Oregon

Data Disposal Statute (Non-regulated Commercial)

Ore. Rev. Stat. § 646A.622

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

Ore. Rev. Stat. § 646A.604

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Ore. Rev. Stat. § 646A.622

Covered businesses must implement procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in Oregon must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Biometric Data (Commercial)

Oregon Consumer Information Protection Act, 646A-602

Oregon extended consumer data privacy protections to biometric data.

Implications for Auto Businesses:
Biometric data left on vehicles from previous drivers is subject to the same laws and regulations–including data disposal and breach notification laws–as other forms of personally identifying information. Auto businesses should incorporate regular biometric data deletion into their overall data management regime.

Pennsylvania

Data Breach Notice Statute

73 Pa. Stat. § 2303

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Rhode Island

Data Disposal Statute (Non-regulated Commercial)

R.I. Comm. Law § 6-52-2

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

R.I. Comm. Law § 11-49.2-3

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

R.I. Comm. Law § 11-49.2-2

Covered businesses must implement procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in Rhode Island must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

South Carolina

Data Disposal Statute (Non-regulated Commercial)

S.C. Code § 37-20-190

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

S.C. Code § 39-1-90

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Right To Delete/Other

H. 4812

If passed, South Carolina’s House Bill 4812 will expand the state’s data protection and privacy rights to include biometric data. The law would also allow consumers to request deletion of their biometric data.

Implications for Auto Businesses:
If the law passes, auto businesses in South Carolina must be prepared to fulfill consumer personal information deletion requests. In particular, auto businesses must be able to delete biometric data contained on vehicles upon request or otherwise in compliance with House Bill 4812.

South Dakota

Data Breach Notice Statute

South Dakota S.B. 62

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Tennessee

Data Disposal Statute (Non-regulated Commercial)

Tenn. Code § 39-14-150(g)

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

Tenn. Code § 47-18-2107

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Right To Delete/Other

Tennessee Information Protection Act

If passed, the Tennessee Information Protection Act will provide consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the Tennessee Information Protection Act will require auto businesses to delete personally identifying information off their vehicles upon request.

Texas

Data Disposal Statute (Non-regulated Commercial)

Tex. Bus. Code § 72.004

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

Tex. Bus. Code § 521.053

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Tex. Bus. Code § 521.052

Covered businesses must implement reasonable procedures, including taking necessary corrective action, to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in Texas must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Biometric Data (Commercial)

Tex. Bus. Code § 503.001

Texas strictly regulates the collection, storage, and retention of biometric identifiers and information. Biometric data must be deleted within one year from when the purpose for its collection has been satisfied.

Implications for Auto Businesses:
Vehicles may contain the stored biometric data of previous drivers, including retina, face, and hand scans for features like distracted driver detection and custom driver settings. Auto businesses that are unknowingly storing–and failing to delete–biometric data left on vehicles may be exposed. Auto businesses should have a system to readily dispose of biometric data left on vehicles prior to resale or redisposition.

Right To Delete/Other

HB 371

If passed, the Texas law will provide consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the law will require auto businesses to delete personally identifying information off their vehicles upon request.

Utah

Data Disposal Statute (Non-regulated Commercial)

Utah Code § 13-44-201

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

Utah Code § 13-44-101

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Utah Code § 13-44-201

Covered businesses must implement reasonable measures to prevent unlawful use and disclosure of personally identifying information collected or maintained in the regular course of business and to destroy records containing personally identifying information when the records are no longer being retained by the business.

Implications for Auto Businesses:
Auto businesses in Utah must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses must also regularly purge any personally identifying information left on vehicles unless the information is being lawfully retained.

Vermont

Data Disposal Statute (Non-regulated Commercial)

9 Vt. Stat. § 2445

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

9 Vt. Stat. § 2430

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Virginia

Data Breach Notice Statute

Va. Code § 18.2

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Biometric Data (Commercial)

Virginia Consumer Data Protection Act (VCDPA)

The VCDPA–which provides consumers a right to delete their personally identifying information–expressly includes biometric data within its regulatory framework. Therefore, customers will have the right under the VCDPA to request deletion of their biometric data.

Implications for Auto Businesses:
Auto businesses should have a system to readily dispose of biometric data left on vehicles upon consumer request.

Right To Delete/Other

Virginia Consumer Data Protection Act

The VCDPA provides consumers the right to request that covered entities delete their personally identifiable information.

Implications for Auto Businesses:
Auto businesses must have the ability to delete personally identifying information off their vehicles upon request.

Washington

Data Disposal Statute (Non-regulated Commercial)

RCW § 19.215.020

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

RCW § 19.255.010

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Biometric Data (Commercial)

RCW § 19.375.020

Washington strictly regulates the collection, storage, and retention of biometric identifiers and information. Biometric data must be deleted when the purpose for its collection has been satisfied.

Implications for Auto Businesses:
Vehicles may contain the stored biometric data of previous drivers, including retina, face, and hand scans for features like distracted driver detection and custom driver settings. Auto businesses that are unknowingly storing–and failing to delete–biometric data left on vehicles may be exposed. Auto businesses should have a system to readily dispose of biometric data left on vehicles prior to resale or redisposition.

Right To Delete/Other

SB 5062

If passed, the Washington Privacy Act will provide consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the Washington Privacy Act will require auto businesses to delete personally identifying information off their vehicles upon request.

West Virginia

Data Breach Notice Statute

W. VA. Code § 46-2A-101

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Wisconsin

Data Breach Notice Statute

Wis. Stat. § 134.98

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Wyoming

Data Breach Notice Statute

Wyo. Stat. § 40-12-501

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.