
Auto Data Privacy Laws




United States Federal Laws


Federal Standards for Safeguarding Customer Information

86 FR 70272

An important Federal Trade Commission rule change, effective 12/09/22, safeguards the personal information (including sensitive geolocation and phone data) that is frequently stored in vehicles dealerships own: lease returns, loaners, and trades.

United States State-by-State Privacy Regulations

Alabama


Data Disposal Statute (Non-regulated Commercial)

AL Code § 8-38-10

Covered businesses must dispose of data containing personally identifying information when the records no longer serve a business purpose.

Implications for Auto Businesses:
Covered auto businesses must dispose of personally identifying information left on vehicles from previous customers or owners. The personally identifying information must be completely destroyed, erased, or otherwise rendered unreadable or indecipherable by any means.

Alabama Data Breach Notification Act

AL S.B. 318

Covered businesses must implement a reasonable written information security program that includes administrative, technical and physical safeguards for the protection of customer information.

Implications for Auto Businesses:
Covered auto businesses must implement reasonable measures to prevent unauthorized disclosure of or access to the personally identifying information of prior vehicle owners and drivers contained on vehicles. Covered auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect it from unauthorized disclosure or use. Covered auto businesses may be required to provide notice of a data breach if they fail to comply and personally identifiable information of a prior vehicle owner or driver is left in the vehicle and later accessed by an unauthorized third party.

Standards for Safeguarding Customer Information

ALA. ADMIN. CODE r. 482-1-126 (2003)

Alabama has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Alaska


Data Disposal Statute (Non-regulated Commercial)

AK Code § 45.48.500

Covered entities must take reasonable measures to ensure that any data they dispose of containing personally identifying information cannot be accessed or used by an unauthorized third party. The personally identifying information must be completely destroyed, erased, or otherwise rendered unreadable or indecipherable by any means.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data they dispose of from their vehicles containing personally identifying information is completely destroyed or otherwise rendered unreadable or indecipherable by other parties.

Data Breach Notice Statute

AK Code § 45.48.010

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Alaska Insurance Data Security Statute

3 AK Code § 26.705

Alaska has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Arizona


Data Disposal Statute (Non-regulated Commercial)

Ariz. Rev. Stat. § 44-7601

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

Ariz. Rev. Stat. § 44-7501

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Arizona Insurance Privacy Statute

Arizona Revised Statutes Title 20

Arizona has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to learn which entities the recorded personal information was shared with in the last two years, as well as the right to copy, correct, or delete the personal information.

Implications for Auto Insurers:

Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.

Arizona Insurance Data Security Statute

Arizona Revised Statutes Title 20

Arizona has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Right To Delete/Other

AZ HB 2865

If passed, Arizona's law will give consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the Arizona law will require auto businesses to delete personally identifying information from their vehicles upon request.

Arkansas


Data Disposal Statute (Non-regulated Commercial)

Ark. Code § 4-110-104

Covered entities must take reasonable steps to destroy customer records containing personally identifying information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

Ark. Code § 4-110-104

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Ark. Code § 4-110-104

Covered businesses must implement reasonable security measures to protect against a breach of personally identifying information.

Implications for Auto Businesses:
Auto businesses in Arkansas must implement reasonable measures to prevent unauthorized disclosure of or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect it from unauthorized disclosure or use.

Biometric Data (Commercial)

Arkansas Personal Information Protection Act

The Arkansas Personal Information Protection Act extends the definition of personally identifying information to include biometric data.

Implications for Auto Businesses:
Biometric data left on vehicles from previous drivers is subject to the same laws and regulations, including data disposal and breach notification laws, as other forms of personally identifying information. Auto businesses should incorporate regular biometric data deletion into their overall data management regime.

Arkansas Insurance Data Security Statute

054.00.77 ARK. CODE R. § 1-13

Arkansas has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

California


California Consumer Privacy Act of 2018 as amended by California Privacy Rights Act of 2020

Cal. Civ. Code §§ 1798.100-1798.199.100

Covered entities must prepare comprehensive privacy notices that are presented to consumers when personal information is collected. Additionally, covered entities must publicly disclose and inform consumers of the existence and nature of consumers’ rights under the CCPA.

Implications for Auto Businesses:
Covered auto businesses must honor consumer privacy requests from California residents to access, delete, and opt out of the sharing or sale of their information. Auto businesses must consider a number of CCPA-specific requirements when updating their privacy programs, such as the CCPA's prescriptive opt-out measures and the need to stop selling consumer data upon an individual's request. Additionally, auto businesses should incorporate regular biometric data deletion into their overall data management regime, since the CCPA extends the definition of personal information to include biometric data.

Customer Records Disposal Statute

Cal. Civ. Code § 1798.81

Covered entities must take reasonable steps to erase or destroy customer records containing personal information when the business no longer has a lawful basis to retain the customer records.

Implications for Auto Businesses:
Covered auto businesses must permanently destroy the personal information of previous customers and vehicle owners when they no longer have a lawful basis for maintaining custody or control over such customer records.

Shine The Light Law

Cal. Civ. Code § 1798.83

Covered entities must either allow their customers to opt-out of information sharing or make a detailed disclosure of how personal information was shared for direct-marketing purposes. Failure to do so may result in civil penalties ranging from $500-$3,000 plus attorney fees.

Implications for Auto Businesses:
Covered auto businesses must establish a procedure by which customers may request and receive, in writing or by email, the type of personal information that has been disclosed and the names and addresses of all third parties to which such information has been disclosed.

Data Breach Notice Statute

Cal. Civ. Code § 1798.82

Covered businesses must notify consumers and potentially the California Attorney General’s Office following a data breach involving a California resident’s personal information.

Implications for Auto Businesses:
Covered auto businesses may be required to send data breach notifications to their customers or previous vehicle owners if unencrypted personal information is left in the vehicle and later accessed by unauthorized third parties.

