
FTC Safeguards Rule Changes on June 9, 2023
Critical Information for Dealerships, Auto Finance and Service Providers

Auto Data Privacy Laws
United States Federal Laws
Federal Standards for Safeguarding Customer Information
An important Federal Trade Commission rule change, effective 12/09/22, safeguards the personal information (including sensitive geolocation and phone data) that is frequently stored in vehicles dealerships own: lease returns, loaners, and trades.
United States State-by-State Privacy Regulations
Alabama
Data Disposal Statute (Non-regulated Commercial)
Covered businesses must dispose of data containing personally identifying information when the records no longer serve a business purpose.
Implications for Auto Businesses:
Covered auto businesses must dispose of personally identifying information left on vehicles from previous customers or owners. The personally identifying information must be completely destroyed, erased, or otherwise rendered unreadable or indecipherable by any means.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses must implement reasonable security measures to protect against a breach of personally identifying information.
Implications for Auto Businesses:
Auto businesses in Alabama must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.
Alabama Insurance Data Security Statute
Alabama has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and implementing sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data in a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Right To Delete/Other
If passed, Alabama’s Consumer Privacy Act will provide consumers the ability to request that businesses delete their personally identifying information.
Implications for Auto Businesses:
If passed, the Alabama law will require auto businesses to delete personally identifying information off their vehicles upon request.
Alaska
Data Disposal Statute (Non-regulated Commercial)
Covered entities must take reasonable measures to ensure that any data they dispose containing personally identifying information cannot be accessed or used by an unauthorized third party. The personally identifying information must be completely destroyed, erased, or otherwise rendered unreadable or indecipherable by any means.
Implications for Auto Businesses:
Covered auto businesses must ensure that any data they dispose of from their vehicles containing personally identifying information is completely destroyed or otherwise rendered unreadable or indecipherable by other parties.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Alaska Insurance Data Security Statute
Alaska has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and implementing sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data in a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Right To Delete/Other
If passed, Alaska’s Consumer Data Privacy Act will provide consumers the ability to request that businesses delete their personally identifying information.
Implications for Auto Businesses:
If passed, the Alaska law will require auto businesses to delete personally identifying information off their vehicles upon request.
Arizona
Data Disposal Statute (Non-regulated Commercial)
Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.
Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Arizona Insurance Privacy Statute
Arizona has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities to whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.
Implications for Auto Insurers:
Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.
Arizona Insurance Data Security Statute
Arizona has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and implementing sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data in a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Right To Delete/Other
If passed, Arizona’s law will provide consumers the ability to request that businesses delete their personally identifying information.
Implications for Auto Businesses:
If passed, the Arizona law will require auto businesses to delete personally identifying information off their vehicles upon request.
Arkansas
Data Disposal Statute (Non-regulated Commercial)
Covered entities must take reasonable steps to destroy customer records containing personally identifying information when the personal information is no longer being retained by the business.
Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses must implement reasonable security measures to protect against a breach of personally identifying information.
Implications for Auto Businesses:
Auto businesses in Arkansas must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.
Biometric Data (Commercial)
The Arkansas Personal Information Protection Act extends the definition of personally identifying information to include biometric data.
Implications for Auto Businesses:
Biometric data left on vehicles from previous drivers is subject to the same laws and regulations–including data disposal and breach notification laws–as other forms of personally identifying information. Auto businesses should incorporate regular biometric data deletion into their overall data management regime.
Arkansas Insurance Data Security Statute
Arkansas has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and implementing sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data in a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
California
Data Disposal Statute (Non-regulated Commercial)
Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.
Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses that own, license, or maintain personally identifying information must implement and maintain reasonable security procedures and practices to prevent unauthorized access, use, modification, destruction, or disclosure.
Implications for Auto Businesses:
Auto businesses in California must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.
Biometric Data (Commercial)
The CCPA extends the definition of personally identifying information to include biometric data.
Implications for Auto Businesses:
Biometric data left on vehicles from previous drivers is subject to the same laws and regulations–including data disposal and breach notification laws–as other forms of personally identifying information. Auto businesses should incorporate regular biometric data deletion into their overall data management regime.
California Insurance Privacy Statute
California has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities to whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.
Implications for Auto Insurers:
Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.
California Insurance Data Security Statute
California has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and implementing sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data in a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Right To Delete/Other
The CCPA provides consumers the right to request that covered entities delete their personally identifiable information.
