PRIVACY AND CONNECTED VEHICLES

White Paper

DRIVING AWAY WITH YOUR DATA

2019-07-02


Common terminology used throughout this white paper includes the following:

• “Connected Vehicles” includes technology-enabled vehicles, parts, and applications.

• “Connected Vehicle Stakeholders” includes original equipment manufacturers (OEM), automotive suppliers, and third-party service providers.

• “Consumers” includes the vehicle owner, registered users, and passengers.

• “Personal Information” is identifying information that includes, but is not limited to, a consumer’s name, address, email address, or other information that directly links back to a consumer as well as information that can be reasonably linked to a specific consumer, computer, or device. This can include credit card numbers, telephone numbers, biometrics, and location information.

INTRODUCTION

Connected vehicles present a world of opportunity for connected vehicle stakeholders and consumers, allowing for increased safety, convenience, and entertainment. These vehicles often require consumer data to properly function, but how do we ensure that the data collected, used, and shared is properly protected? How do we maintain the privacy of consumers taking advantage of these technologies? This white paper will discuss privacy issues related to connected vehicles and provide our recommendations on how to operationalize privacy as the connected vehicles that we use to get to work, school, and home increasingly become moving data repositories.

Background

An ever-increasing number of vehicles today roll out of factories and onto our roadways equipped with a myriad of new technologies. These connected vehicles allow consumers to play music, use smartphone applications via a dashboard screen, navigate, contact roadside assistance, use voice commands to control settings, receive parking assistance, diagnose car troubles, and a variety of other tasks. Such technological innovations often rely on consumers’ personal information to function properly or perform optimally and, as connected vehicles evolve and become more popular, collecting and sharing data will become more prevalent as well. As seen with similar technologies, such as mobile phones and connected televisions, such information collection has the propensity to become a larger issue, which is why building privacy into connected vehicles is so important. Further, connected vehicles raise unique issues that must be considered when implementing a framework for privacy.

Several organizations have recognized the need for privacy in connected vehicles and have already taken steps to outline privacy issues and best practices. This includes the Alliance of Automobile Manufacturers (Auto Alliance), who have established their Consumer Privacy Protection Principles (Privacy Principles)1 to provide member automobile manufacturers2 with a framework with which to consider privacy and build privacy into their products and services. The Privacy Principles are based on the Fair Information Practice Principles (FIPPs), which form the basis for privacy law and policy throughout the world and serve as a model for best practices when designing and implementing a system or application. As discussed in the Accountability section, the Privacy Principles also present a model for industry self-regulation, with participating members agreeing to comply with the Privacy Principles for all new vehicles, technologies, and services subscriptions.

Additionally, the United States (U.S.) Government Accountability Office (GAO) released a vehicle privacy report in July 2017 titled Vehicle Data Privacy, Industry and Federal Efforts Under Way, but NHTSA Needs to Define Its Role,3 (“GAO Vehicle Data Privacy Report”). The GAO Vehicle Data Privacy Report examines vehicle data use and the extent to which automakers’ privacy policies align with their business practices. The report also evaluates federal roles and efforts relating to vehicle privacy, and advocates for clearer federal agency responsibilities for vehicle privacy.

These documents have paved a road for examining and implementing privacy in connected vehicles. However, a deeper analysis of the complex privacy issues and potential privacy-preserving solutions is required as connected vehicles proliferate in our garages and on our roads.


1 Alliance of Automobile Manufacturers, Inc. (November 12, 2014, reviewed May 2018). Consumer Privacy Protection Principles: Privacy Principles for Vehicle Technologies and Services. Available at: https://autoalliance.org/wp-content/uploads/2017/01/Consumer_Privacy_Principlesfor_VehicleTechnologies_Services-03-21-19.pdf.

2 The Auto Alliance defines “participating members” as those companies that have adopted its Privacy Principles; however, the Auto Alliance’s approach serves as a framework for privacy for all connected vehicle stakeholders. A list of participating members can be found in the Privacy Principles Report. Available at: https://autoalliance.org/wp-content/uploads/2017/01/Consumer_Privacy_Principlesfor_VehicleTechnologies_Services-03-21-19.pdf.

3 Government Accountability Office. (July 2017). Vehicle Data Privacy, Industry and Federal Efforts Under Way, but NHTSA Needs to Define Its Role. Available at: https://www.gao.gov/assets/690/686284.pdf.