Reasonable Security of Personal Information

Cal. Civ. Code. § 1798.81.5

Covered businesses that own, license, or maintain personal information must implement and maintain reasonable security procedures and practices to prevent unauthorized access, destruction, use, modification, or disclosure.

Implications for Auto Businesses:
Auto businesses that own, license, or maintain personal information about California residents must implement reasonable measures to prevent unauthorized disclosure of or access to the personal information of prior vehicle owners or drivers stored in their vehicles. Auto businesses should also regularly purge any personal information left in vehicles in order to protect it from unauthorized disclosure or use.

California Insurance Privacy Statute

CAL. INS. CODE § 791.01

California has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to learn which entities the recorded personal information was shared with in the last two years, as well as the right to copy, correct, or delete the personal information.

Implications for Auto Insurers: 

Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.

California Insurance Data Security Statute

CAL. INS. CODE §§ 791.01

California has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

In-vehicle cameras

SB 296

California Senate Bill 296, titled In-vehicle cameras, will require drivers to be notified when photographs and video recordings are captured by in-vehicle cameras.

Implications for Auto Insurers:

Auto manufacturers would be required to disclose which vehicles are equipped with one or more in-vehicle cameras. Auto manufacturers would also be prohibited from selling or using any images or video recordings collected through the operation of an in-vehicle camera for advertising purposes, or from sharing them with third parties. Any manufacturer that violates this measure would be subject to a civil penalty of up to $2,500 for each vehicle equipped with an in-vehicle camera sold or leased in violation of the requirements of the law.

Invasion of Privacy

Cal. Pen. Code Sec. 637.7

Cal. Pen. Code Sec. 637.7 makes it illegal to use an electronic tracking device to determine the location or movement of a person without their consent.

Implications for Auto Businesses:
Some vehicles may be equipped or upgraded with factory or aftermarket tracking devices, including devices that collect, store, or transmit location data both on and off the vehicle. Location or movement data captured by such devices and left on vehicles should be deleted so that it cannot be accessed or used without authorization to track the vehicle's location or movements.

Colorado


Colorado Privacy Act of 2021

Colo. Rev. Stat. § 6-1-1301 to 1313

Covered entities must prepare comprehensive privacy notices that are presented to consumers when personal information is collected. Additionally, covered entities must publicly disclose and inform consumers of the existence and nature of consumers’ rights under the CPA.

Implications for Auto Businesses:
Covered auto businesses must honor consumer privacy requests from Colorado residents to access, delete, and opt out of the sharing or sale of their information. Auto businesses must consider a number of CPA-specific requirements when updating their privacy programs, such as the CPA's prescriptive opt-out measures and the need to stop selling consumer data upon an individual's request.

Data Breach Notice Statute

Colo. Rev. Stat. § 6-1-716

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Colo. Rev. Stat. § 6-1-713.5

Covered businesses that own, license, or maintain personally identifying information must implement and maintain reasonable security procedures and practices to prevent unauthorized access, use, modification, destruction, or disclosure.

Implications for Auto Businesses:
Auto businesses in Colorado must implement reasonable measures to prevent unauthorized disclosure of or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect it from unauthorized disclosure or use.

Colorado Insurance Data Security Statute

3 COLO. CODE REGS. § 702-6:6-4-2

Colorado has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Connecticut


Connecticut Data Privacy Act of 2022

Conn. Gen. Stat. §§ 42-515 to -525

Covered entities must prepare comprehensive privacy notices that are presented to consumers when personal information is collected. Additionally, covered entities must publicly disclose and inform consumers of the existence and nature of consumers’ rights under the CTDPA.

Implications for Auto Businesses:
Covered auto businesses must honor consumer privacy requests from Connecticut residents to access, delete, and opt out of the sharing or sale of their information. Auto businesses must consider a number of CTDPA-specific requirements when updating their privacy programs, such as the CTDPA's prescriptive opt-out measures and the need to stop selling consumer data upon an individual's request.

Data Disposal Statute (Non-regulated Commercial)

Conn. Gen. Stat. 42-471

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personal information that is deleted from their vehicles is completely destroyed or unreadable such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

Conn. Gen. Stat. § 36a-701(b)

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Conn. Public Act No. 21-119

Covered businesses in Connecticut will have a strong incentive to implement a reasonable cybersecurity program. Public Act No. 21-119 will provide an affirmative defense against punitive damages to businesses that implemented reasonable cybersecurity measures and suffered a data breach.

Implications for Auto Businesses:
Covered auto businesses will be able to drastically mitigate the potential cost of a data breach by implementing a reasonable or recognized cybersecurity framework. Most recognized frameworks include controls for minimizing unnecessary data retention and deleting stale personally identifiable information.

Connecticut Insurance Privacy Statute

CONN. GEN. STAT. §§ 38a-975

Connecticut has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to learn which entities the recorded personal information was shared with in the last two years, as well as the right to copy, correct, or delete the personal information.

Implications for Auto Insurers: 

Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.

Connecticut Insurance Data Security Statute

CONN. AGENCIES REGS. §§ 38a-8-124

Connecticut has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Delaware


Delaware Personal Data Privacy Act (effective January 1, 2025)

House Bill No. 154

Delaware’s privacy law applies to a wider range of businesses than consumer privacy laws in other states. Covered entities must prepare comprehensive privacy notices that are presented to consumers when personal information is collected. Additionally, covered entities must publicly disclose and inform consumers of the existence and nature of consumers’ rights under the DPDPA.

Implications for Auto Businesses:
Covered auto businesses must honor consumer privacy requests from Delaware residents to access, delete, and opt out of the sharing or sale of their information. Auto businesses must consider a number of DPDPA-specific requirements when updating their privacy programs, such as the DPDPA's prescriptive opt-out measures and the need to stop selling consumer data upon an individual's request.