CPRA: The California Privacy Rights Act expands the CCPA requirements, including data minimization provisions that only allow personally identifying information to be retained for as long as necessary to fulfill a disclosed use.
Implications for Auto Businesses:
Auto businesses must have the ability to delete personally identifying information off their vehicles upon request. Auto businesses should also purge personally identifying information from their vehicles for data minimization.
Invasion of Privacy
Cal. Pen. Code Sec. 637.7 makes it illegal to use an electronic tracking device to determine the location or movement of a person.
Implications for Auto Businesses:
Some vehicles may be equipped or upgraded to include factory or aftermarket tracking devices, including devices that collect, store, or transmit location data both on and off the vehicle. Location or movement data captured by covered devices and left on vehicles should be deleted to avoid unauthorized access or use to vehicle location or movement data.
Biometric Data (Commercial)
California State Bill 1189 is a proposed biometric data privacy law pending in California. If passed, the law will require private entities in possession of biometric data to delete the data (i) within 30 days following a request by a data subject or their representative, (ii) within 1 year of the individual’s last interaction, or (iii) by the date on which the purpose for the collection is satisfied, whichever is earliest.
Implications for Auto Businesses:
Vehicles may contain the stored biometric data of previous drivers, including retina, face, and hand scans for features like distracted driver detection and custom driver settings. Auto businesses that are unknowingly storing–and failing to delete–biometric data left on vehicles may be exposed. Auto businesses should have a system to readily dispose of biometric data left on vehicles prior to resale or redisposition and upon request by a consumer or their authorized representative.
Colorado
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses that own, license, or maintain personally identifying information must implement and maintain reasonable security procedures and practices to prevent unauthorized access, use, modification, destruction, or disclosure.
Implications for Auto Businesses:
Auto businesses in Colorado must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.
Colorado Insurance Data Security Statute
Colorado has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and implementing sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data in a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Right To Delete/Other
Colorado’s Privacy Act provides consumers the ability to request that businesses delete their personally identifying information. Not meeting the Colorado Privacy Act is automatically a deceptive act, subject to AG enforcement.
Implications for Auto Businesses:
Starting in July 2023, the Colorado law will require auto businesses to delete personally identifying information collected by vehicles upon request.
Connecticut
Data Disposal Statute (Non-regulated Commercial)
Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.
Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personal information that is deleted from their vehicles is completely destroyed or unreadable such that the information cannot be subsequently accessed or re-imaged by a third party.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Effective October 1, 2021, covered businesses in Connecticut will have a strong incentive to implement a reasonable cybersecurity program. Public Act No. 21-119 will provide an affirmative defense against punitive damages to businesses that implemented reasonable cybersecurity measures and suffered a data breach.
Implications for Auto Businesses:
Covered auto businesses will be able to drastically mitigate the potential cost of a data breach by implementing a reasonable or recognized cybersecurity framework. Most recognized frameworks include controls for minimizing unnecessary data retention and deleting stale personally identifiable information.
Connecticut Insurance Privacy Statute
Connecticut has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities to whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.
Implications for Auto Insurers:
Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.
Connecticut Insurance Data Security Statute
Connecticut has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and implementing sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data in a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Right To Delete/Other
The CTDPA imposes a number of obligations on entities that conduct business in Connecticut and control or process the personal data of 100,000 or more consumers (or 25,000 if at least 25% of revenue is from sale of data). The CTDPA provides a number of protections for consumers, including avoidance of dark patterns, the right to delete personal information, and the right to opt-out of the sale and sharing of personal information. Covered businesses must limit the collection of PI to a declared purpose and implement reasonable measures to protect the integrity and accessibility of personal data. (Eff. July 1, 2023).
Implications for Auto Businesses:
Covered auto businesses must minimize and limit their collection, disclosure, and retention of personal data contained on vehicles “to the purpose for which such data is processed, as disclosed to the customer.” Further, covered auto businesses must have measures in place to destroy personal information once there is no longer a disclosed purpose to retain the personal information or upon request of a consumer or authorized agent.
Delaware
Data Disposal Statute (Non-regulated Commercial)
Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.
Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personal information that is deleted from their vehicles is completely destroyed or unreadable such that the information cannot be subsequently accessed or re-imaged by a third party.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses that own, license, or maintain personally identifying information must implement and maintain reasonable security procedures and practices to prevent unauthorized access, use, modification, destruction, or disclosure.