Privacy Principles:

• TRANSPARENCY

• CHOICE

• RESPECT FOR CONTEXT

• DATA MINIMIZATION, DE-IDENTIFICATION, AND RETENTION

• DATA SECURITY, INTEGRITY, AND ACCESS

• ACCOUNTABILITY

Issues and Analysis

This white paper provides a high-level overview of the privacy issues raised by connected vehicles, including an analysis of the issue, the current state of how connected vehicle stakeholders implement the issue, and our recommendations for operationalizing privacy for each issue, using the Auto Alliance’s Privacy Principles as a framework for our analysis.

TRANSPARENCY 4

What information is being collected? How is that information used? Who is that information shared with? Though these may seem like simple questions, the answers aren’t always straightforward. As a consumer, one place to look for these answers is a connected vehicle stakeholder’s Privacy Policy or Privacy Notice. Privacy Policies/Notices 5 are common (and in most cases required), but how effective are they at actually answering the questions posed above? In the GAO Vehicle Data Privacy Report, the GAO noted that automakers’ written Privacy Notices were readily accessible from their public websites, but none of the notices were clearly written.6 Lengthy and confusing Privacy Policies/Notices full of legalese and technical jargon are not new or unique to connected vehicles—this is commonplace across industries and technologies such as mobile applications, social media sites, etc. The Auto Alliance’s Transparency Principle states, “Participating Members commit to providing owners and registered users with ready access to clear, meaningful notices about the Participating Member’s collection, use, and sharing of Covered Information.” In other words:

Clear Notices = Transparency = Trust

Earning a consumer’s trust is important for connected vehicle stakeholders. A consumer needs to trust a vehicle to want to own it, drive it, or ride in it. Connected vehicle stakeholders have earned some trust through safety standards, but now need to earn another level of trust by implementing strong privacy and security standards with respect to consumer personal information. The best way to establish this “next level” of trust is through transparency. As vehicles collect more data and become more connected, consumers may have growing concerns about trusting connected vehicle stakeholders with their personal information. One way to address these concerns is to find methods to effectively communicate with consumers about how their personal information is being collected, used, and shared.

The U.S. Federal Trade Commission (FTC) issued guidance titled Careful Connections: Building Security in the Internet of Things7 that applies to connected vehicles. In the section, “Innovate How You Communicate,” FTC outlines methods—such as using a set-up wizard to walk consumers through the process of implementing security features or letting consumers set up “out of band” communication channels, including email or texts, to receive important information—which are good options for connected vehicle stakeholders to consider when deciding how to be more transparent with consumers about collection, use, and sharing of their personal information.

A paper presented during the USENIX Association Symposium on Usable Privacy and Security 2015 titled A Design Space for Effective Privacy Notices8 provides an overview of what its authors termed “the privacy notice design space.” The design space comprises four dimensions: timing (when a notice is provided), channel (how a notice is delivered), modality (what interaction modes are used), and control (how choices are provided). If connected vehicle stakeholders develop Privacy Policies/Notices using various options from these dimensions, the result will be clearer, more meaningful notices to consumers. Recommendations related to these dimensions on “how” to provide effective Privacy Policies/Notices are provided in the table on the next page.


4 Transparency: Participating members commit to providing owners and registered users with ready access to clear, meaningful notices about the participating member’s collection, use, and sharing of covered information.

5 A Privacy Policy is an “internal statement that governs an organization or entity’s handling of personal information. It is directed at those members of the organization who might handle or make decisions regarding the personal information, instructing them on the collection, use, storage, and destruction of the data, as well as any specific rights the data subjects may have. May also be referred to as a data protection policy.” A Privacy Notice is a “statement made to a data subject that describes how an organization collects, uses, retains, and discloses personal information. A privacy notice may be referred to as a privacy statement, a fair processing statement, or sometimes, a privacy policy. Numerous global privacy and data protection laws require privacy notices.” International Association of Privacy Professionals (IAPP) Glossary of Privacy Terms. Available at: https://iapp.org/resources/glossary/.

6 Government Accountability Office. July 2017. Vehicle Data Privacy, Industry, and Federal Efforts Under Way, but NHTSA Needs to Define Its Role. Available at: https://www.gao.gov/assets/690/686284.pdf.

7 Federal Trade Commission. January 2015. Careful Connections: Building Security in the Internet of Things. Available at: https://www.ftc.gov/system/files/documents/plain-language/pdf0199-carefulconnections-buildingsecurityinternetofthings.pdf.