Data Disposal Statute (Non-regulated Commercial)

Del. Code Ann. § 5001C

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personal information that is deleted from their vehicles is completely destroyed or unreadable such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

Del. Code Ann. § 6-12B-101

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Del. Code Ann. § 6-12B-101

Covered businesses that own, license, or maintain personally identifying information must implement and maintain reasonable security procedures and practices to prevent unauthorized access, use, modification, destruction, or disclosure.

Implications for Auto Businesses:
Auto businesses in Delaware must implement reasonable measures to prevent unauthorized disclosure of or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect it from unauthorized disclosure or use.

Delaware Insurance Data Security Statute

18 DEL. CODE REGS. § 905

Delaware has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Florida


Data Disposal Statute (Non-regulated Commercial)

Fla. Stat. § 501.171

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

Fla. Stat. § 501.171

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Fla. Stat. § 501.171

Covered businesses that own, license, or maintain personally identifying information must implement and maintain reasonable security procedures and practices to prevent unauthorized access, use, modification, destruction, or disclosure.

Implications for Auto Businesses:
Auto businesses in Florida must implement reasonable measures to prevent unauthorized disclosure of or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect it from unauthorized disclosure or use.

Florida Insurance Data Security Statute

FLA. ADMIN. CODE ANN. r. 69O-128.030

Florida has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Georgia

Data Disposal Statute (Non-regulated Commercial)

Ga. Code § 10-15-2

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personal information that is deleted from their vehicles is completely destroyed or unreadable such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

Ga. Code § 10-1-910

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Georgia Insurance Privacy Statute

GA. CODE ANN. §§ 33-39-1

Georgia has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to learn which entities the recorded personal information was shared with in the last two years, as well as the right to copy, correct, or delete the personal information.

Implications for Auto Insurers:

Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third-party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.

Hawaii

Data Disposal Statute (Non-regulated Commercial)

Haw. Rev. Stat. § 487R-1 to R-3

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

Haw. Rev. Stat. § 487N-1

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Idaho

Data Breach Notice Statute

Idaho Code § 28-51-104

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Illinois

Stolen Vehicle Recovery Hotline

625 ILCS 5/4-100

Manufacturers that sell vehicles in the State of Illinois must establish a stolen vehicle recovery hotline to share location data, including real-time vehicle location information, with IL law enforcement agencies for the exclusive purpose of tracking vehicles stolen in “vehicular hijacking incidents or that have been used in the commission of kidnapping, aggravated battery with a firearm, attempted homicide, or homicide”.

Implications for Auto Businesses:
Car manufacturers must:

  1. Maintain a telephone number that is staffed and available 24/7 to assist law enforcement with locating stolen vehicles under the above identified circumstances. 
  2. Relay vehicle location information, including real-time vehicle location information, to law enforcement when a warrant or court order has been issued, with the consent of the vehicle owner, or there is a clear and present danger of death or great bodily harm to individuals resulting from the vehicular hijacking or kidnapping incident. 
  3. Waive all fees associated with initiating, renewing, reestablishing, or maintaining the vehicle location service if the stolen vehicle is equipped with functioning vehicle location tracking capabilities.

Biometric Information Privacy Act

740 ILCS 14/1

Illinois strictly regulates the collection, storage, and retention of biometric identifiers and information. Biometric data must be deleted when the purpose for its collection has been satisfied, or within three years, whichever is sooner.

Implications for Auto Businesses:
Vehicles may contain the stored biometric data of previous drivers, including retina, face, and hand scans used for features like distracted driver detection and custom driver settings. Auto businesses that are unknowingly storing, and failing to delete, biometric data left on vehicles may be exposed. Auto businesses should have a system to readily dispose of biometric data left on vehicles prior to resale or redisposition.

Illinois Collateral Recovery Act

225 ILCS 422/110 (amended by P.A. 103-0371, § 10, eff. 1/1/2024)

This new amendment will require recovery agents to delete personal information from all repossessed vehicles beginning January 1, 2024.

Implications for Auto Businesses:
Automotive businesses that repossess vehicles in the State of Illinois must make arrangements with their forwarders and agents to ensure that the personal information of individuals whose vehicles have been repossessed is deleted before the vehicles leave recovery lots.

Data Disposal Statute (Non-regulated Commercial)

815 ILCS 530/30

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

815 ILCS 530/10

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

815 ILCS 530/45

Covered businesses that own, license, or maintain personally identifying information must implement and maintain reasonable security procedures and practices to prevent unauthorized access, use, modification, destruction, or disclosure.

Implications for Auto Businesses:
Auto businesses in Illinois must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Illinois Insurance Privacy Statute

215 ILL. COMP. STAT. 5/1001

Illinois has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to learn which entities the recorded personal information was shared with in the last two years, as well as the right to copy, correct, or delete the personal information.

Implications for Auto Insurers:

Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third-party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.

Illinois Insurance Data Security Statute

ILL. ADMIN. CODE tit. 50, §§ 4003.10

Illinois has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments of the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Indiana

Data Disposal Statute (Non-regulated Commercial)

Ind. Code § 24-4.9-3-3.5

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

Ind. Code § 24-4.9-3-1

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Ind. Code § 24-4.9-3-3.5

Covered businesses must implement reasonable procedures, including taking necessary corrective action, to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in Indiana must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Iowa

Data Breach Notice Statute

Iowa Code § 715C.1-2

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Iowa Insurance Data Security Statute

IOWA ADMIN. CODE r. 191-90.37

Iowa has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments of the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Kansas

Data Disposal Statute (Non-regulated Commercial)

Kan. Stat. § 50-6,139b

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

Kan. Stat. § 50-7a01

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Kan. Stat. § 50-6,139b

Covered businesses must implement reasonable procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in Kansas must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Kansas Insurance Privacy Statute

KAN. STAT. ANN. §§ 40-2,111

Kansas has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to learn which entities the recorded personal information was shared with in the last two years, as well as the right to copy, correct, or delete the personal information.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Kentucky

Data Disposal Statute (Non-regulated Commercial)

Ky. Rev. Stat. § 365.725

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

Ky. Rev. Stat. § 365.732

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Kentucky Insurance Privacy Statute

806 KY. ADMIN. REGS. 3:230

Kentucky has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments of the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Louisiana

Database Security Breach Notification Law

La. R.S. §§ 51:3071 to 51:3077

Covered entities must implement reasonable procedures to protect and safeguard personal information of Louisiana residents from unlawful use or unauthorized disclosure or access. This law extended the definition of personal information to include biometric data (e.g., fingerprints, voice print, eye retina or iris, etc.).