Implications for Auto Businesses:
Auto businesses in Delaware must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.
Delaware Insurance Data Security Statute
Delaware has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and implementing sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data in a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Florida
Data Disposal Statute (Non-regulated Commercial)
Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.
Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses that own, license, or maintain personally identifying information must implement and maintain reasonable security procedures and practices to prevent unauthorized access, use, modification, destruction, or disclosure.
Implications for Auto Businesses:
Auto businesses in Florida must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.
Florida Insurance Data Security Statute
Florida has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and implementing sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data in a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Right To Delete/Other
If passed, Florida’s new consumer data privacy bill will be among the most comprehensive in the country. Among other rights, the Florida law will provide consumers the ability to request that businesses delete their personally identifying information.
Implications for Auto Businesses:
If passed, the Florida law will require auto businesses to delete personally identifying information off their vehicles upon request.
Georgia
Data Disposal Statute (Non-regulated Commercial)
Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.
Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personal information that is deleted from their vehicles is completely destroyed or unreadable such that the information cannot be subsequently accessed or re-imaged by a third party.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Georgia Insurance Privacy Statute
Georgia has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities with whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.
Implications for Auto Insurers:
Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.
Hawaii
Data Disposal Statute (Non-regulated Commercial)
Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.
Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Idaho
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Illinois
Data Disposal Statute (Non-regulated Commercial)
Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.
Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses that own, license, or maintain personally identifying information must implement and maintain reasonable security procedures and practices to prevent unauthorized access, use, modification, destruction, or disclosure.
Implications for Auto Businesses:
Auto businesses in Illinois must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.
Biometric Data (Commercial)
Illinois strictly regulates the collection, storage, and retention of biometric identifiers and information. Biometric data must be deleted when the purpose for its collection has been satisfied, or within three years, whichever is sooner.
Implications for Auto Businesses:
Vehicles may contain the stored biometric data of previous drivers, including retina, face, and hand scans used for features like distracted driver detection and custom driver settings. Auto businesses that are unknowingly storing, and failing to delete, biometric data left on vehicles may be exposed to liability. Auto businesses should have a system to readily dispose of biometric data left on vehicles prior to resale or re-disposition.
Illinois Insurance Privacy Statute
Illinois has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities with whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.
Implications for Auto Insurers:
Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.
Illinois Insurance Data Security Statute
Illinois has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, and third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-dispositioned from the prior owner and no longer serves a legitimate business purpose.
Right To Delete/Other
If passed, Illinois’ Consumer Privacy Act will provide consumers the ability to request that businesses delete their personally identifying information.
Implications for Auto Businesses:
If passed, the Illinois law will require auto businesses to delete personally identifying information off their vehicles upon request.
Indiana
Data Disposal Statute (Non-regulated Commercial)
Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.
Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses must implement reasonable procedures, including taking necessary corrective action, to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.
Implications for Auto Businesses:
Auto businesses in Indiana must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.
Iowa
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Iowa Insurance Data Security Statute
Iowa has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, and third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-dispositioned from the prior owner and no longer serves a legitimate business purpose.
Kansas
Data Disposal Statute (Non-regulated Commercial)
Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.
Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses must implement reasonable procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.
Implications for Auto Businesses:
Auto businesses in Kansas must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.
Kansas Insurance Privacy Statute
Kansas has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities with whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, and third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-dispositioned from the prior owner and no longer serves a legitimate business purpose.
Kentucky
Data Disposal Statute (Non-regulated Commercial)
Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.
Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Kentucky Insurance Privacy Statute
Kentucky has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, and third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-dispositioned from the prior owner and no longer serves a legitimate business purpose.
Biometric Data (Commercial)
Kentucky House Bill 626 is a proposed biometric data privacy law pending in Kentucky. Among HB626’s requirements is the obligation for private entities to delete biometric data in their possession within 1 year after the purpose for the collection has been satisfied.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, and third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-dispositioned from the prior owner and no longer serves a legitimate business purpose.
Louisiana
Data Disposal Statute (Non-regulated Commercial)
Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.
Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses must implement reasonable procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.
Implications for Auto Businesses:
Auto businesses in Louisiana must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.
Biometric Data (Commercial)
Louisiana extended the definition of personally identifying information to include biometric data.
Implications for Auto Businesses:
Biometric data left on vehicles from previous drivers is subject to the same laws and regulations, including data disposal and breach notification laws, as other forms of personally identifying information. Auto businesses should incorporate regular biometric data deletion into their overall data management regime.