Implications for Auto Businesses:
Covered auto businesses must permanently destroy the personal information left in vehicles from previous customers or vehicle owners when that information is no longer to be lawfully retained by the business. Additionally, covered auto businesses may be required to provide data breach notifications if unencrypted personal information of previous customers or vehicle owners is left in vehicles and then later acquired by an unauthorized person.

Maine

Data Breach Notice Statute

10 Me. Rev. Stat. § 1346

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Maine Insurance Privacy Statute

ME. REV. STAT. ANN. tit. 24-A, §§ 2201

Maine has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to learn which entities the recorded personal information was shared with in the last two years, as well as the right to copy, correct, or delete the personal information.

Implications for Auto Insurers:

Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third-party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.

Maine Insurance Data Security Statute

ME. CODE R. § 980

Maine has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments of the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Maryland

Personal Information Protection Act (“Data Breach Notification Law”)

Md. Code Comm. Law § 14-3501 et seq.

Covered businesses must first conduct an investigation. If the covered business determines that a security breach has occurred and that personally identifying information can or will be compromised, it must notify the Attorney General, and then all affected Maryland residents, no later than 45 days.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Massachusetts

Data Disposal Statute (Non-regulated Commercial)

Mass. Gen. Laws Ch. 93I, § 2

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

Mass. Gen. Laws Ch. 93H, § 3

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Mass. Gen. Laws Ch. 93H, § 2

Covered businesses must implement procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in Massachusetts must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Massachusetts Insurance Privacy Statute

MASS. GEN. LAWS ch.175I

Massachusetts has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to learn which entities the recorded personal information was shared with in the last two years, as well as the right to copy, correct, or delete the personal information.

Implications for Auto Insurers:

Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third-party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.

Right To Delete/Other

Mass. SD 1726

If passed, the Massachusetts law will provide consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the law will require auto businesses to delete personally identifying information off their vehicles upon request.

Biometric Data (Commercial)

Massachusetts State Bill 2687

Massachusetts State Bill 2687 is a proposed biometric data privacy law pending in Massachusetts. Among the pending law’s requirements is the obligation for private entities to delete biometric data in their possession within 1 year after the purpose for the collection has been satisfied.

Implications for Auto Businesses:
Vehicles may contain the stored biometric data of previous drivers, including retina, face, and hand scans used for features like distracted driver detection and custom driver settings. Auto businesses that are unknowingly storing, and failing to delete, biometric data left on vehicles may be exposed. Auto businesses should have a system to readily dispose of biometric data left on vehicles prior to resale or redisposition.

Michigan

Data Disposal Statute (Non-regulated Commercial)

MCL § 445.72(a)

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

MCL § 445.63

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Michigan Insurance Data Security Statute

MICH. ADMIN. CODE r. 500.551

Michigan has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments of the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Minnesota

Data Breach Notice Statute

Minn. Stat. § 325E.61

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Minnesota Insurance Privacy Statute

MINN. STAT. §§ 72A.49

Minnesota has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to learn which entities the recorded personal information was shared with in the last two years, as well as the right to copy, correct, or delete the personal information.

Implications for Auto Insurers:

Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third-party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.

Minnesota Insurance Data Security Statute

MINN. STAT. §§ 60A.98

Minnesota has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments of the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Right To Delete/Other

Minn. HF1492

If passed, Minnesota’s law will provide consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the law will require auto businesses to delete personally identifying information off their vehicles upon request.

Mississippi

Data Breach Notice Statute

Miss. Code § 75-24-29

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Missouri

Data Breach Notice Statute

Mo. Rev. Stat. § 407.1500

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Missouri Insurance Data Security Statute

MO. CODE REGS. ANN. tit. 20, § 100-6.110

Missouri has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to conduct assessments of the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Biometric Data (Commercial)

Missouri House Bill 2716

Missouri House Bill 2716 is a proposed biometric data privacy law pending in Missouri. Among the pending law’s requirements is the obligation for private entities to delete biometric data in their possession within 3 years of the individual’s last interaction or when the purpose for the collection has been satisfied, whichever occurs first.

Implications for Auto Insurers: 

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Montana

Data Disposal Statute (Non-regulated Commercial)

Mont. Code § 30-14-1703

Covered businesses must dispose of data containing personally identifying information when the records no longer serve a business purpose.

Implications for Auto Businesses:
Covered auto businesses must dispose of personally identifying information left on vehicles from previous customers or owners. The personally identifying information must be completely destroyed, erased, or otherwise rendered unreadable or indecipherable by any means.

Data Breach Notice Statute

Mont. Code § 2-6-1501; § 30-14-1704

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Montana Insurance Privacy Statute

MONT. CODE ANN. §§ 33-19-101

Montana has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities with whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.

Implications for Auto Insurers: 

Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.

Montana Insurance Data Security Statute

MONT. ADMIN. R. 6.6.7001

Montana has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Nebraska

Data Breach Notice Statute

Neb. Rev. Stat. § 87-803

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Neb. Rev. Stat. § 87-808

Covered businesses must implement reasonable procedures, including safeguards regarding disposal of personally identifying information, to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in Nebraska must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge, or provide customers the means to completely purge, any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Nebraska Insurance Data Security Statute

210 NEB. ADMIN. CODE § 77

Nebraska has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Nevada

Data Disposal Statute (Non-regulated Commercial)

Nev. Rev. Stat. § 603A.200

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

Nev. Rev. Stat. § 603A.220

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Nev. Rev. Stat. 603A.210

Covered businesses must implement procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in Nevada must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Nevada Insurance Privacy Statute

NEV. ADMIN. CODE §§ 679B.560

Nevada has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities with whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.

Implications for Auto Insurers: 

Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.

New Hampshire

Data Breach Notice Statute

N.H. Rev. Stat. § 359-C:19

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

New Hampshire Insurance Data Security Statute

N.H. CODE ADMIN. R. ANN. INS. 3701.01

New Hampshire has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

New Jersey

New Jersey Privacy Law

S.B. 332

Covered entities must prepare comprehensive privacy notices that are presented to consumers when personal information is collected. Additionally, covered entities must publicly disclose and inform consumers of the existence and nature of consumers’ rights under New Jersey’s state privacy law.

Implications for Auto Businesses:
Covered auto businesses must honor consumer privacy requests from New Jersey residents to access, delete, and correct inaccuracies in their personal data, as well as opt-out requests. Auto businesses must stop selling consumer data upon an individual’s request. Additionally, auto businesses should incorporate regular sensitive data deletion into their overall data management regime, since this state privacy law defines “sensitive data” to include personal data revealing sex life, biometric data that may be processed for the purpose of identifying an individual, and precise geolocation data.

Motor Vehicle Data Deletion

A-4723

Dealerships that obtain a vehicle from a consumer for resale or leasing are required to propose the removal of the consumer’s personal information by either overwriting the data or restoring the vehicle to its original factory settings. Dealerships are permitted to impose a fee for this service, provided they inform the consumer of the charge before carrying out the service and that the consumer has the option to erase their personal data on their own or by employing a third-party service.

For more information, visit https://privacy4cars.com/nj-law/.

Data Disposal Statute (Non-regulated Commercial)

N.J. Stat. § 56:8-162

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

N.J. Stat. § 56:8-163

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

New Jersey Insurance Privacy Statute

N.J. REV. STAT. §§ 17:23A-1

New Jersey has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities with whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.

Implications for Auto Insurers: 

Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.

New Jersey Insurance Data Security Statute

N.J. ADMIN. CODE §§ 11:1-44.1

New Jersey has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Covered Employers Must Provide Written Notice to Track Employees

N.J. A3950

New Jersey AB 3950 requires covered employers to provide employees with written notice prior to tracking that employee’s person, device, or vehicle. Penalties may reach up to $2,500.00 per violation.

Implications for Auto Businesses:
Covered employers that utilize vehicle tracking technologies on employee-driven vehicles may need to modify their vehicle location tracking and data storage practices and obtain informed written consent from employee data subjects.

New Mexico

Data Disposal Statute (Non-regulated Commercial)

N.M. Stat. § 52-12C-3

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer reasonably needed by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer reasonably needed.

Data Breach Notice Statute

N.M. Stat. § 52-12C-6

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

N.M. Stat. § 52-12C-4

Covered businesses must implement procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in New Mexico must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

New York

Data Disposal Statute (Non-regulated Commercial)

N.Y. Gen. Bus. Law § 399-H

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

N.Y. Gen. Bus. Law § 899-AA

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

N.Y. Gen. Bus. Law § 899-BB

Covered businesses must implement reasonable technical, administrative, and physical safeguards to protect personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
As an administrative safeguard, auto businesses in New York should implement policies to ensure the regular deletion of personally identifying information left on vehicles prior to redisposition of the vehicle. For a physical control, businesses should ensure the information is deleted before a new occupant has possession of the vehicle. For a technical control, auto businesses should use technology that ensures complete and permanent deletion.

Biometric Data (Commercial)

New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act

The SHIELD Act broadened the definition of personally identifying information to include biometric data.

Implications for Auto Businesses:
Biometric data left on vehicles from previous drivers is subject to the same laws and regulations, including data disposal and breach notification laws, as other forms of personally identifying information. Auto businesses should incorporate regular biometric data deletion into their overall data management regime.

New York Insurance Data Security Statute

N.Y. COMP. CODES R. & REGS. tit. 11, §§ 421.0

New York has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Right To Delete/Other

Expansion of SHIELD Act

The NY legislature is considering expanding consumer rights under the SHIELD Act to include new rights, including the right to request a business delete personally identifying information.

Implications for Auto Businesses:
If the changes to the SHIELD Act become final, auto businesses must have the ability to delete personally identifying information from their vehicles upon request.

Electronic Monitoring Law

New York State Bill 2628

“Any employer who monitors or otherwise intercepts telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage of or by an employee by any electronic device or system . . . shall give prior written notice upon hiring to all employees.” Violators are subject to enforcement and penalties imposed by the New York Attorney General.

Implications for Auto Businesses:
Covered auto businesses—particularly fleet managers—may be required to comply with SB2628 to the extent the infotainment, telematics, or other systems contained in their fleet vehicles constitute electronic monitoring of their employees’ conversations, transmissions, internet access, or device or system usage as contemplated by SB2628.

North Carolina

Data Disposal Statute (Non-regulated Commercial)

N.C. Gen. Stat § 75-64

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

N.C. Gen. Stat. § 75-61

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

North Carolina Insurance Privacy Statute

N.C. GEN. STAT. §§ 58-39-1

North Carolina has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities with whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.

Implications for Auto Insurers: 

Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.