Maine
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Maine Insurance Privacy Statute
Maine has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities with whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.
Implications for Auto Insurers:
Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.
Maine Insurance Data Security Statute
Maine has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, and third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-dispositioned from the prior owner and no longer serves a legitimate business purpose.
Maryland
Data Disposal Statute (Non-regulated Commercial)
Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.
Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses must implement reasonable procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.
Implications for Auto Businesses:
Auto businesses in Maryland must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.
Right To Delete/Other
If passed, Maryland’s law will provide consumers the ability to request that businesses delete their personally identifying information.
Implications for Auto Businesses:
If passed, the law will require auto businesses to delete personally identifying information off their vehicles upon request.
Biometric Data (Commercial)
Maryland House Bill 259 is a proposed biometric data privacy law pending in Maryland. Among HB259’s requirements is the obligation for private entities to delete biometric data in their possession within 30 days following a request by an individual or their authorized representative or within 3 years after the purpose for the collection has been satisfied, whichever is earlier.
Implications for Auto Businesses:
Vehicles may contain the stored biometric data of previous drivers, including retina, face, and hand scans used for features like distracted driver detection and custom driver settings. Auto businesses that are unknowingly storing, and failing to delete, biometric data left on vehicles may be exposed to liability. Auto businesses should have a system to readily dispose of biometric data left on vehicles prior to resale or re-disposition and upon request by a consumer or their authorized representative.
Massachusetts
Data Disposal Statute (Non-regulated Commercial)
Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.
Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses must implement procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.
Implications for Auto Businesses:
Auto businesses in Massachusetts must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.
Massachusetts Insurance Privacy Statute
Massachusetts has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities with whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.
Implications for Auto Insurers:
Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.
Right To Delete/Other
If passed, the Massachusetts law will provide consumers the ability to request that businesses delete their personally identifying information.
Implications for Auto Businesses:
If passed, the law will require auto businesses to delete personally identifying information off their vehicles upon request.
Biometric Data (Commercial)
Massachusetts State Bill 2687 is a proposed biometric data privacy law pending in Massachusetts. Among the pending law’s requirements is the obligation for private entities to delete biometric data in their possession within 1 year after the purpose for the collection has been satisfied.
Implications for Auto Businesses:
Vehicles may contain the stored biometric data of previous drivers, including retina, face, and hand scans used for features like distracted driver detection and custom driver settings. Auto businesses that are unknowingly storing, and failing to delete, biometric data left on vehicles may be exposed to liability. Auto businesses should have a system to readily dispose of biometric data left on vehicles prior to resale or re-disposition.
Michigan
Data Disposal Statute (Non-regulated Commercial)
Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.
Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Michigan Insurance Data Security Statute
Michigan has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, and third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-dispositioned from the prior owner and no longer serves a legitimate business purpose.
Minnesota
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Minnesota Insurance Privacy Statute
Minnesota has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities with whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.
Implications for Auto Insurers:
Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.
Minnesota Insurance Data Security Statute
Minnesota has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, and third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-dispositioned from the prior owner and no longer serves a legitimate business purpose.
Right To Delete/Other
If passed, Minnesota’s law will provide consumers the ability to request that businesses delete their personally identifying information.
Implications for Auto Businesses:
If passed, the law will require auto businesses to delete personally identifying information off their vehicles upon request.
Mississippi
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Missouri
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Missouri Insurance Data Security Statute
Missouri has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, and third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-dispositioned from the prior owner and no longer serves a legitimate business purpose.
Biometric Data (Commercial)
Missouri House Bill 2716 is a proposed biometric data privacy law pending in Missouri. Among the pending law’s requirements is the obligation for private entities to delete biometric data in their possession within 3 years of the individual’s last interaction or when the purpose for the collection has been satisfied, whichever occurs first.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Montana
Data Disposal Statute (Non-regulated Commercial)
Covered businesses must dispose of data containing personally identifying information when the records no longer serve a business purpose.
Implications for Auto Businesses:
Covered auto businesses must dispose of personally identifying information left on vehicles from previous customers or owners. The personally identifying information must be completely destroyed, erased, or otherwise rendered unreadable or indecipherable by any means.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Montana Insurance Privacy Statute
Montana has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities to whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.
Implications for Auto Insurers:
Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.
Montana Insurance Data Security Statute
Montana has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Nebraska
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses must implement reasonable procedures, including safeguards regarding disposal of personally identifying information, to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.