North Carolina Insurance Data Security Statute

N.C. GEN. STAT. §§ 58-39-130

North Carolina has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

North Dakota

Data Breach Notice Statute

N.D. Century Code § 51-30-01

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

North Dakota Insurance Data Security Statute

N.D. ADMIN. CODE 45-14-02-01

North Dakota has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Ohio

Data Breach Notice Statute

Ohio Rev. Code § 1349.19

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Ohio Rev. Code § 1349.02

Covered businesses should implement reasonable technical, administrative, and physical safeguards to protect personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
As an administrative safeguard, auto businesses in Ohio should implement policies to ensure the regular deletion of personally identifying information left on vehicles prior to redisposition of the vehicle. For a physical control, businesses should ensure the information is deleted before a new occupant has possession of the vehicle. For a technical control, auto businesses should use technology that ensures complete and permanent deletion.

Ohio Insurance Privacy Statute

OHIO REV. CODE ANN. §§ 3904.1

Ohio has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities with whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.

Implications for Auto Insurers: 

Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.

Oklahoma

Data Breach Notice Statute

24 Okla. Stat. § 161

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Oklahoma Insurance Data Security Statute

OKLA. ADMIN. CODE §§ 365:35-3-1

Oklahoma has adopted NAIC Model Regulation 673. Model Regulation 673 imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the foreseeable risks of unauthorized disclosure of or access to customer information and to implement sufficient safeguards to control those risks.

Implications for Auto Insurers:

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third-party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing the data once the vehicle has been re-disposed from the prior owner and the data no longer serves a legitimate business purpose.

Oregon

Data Disposal Statute (Non-regulated Commercial)

Ore. Rev. Stat. § 646A.622

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased such that the information cannot be subsequently accessed or re-imaged by a third party.

Data Breach Notice Statute

Ore. Rev. Stat. § 646A.604

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Ore. Rev. Stat. § 646A.622

Covered businesses must implement procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in Oregon must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Biometric Data (Commercial)

Oregon Consumer Information Protection Act, 646A-602

Oregon extended consumer data privacy protections to biometric data.

Implications for Auto Businesses:
Biometric data left on vehicles from previous drivers is subject to the same laws and regulations, including data disposal and breach notification laws, as other forms of personally identifying information. Auto businesses should incorporate regular biometric data deletion into their overall data management regime.

Oregon Insurance Privacy Statute

OR. REV. STAT. §§ 746.600

Oregon has adopted NAIC Model Regulation 670. Under Model Regulation 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to access information concerning the entities with whom the recorded personal information was shared in the last two years, as well as the right to copy, correct, or delete the personal information.

Implications for Auto Insurers: 

Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.

Oregon Insurance Data Security Statute

OR. ADMIN. R. 836-081-0101

Oregon has adopted NAIC Model Regulation 673, which imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the reasonably foreseeable risks of unauthorized disclosure of, or access to, customer information and to implement safeguards sufficient to control those risks.

Implications for Auto Insurers: 

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing data from a vehicle once the vehicle has changed hands and the data no longer serves a legitimate business purpose.

Pennsylvania

Back to Top

Data Breach Notice Statute

73 Pa. Stat. § 2303

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Pennsylvania Insurance Data Security Statute

31 PA. CODE §§ 146c.1

Pennsylvania has adopted NAIC Model Regulation 673, which imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the reasonably foreseeable risks of unauthorized disclosure of, or access to, customer information and to implement safeguards sufficient to control those risks.

Implications for Auto Insurers: 

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing data from a vehicle once the vehicle has changed hands and the data no longer serves a legitimate business purpose.

Rhode Island

Back to Top

Data Disposal Statute (Non-regulated Commercial)

R.I. Gen. Laws § 6-52-2

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

R.I. Gen. Laws § 11-49.2-3

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

R.I. Gen. Laws § 11-49.2-2

Covered businesses must implement procedures to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in Rhode Island must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Rhode Island Insurance Data Security Statute

230-20 R.I. CODE R. §§ 8.1-8.12

Rhode Island has adopted NAIC Model Regulation 673, which imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the reasonably foreseeable risks of unauthorized disclosure of, or access to, customer information and to implement safeguards sufficient to control those risks.

Implications for Auto Insurers: 

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing data from a vehicle once the vehicle has changed hands and the data no longer serves a legitimate business purpose.

South Carolina

Back to Top

Data Disposal Statute (Non-regulated Commercial)

S.C. Code § 37-20-190

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased, such that the information cannot subsequently be accessed or recovered by a third party.

Data Breach Notice Statute

S.C. Code § 39-1-90

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Right To Delete/Other

H. 4812

If passed, South Carolina’s House Bill 4812 will expand the state’s data protection and privacy rights to include biometric data. The law would also allow consumers to request deletion of their biometric data.

Implications for Auto Businesses:
If the law passes, auto businesses in South Carolina must be prepared to fulfill consumer personal information deletion requests. In particular, auto businesses must be able to delete biometric data contained on vehicles upon request or otherwise in compliance with House Bill 4812.

South Dakota

Back to Top

Data Breach Notice Statute

South Dakota S.B. 62

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

South Dakota Insurance Data Security Statute

S.D. ADMIN. R. §§ 20:06:45:20

South Dakota has adopted NAIC Model Regulation 673, which imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the reasonably foreseeable risks of unauthorized disclosure of, or access to, customer information and to implement safeguards sufficient to control those risks.

Implications for Auto Insurers: 

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing data from a vehicle once the vehicle has changed hands and the data no longer serves a legitimate business purpose.

Tennessee

Back to Top

Data Disposal Statute (Non-regulated Commercial)

Tenn. Code § 39-14-150(g)

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased, such that the information cannot subsequently be accessed or recovered by a third party.

Data Breach Notice Statute

Tenn. Code § 47-18-2107

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Right To Delete/Other

Tennessee Information Protection Act

If passed, the Tennessee Information Protection Act will provide consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the Tennessee Information Protection Act will require auto businesses to delete personally identifying information off their vehicles upon request.

Texas

Back to Top

Data Disposal Statute (Non-regulated Commercial)

Tex. Bus. & Com. Code § 72.004

Covered entities may not dispose of data containing personally identifying information without first completely destroying or erasing the personally identifying information.

Implications for Auto Businesses:
Covered auto businesses must ensure that any data containing personally identifying information that is deleted from their vehicles is completely destroyed or erased, such that the information cannot subsequently be accessed or recovered by a third party.

Data Breach Notice Statute

Tex. Bus. & Com. Code § 521.053

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Tex. Bus. & Com. Code § 521.052

Covered businesses must implement reasonable procedures, including taking necessary corrective action, to protect and safeguard personally identifying information from unlawful use or unauthorized disclosure or access.

Implications for Auto Businesses:
Auto businesses in Texas must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses should also regularly purge any personally identifying information left on vehicles in order to protect the same from unauthorized disclosure or use.

Biometric Data (Commercial)

Tex. Bus. & Com. Code § 503.001

Texas strictly regulates the collection, storage, and retention of biometric identifiers and information. Biometric data must be deleted within one year from when the purpose for its collection has been satisfied.

Implications for Auto Businesses:
Vehicles may contain the stored biometric data of previous drivers, including retina, face, and hand scans used for features like distracted driver detection and custom driver settings. Auto businesses that are unknowingly storing, and failing to delete, biometric data left on vehicles may be exposed to liability. Auto businesses should have a system to readily dispose of biometric data left on vehicles prior to resale or re-disposition.

Right To Delete/Other

HB 371

If passed, the Texas law will provide consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the law will require auto businesses to delete personally identifying information off their vehicles upon request.

Utah

Back to Top

Cybersecurity Affirmative Defense Act (or “Reasonable Cybersecurity Measures Required By Statute”)

Utah HB80

Utah HB80 creates an affirmative defense to certain causes of action arising out of a data breach. In general, covered businesses must implement a written cybersecurity program that meets the requirements of the law in order to assert the statutory affirmative defense. Among other requirements, the written cybersecurity program should account for “the storage and disposal of personal information.”

Implications for Auto Businesses:
Covered auto businesses must implement a written cybersecurity program to take advantage of Utah’s statutory affirmative defense. In doing so, auto businesses must account for data that is collected and stored on vehicles, including providing for the timely destruction of the data once it no longer serves a legitimate business purpose.

Data Disposal Statute (Non-regulated Commercial)

Utah Code § 13-44-201

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

Utah Code § 13-44-202

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Reasonable Cybersecurity Measures Required By Statute

Utah Code § 13-44-201

Covered businesses must implement reasonable measures to prevent unlawful use and disclosure of personally identifying information collected or maintained in the regular course of business and to destroy records containing personally identifying information when the records are no longer being retained by the business.

Implications for Auto Businesses:
Auto businesses in Utah must implement reasonable measures to prevent unauthorized disclosures or access to the personally identifying information of past drivers contained on vehicles. Auto businesses must also regularly purge any personally identifying information left on vehicles unless the information is being lawfully retained.

Utah Insurance Data Security Statute

UTAH ADMIN. CODE r. 590-216-1

Utah has adopted NAIC Model Regulation 673, which imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the reasonably foreseeable risks of unauthorized disclosure of, or access to, customer information and to implement safeguards sufficient to control those risks.

Implications for Auto Insurers: 

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing data from a vehicle once the vehicle has changed hands and the data no longer serves a legitimate business purpose.

Vermont

Back to Top

Data Disposal Statute (Non-regulated Commercial)

9 Vt. Stat. § 2445

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

9 Vt. Stat. § 2435

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Vermont Insurance Data Security Statute

VT. CODE R. IH-2002-3

Vermont has adopted NAIC Model Regulation 673, which imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the reasonably foreseeable risks of unauthorized disclosure of, or access to, customer information and to implement safeguards sufficient to control those risks.

Implications for Auto Insurers: 

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing data from a vehicle once the vehicle has changed hands and the data no longer serves a legitimate business purpose.

Virginia

Back to Top

Data Breach Notice Statute

Va. Code § 18.2-186.6

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Biometric Data (Commercial)

Virginia Consumer Data Protection Act (VCDPA)

The VCDPA–which provides consumers a right to delete their personally identifying information–expressly includes biometric data within its regulatory framework. Therefore, customers will have the right under the VCDPA to request deletion of their biometric data.

Implications for Auto Businesses:
Auto businesses should have a system to readily dispose of biometric data left on vehicles upon consumer request.

Virginia Insurance Privacy Statute

VA. CODE ANN. §§ 38.2-600

Virginia has adopted NAIC Model Act 670 (the Insurance Information and Privacy Protection Model Act). Under Model Act 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to learn to whom the recorded personal information was disclosed within the preceding two years, as well as the right to copy, correct, or delete the personal information.

Implications for Auto Insurers: 

Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.

Virginia Insurance Data Security Statute

VA. CODE ANN. § 38.2-613.2

Virginia has adopted NAIC Model Regulation 673, which imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the reasonably foreseeable risks of unauthorized disclosure of, or access to, customer information and to implement safeguards sufficient to control those risks.

Implications for Auto Insurers: 

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing data from a vehicle once the vehicle has changed hands and the data no longer serves a legitimate business purpose.

Right To Delete/Other

Virginia Consumer Data Protection Act

The VCDPA provides consumers the right to request that covered entities delete their personally identifiable information.

Implications for Auto Businesses:
Auto businesses must have the ability to delete personally identifying information off their vehicles upon request.

Washington

Back to Top

Data Disposal Statute (Non-regulated Commercial)

RCW § 19.215.020

Covered entities must take reasonable steps to destroy customer records containing personal information when the personal information is no longer being retained by the business.