Implications for Auto Businesses:
Auto businesses in Nebraska must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge, or provide customers the means to completely purge, any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.
Nebraska Insurance Data Security Statute
Nebraska has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Nevada
Data Disposal Statute (Non-regulated Commercial)
Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.
Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses must implement procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.
Implications for Auto Businesses:
Auto businesses in Nevada must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.
Nevada Insurance Privacy Statute
Nevada has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities to whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.
Implications for Auto Insurers:
Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.
New Hampshire
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
New Hampshire Insurance Data Security Statute
New Hampshire has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
New Jersey
Data Disposal Statute (Non-regulated Commercial)
Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.
Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
New Jersey Insurance Privacy Statute
New Jersey has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities to whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.
Implications for Auto Insurers:
Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.
New Jersey Insurance Data Security Statute
New Jersey has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Right To Delete/Other
If passed, New Jersey’s law will provide consumers the ability to request that businesses delete their personally identifying information.
Implications for Auto Businesses:
If passed, the law will require auto businesses to delete personally identifying information off their vehicles upon request.
Covered Employers Must Provide Written Notice to Track Employees
New Jersey AB 3950 requires covered employers to provide employees with written notice prior to tracking that employee’s person, device, or vehicle. Penalties may reach up to $2,500.00 per violation.
Implications for Auto Businesses:
Covered employers that utilize vehicle tracking technologies on employee-driven vehicles may need to modify their vehicle location tracking and data storage practices and obtain informed written consent from employee data subjects.
New Mexico
Data Disposal Statute (Non-regulated Commercial)
Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer reasonably needed by the business.
Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer reasonably needed.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses must implement procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.
Implications for Auto Businesses:
Auto businesses in New Mexico must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.
New York
Data Disposal Statute (Non-regulated Commercial)
Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.
Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses must implement reasonable technical, administrative, and physical safeguards to protect personally identifying information from unlawful use or unauthorized disclosure or access.
Implications for Auto Businesses:
As an administrative safeguard, auto businesses in New York should implement policies to ensure the regular deletion of personally identifying information left on vehicles prior to redisposition of the vehicle. For a physical control, businesses should ensure the information is deleted before a new occupant has possession of the vehicle. For a technical control, auto businesses should use technology that ensures complete and permanent deletion.
Biometric Data (Commercial)
The SHIELD Act broadened the definition of personally identifying information to include biometric data.
Implications for Auto Businesses:
Biometric data left on vehicles from previous drivers is subject to the same laws and regulations–including data disposal and breach notification laws–as other forms of personally identifying information. Auto businesses should incorporate regular biometric data deletion into their overall data management regime.
New York Insurance Data Security Statute
New York has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Right To Delete/Other
The NY legislature is considering expanding consumer rights under the SHIELD Act to include new rights, including the right to request a business delete personally identifying information.
Implications for Auto Businesses:
If the changes to the SHIELD Act become final, auto businesses must have the ability to delete personally identifying information off their vehicles upon request.
Electronic Monitoring Law
“Any employer who monitors or otherwise intercepts telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage of or by an employee by any electronic device or system . . . shall give prior written notice upon hiring to all employees.” Violators are subject to enforcement and penalties imposed by the New York Attorney General.
Implications for Auto Businesses:
Covered auto businesses—particularly fleet managers—may be required to comply with SB2628 to the extent the infotainment, telematics, or other systems contained in their fleet vehicles constitute electronic monitoring of their employees’ conversations, transmissions, internet access, or device or system usage as contemplated by SB2628.
North Carolina
Data Disposal Statute (Non-regulated Commercial)
Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.
Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
North Carolina Insurance Privacy Statute
North Carolina has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities to whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.
Implications for Auto Insurers:
Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.
North Carolina Insurance Data Security Statute
North Carolina has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
North Dakota
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
North Dakota Insurance Data Security Statute
North Dakota has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Ohio
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses should implement reasonable technical, administrative, and physical safeguards to protect personally identifying information from unlawful use or unauthorized disclosure or access.
Implications for Auto Businesses:
As an administrative safeguard, auto businesses in Ohio should implement policies to ensure the regular deletion of personally identifying information left on vehicles prior to redisposition of the vehicle. For a physical control, businesses should ensure the information is deleted before a new occupant has possession of the vehicle. For a technical control, auto businesses should use technology that ensures complete and permanent deletion.