Implications for Auto Businesses:
Covered auto businesses must completely and permanently destroy personally identifying information left on vehicles from previous customers or owners when that information is no longer being lawfully retained.

Data Breach Notice Statute

RCW § 19.255.010

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Biometric Data (Commercial)

RCW § 19.375.020

Washington strictly regulates the collection, storage, and retention of biometric identifiers and information. Biometric data must be deleted when the purpose for its collection has been satisfied.

Implications for Auto Businesses:
Vehicles may contain the stored biometric data of previous drivers, including retina, face, and hand scans used for features like distracted driver detection and custom driver settings. Auto businesses that are unknowingly storing, and failing to delete, biometric data left on vehicles may be exposed to liability. Auto businesses should have a system to readily dispose of biometric data left on vehicles prior to resale or re-disposition.

Right To Delete/Other

SB 5062

If passed, the Washington Privacy Act will provide consumers the ability to request that businesses delete their personally identifying information.

Implications for Auto Businesses:
If passed, the Washington Privacy Act will require auto businesses to delete personally identifying information off their vehicles upon request.

West Virginia

Back to Top

Data Breach Notice Statute

W. Va. Code § 46A-2A-101

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

West Virginia Insurance Data Security Statute

W. VA. CODE R. §§ 114-62-1

West Virginia has adopted NAIC Model Regulation 673, which imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the reasonably foreseeable risks of unauthorized disclosure of, or access to, customer information and to implement safeguards sufficient to control those risks.

Implications for Auto Insurers: 

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing data from a vehicle once the vehicle has changed hands and the data no longer serves a legitimate business purpose.

Wisconsin

Back to Top

Data Breach Notice Statute

Wis. Stat. § 134.98

Covered businesses must notify consumers and potentially regulatory entities following a data breach involving a customer’s personally identifiable information.

Implications for Auto Businesses:
Covered auto businesses may be required to provide notice of a data breach if personally identifiable information of previous customers or vehicle owners is left on vehicles and then accessed by unauthorized third parties.

Wisconsin Insurance Privacy Statute

WIS. STAT. § 610.70

Wisconsin has adopted NAIC Model Act 670 (the Insurance Information and Privacy Protection Model Act). Under Model Act 670, an individual may access their personal information recorded by an insurance institution, agent, or support organization. This right of access includes, for example, the right to learn to whom the recorded personal information was disclosed within the preceding two years, as well as the right to copy, correct, or delete the personal information.

Implications for Auto Insurers: 

Covered auto insurers that obtain personal information through in-vehicle devices and other technologies, or from third party service providers and telematics companies, must have a reasonable and reliable means of accessing, altering, and permanently erasing personal information upon request.

Wyoming

Back to Top

Wyoming Insurance Data Security Statute

044-55 WYO. CODE R. § 1-12

Wyoming has adopted NAIC Model Regulation 673, which imposes standards on insurance entities to safeguard customer information. For example, Model Regulation 673 requires covered entities to assess the reasonably foreseeable risks of unauthorized disclosure of, or access to, customer information and to implement safeguards sufficient to control those risks.

Implications for Auto Insurers: 

Covered auto insurers may obtain customer data through a variety of direct and indirect means, including in-vehicle devices, auto repossessions, re-disposition following a total loss, or third party service providers and telematics companies. Covered entities must take reasonable technical and administrative measures to protect this customer data from unauthorized or inadvertent disclosure, including by completely erasing data from a vehicle once the vehicle has changed hands and the data no longer serves a legitimate business purpose.

Canadian National Laws

Back to Top

Consumer Privacy Protection Act

CPPA

Consumer Privacy Protection Act – proposed federal legislation (introduced as part of Bill C-27) that would protect consumers’ control over their data and promote improved transparency regarding how organizations use data containing personal identifiers

Personal Information Protection and Electronic Documents Act

PIPEDA

Personal Information Protection and Electronic Documents Act – governs how organizations collect, use and disclose personal information in the course of commercial activity

Quebec

Back to Top

Quebec Bill 64, An Act to modernize legislative provisions as regards the protection of personal information

Quebec Bill 64

A privacy regulatory change took effect in Quebec that will directly impact the remarketing operations of auto consignors and their suppliers, chief among them auto auctions, recovery agents, and vehicle inspectors, in addition to fleet, rental and carsharing companies. Quebec Bill 64 introduces GDPR-like regulation backed by significant penalties, meaning remarketers must step up their in-car personal information disposal practices or risk millions of dollars in fines.

European Union Laws

Back to Top

General Data Protection Regulation

GDPR

Protection of natural persons with regard to the processing of personal data and the free movement of such data.

Study on the provision of information to consumers about the processing of vehicle-generated data

Preliminary Study

Implications for Auto Businesses:
The goal of this study was to assess how car manufacturers and car dealers comply with their obligations to provide clear and transparent information on the processing of vehicle-generated data, information that consumers need (and want) in order to make a fully informed purchasing decision.

While car manufacturers have dedicated websites for their connected services, the websites rarely provide details on data processing practices. Car manufacturers are also inconsistent in offering a dedicated connected services privacy policy; where a manufacturer does offer one, it is not always easy to find, which conflicts with their obligations under EU consumer laws.

The car manufacturers’ failure to disclose their data processing practices online carries over into the in-person dealership experience. Mystery shoppers found the salespeople to be “not very knowledgeable about any of the key processing topics.” Mystery shoppers were also rarely given literature about connected services or directed online for that same information. And again, the online information was lacking, not easily accessible or downloadable, and/or not easily understood.

United Kingdom Laws

Back to Top

UK General Data Protection Regulation

UK GDPR

The GDPR with technical changes made in order to account for its status as a national law of the United Kingdom.

Data Protection Act 2018 (“DPA”)

UK DPA

National data protection law, supplements the UK GDPR regime.