Ohio Insurance Privacy Statute
Ohio has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities to whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.
Implications for Auto Insurers:
Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.
Oklahoma
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Oklahoma Insurance Data Security Statute
Oklahoma has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Oregon
Data Disposal Statute (Non-regulated Commercial)
Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.
Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses must implement procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.
Implications for Auto Businesses:
Auto businesses in Oregon must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.
Biometric Data (Commercial)
Oregon extended consumer data privacy protections to biometric data.
Implications for Auto Businesses:
Biometric data left on vehicles from previous drivers is subject to the same laws and regulations–including data disposal and breach notification laws–as other forms of personally identifying information. Auto businesses should incorporate regular biometric data deletion into their overall data management regime.
Oregon Insurance Privacy Statute
Oregon has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities to whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.
Implications for Auto Insurers:
Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.
Oregon Insurance Data Security Statute
Oregon has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Pennsylvania
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Pennsylvania Insurance Data Security Statute
Pennsylvania has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Rhode Island
Data Disposal Statute (Non-regulated Commercial)
Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.
Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses must implement procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.
Implications for Auto Businesses:
Auto businesses in Rhode Island must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.
Rhode Island Insurance Data Security Statute
Rhode Island has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
South Carolina
Data Disposal Statute (Non-regulated Commercial)
Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.
Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Right To Delete/Other
If passed, South Carolina’s House Bill 4812 will expand the state’s data protection and privacy rights to include biometric data. The law would also allow consumers to request deletion of their biometric data.
Implications for Auto Businesses:
If the law passes, auto businesses in South Carolina must be prepared to fulfill consumer personal information deletion requests. In particular, auto businesses must be able to delete biometric data contained on vehicles upon request or otherwise in compliance with House Bill 4812.
South Dakota
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
South Dakota Insurance Data Security Statute
South Dakota has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Tennessee
Data Disposal Statute (Non-regulated Commercial)
Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.
Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Right To Delete/Other
If passed, the Tennessee Information Protection Act will provide consumers the ability to request that businesses delete their personally identifying information.
Implications for Auto Businesses:
If passed, the Tennessee Information Protection Act will require auto businesses to delete personally identifying information off their vehicles upon request.
Texas
Data Disposal Statute (Non-regulated Commercial)
Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.
Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses must implement reasonable procedures, including taking necessary corrective action, to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.
Implications for Auto Businesses:
Auto businesses in Texas must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.
Biometric Data (Commercial)
Texas strictly regulates the collection, storage, and retention of biometric identifiers and information. Biometric data must be deleted within one year from when the purpose for its collection has been satisfied.
Implications for Auto Businesses:
Vehicles may contain the stored biometric data of previous drivers, including retina, face, and hand scans for features like distracted driver detection and custom driver settings. Auto businesses that are unknowingly storing, and failing to delete, biometric data left on vehicles may be exposed. Auto businesses should have a system to readily dispose of biometric data left on vehicles prior to resale or re-disposition.
Right To Delete/Other
If passed, the Texas law will provide consumers the ability to request that businesses delete their personally identifying information.
Implications for Auto Businesses:
If passed, the law will require auto businesses to delete personally identifying information off their vehicles upon request.
Utah
Cybersecurity Affirmative Defense Act (or “Reasonable Cybersecurity Measures Required By Statute”)
Utah HB80 creates an affirmative defense to certain causes of action arising out of a data breach. In general, covered businesses must implement a written cybersecurity program that meets the requirements of the law in order to assert the statutory affirmative defense. Among other requirements, the written cybersecurity program should account for “the storage and disposal of personal information.”
Implications for Auto Businesses:
Covered auto businesses must implement a written cybersecurity program to take advantage of Utah’s statutory affirmative defense. In doing so, auto businesses must account for data that is collected and stored on vehicles, including providing for the timely destruction of the data once it no longer serves a legitimate business purpose.
Data Disposal Statute (Non-regulated Commercial)
Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.
Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Reasonable Cybersecurity Measures Required By Statute
Covered businesses must implement reasonable measures to prevent unlawful use and disclosure of personally identifying information collected or maintained in the regular course of business and to destroy records containing personally identifying information when the records are no longer being retained by the business.
Implications for Auto Businesses:
Auto businesses in Utah must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses must also regularly purge any personally identifying information left on vehicles unless the information is being lawfully retained.
Utah Insurance Data Security Statute
Utah has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Vermont
Data Disposal Statute (Non-regulated Commercial)
Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.
Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Vermont Insurance Data Security Statute
Vermont has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Virginia
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Biometric Data (Commercial)
The VCDPA, which provides consumers a right to delete their personally identifying information, expressly includes biometric data within its regulatory framework. Therefore, customers will have the right under the VCDPA to request deletion of their biometric data.
Implications for Auto Businesses:
Auto businesses should have a system to readily dispose of biometric data left on vehicles upon consumer request.
Virginia Insurance Privacy Statute
Virginia has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities with whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.
Implications for Auto Insurers:
Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.
Virginia Insurance Data Security Statute
Virginia has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Right To Delete/Other
The VCDPA provides consumers the right to request that covered entities delete their personally identifiable information.
Implications for Auto Businesses:
Auto businesses must have the ability to delete personally identifying information off their vehicles upon request.
Washington
Data Disposal Statute (Non-regulated Commercial)
Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.
Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Biometric Data (Commercial)
Washington strictly regulates the collection, storage, and retention of biometric identifiers and information. Biometric data must be deleted when the purpose for its collection has been satisfied.
Implications for Auto Businesses:
Vehicles may contain the stored biometric data of previous drivers, including retina, face, and hand scans for features like distracted driver detection and custom driver settings. Auto businesses that are unknowingly storing, and failing to delete, biometric data left on vehicles may be exposed. Auto businesses should have a system to readily dispose of biometric data left on vehicles prior to resale or re-disposition.
Right To Delete/Other
If passed, the Washington Privacy Act will provide consumers the ability to request that businesses delete their personally identifying information.
Implications for Auto Businesses:
If passed, the Washington Privacy Act will require auto businesses to delete personally identifying information off their vehicles upon request.
West Virginia
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
West Virginia Insurance Data Security Statute
West Virginia has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Wisconsin
Data Breach Notice Statute
Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.
Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.
Wisconsin Insurance Privacy Statute
Wisconsin has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities with whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.
Implications for Auto Insurers:
Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.
Wyoming
Wyoming Insurance Data Security Statute
Wyoming has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments regarding the foreseeable risks of unauthorized disclosures of or access to customer information and to implement sufficient safeguards to control those risks.
Implications for Auto Insurers:
Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or through third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once it has been re-disposed from the prior owner and no longer serves a legitimate business purpose.
Canadian National Laws
Canada Consumer Privacy Act
Canada Consumer Privacy Act – protects consumers' control over their data and promotes improved transparency regarding how organizations use data containing personal identifiers.
Personal Information Protection and Electronic Documents Act
Personal Information Protection and Electronic Documents Act – governs how organizations use, collect and disclose personal information in the course of personal business.
Quebec
Quebec Bill 64, An Act to modernize legislative provisions as regards the protection of personal information
A privacy regulatory change took effect in Canada that will directly impact the remarketing operations of auto consignors and their suppliers, chief among them auto auctions, recovery agents, and vehicle inspectors, in addition to fleet, rental and carsharing companies. Quebec Bill 64 introduces GDPR-like regulation with big teeth, meaning remarketers must step up their in-car PI data disposal practices or risk millions of dollars in fines.
European Union Laws
Standards for Safeguarding Customer Information
Protection of natural persons' personal data and the free movement of such data.
Study on the provision of information to consumers about the processing of vehicle-generated data
Implications for Auto Businesses:
The goal of this study was to assess how car manufacturers and car dealers comply with their obligations of providing clear and transparent information on the processing of vehicle-generated data that consumers need (and want) to make a fully informed purchasing decision.
While car manufacturers have dedicated websites for their connected services, the websites rarely provide details on data processing practices. There is also an inconsistency among car manufacturers when it comes to offering a dedicated connected services privacy policy; and if a manufacturer does offer one, it is not always easily found which conflicts with their obligations under EU consumer laws.
The car manufacturers’ inability to disclose their data processing practices online carries into the in-person dealership experience. Mystery shoppers found the salespeople to be “not very knowledgeable about any of the key processing topics.” Mystery shoppers were also rarely given literature about connected services or directed online for that same information. But again, the online information was lacking, not easily accessible or downloadable, and/or not easily understood.
United Kingdom Laws
UK General Data Protection Regulation
The GDPR with technical changes in order to account for its status as a national law of the United Kingdom.
Data Protection Act 2018 (“DPA”)
National data protection law that supplements the UK GDPR regime.