8 USENIX Association Symposium on Usable Privacy and Security. July 2015. A Design Space for Effective Privacy Notices. Authors: Florian Schaub, Carnegie Mellon University; Rebecca Balebako, RAND Corporation; Adam L. Durity, Google; and Lorrie Faith Cranor, Carnegie Mellon University. Available at: https://www.usenix.org/conference/soups2015/proceedings/presentation/schaub.


Another important consideration for providing effective Privacy Policies/Notices is the actual content of the notice or the “what” to include. It is important to strike a balance between providing enough information so that the consumer has an accurate picture of how their personal information is collected, used, and shared while not providing so much detail that consumers have no desire to read the Privacy Policy/Notice because it’s simply too long and/or complicated. In addition to the level of detail, it is important that the Privacy Policy/Notice is written in clear, simple language, so that consumers are not bogged down with overly technical details or legalese. The table below outlines some recommendations on the “what” to include in a Privacy Notice:

TIMING/FREQUENCY

• At point of sale/time of purchase/set-up (new and used vehicles) before personal information collection begins

• At time of collection, use, or sharing of personal information

• Whenever there are changes to collection, use, and sharing practices or there is a change in context (e.g., new driver or passenger in the vehicle)

• Periodically (e.g., a couple of times at the beginning of use, quarterly, semi-annually, or annually) as a refresher

• Ongoing/persistent (e.g., an indicator on the dashboard display whenever personal information is being collected, used, or shared)

• Upon request/on demand (e.g., located at a persistent location with a link from a website or application)

CHANNEL

• In-car communications via a dashboard display

• Notification/alert from connected vehicle stakeholder’s mobile applications

• Email/text message from connected vehicle stakeholder to consumer

• Owner’s manuals

• Other hardcopy/electronic materials provided by connected vehicle stakeholders (e.g., user agreements, registration forms, etc.)

• Connected vehicle stakeholder’s website

MODALITY

• Visual notices (e.g., using text or images on dashboard displays)

• Auditory notices (e.g., a recorded reading of a privacy notice that can be played through the vehicle’s stereo speakers or a sound/alarm that can be played when personal information collection, use, or sharing begins)

• Haptic (e.g., vibration in the steering wheel when personal information collection, use, or sharing begins)

CONTROL/CHOICE

• Requiring choice/consent before service can continue (e.g., requiring opt-in prior to an infotainment system initiating service in a vehicle)

• Provide choice/consent options without requiring interaction (e.g., enabling data collection through in-car sensors unless the consumer opts out of that collection)

CONTENT

• Types of personal information

• Methods of collection

• Purpose for collection (i.e., how personal information may be used)

• With whom personal information may be shared, the circumstances under which it may be shared, and the purpose(s) for which it may be shared

• When personal information may be modified, deleted, or de-identified

• How/where personal information may be stored (and by whom)

• How personal information will be secured (and by whom)

• Choices consumers have about their personal information and benefits/consequences of providing/not providing personal information

• How consumers can access and correct/delete their personal information

• Whom to contact with questions


CHOICE 9

Giving consumers choices allows consumers to be involved in the collection, use, and sharing of their personal information. As such, connected vehicle stakeholders should strive to obtain consent from the consumer, where practical, prior to the collection, use, and sharing of his/her personal information.10 Currently, consumer consent is, at times, implied at the point of sale or application download; at other times, companies do seek explicit consent prior to collecting or sharing personal information. Connected vehicle stakeholders can and should improve upon current practices to allow for more nuanced and meaningful consumer choice.

Where bargaining power may be limited or negligible, it raises the question of whether consumers really have a choice in whether their personal information is collected, how their personal information is used, and with whom their personal information is shared. As such, consent should be meaningful—usability of a vehicle or its services should not hinge on whether personal information is provided unless that information is necessary for functionality. For example, requiring location information to use Global Positioning System (GPS) mapping services would likely be necessary for the mapping service’s functionality; however, collecting location information to use an entertainment streaming service would likely not be necessary for that service’s functionality, and therefore, a consumer deciding not to share such information should not have an impact on the service’s usability.

Where possible, connected vehicle stakeholders should obtain consent from consumers prior to collecting, using, and/or sharing their personal information and whenever there are changes to such information collection, use, and sharing. Connected vehicle stakeholders should strive to obtain informed consent, providing easily understood and digestible information to consumers on what data will be collected, how their data will be used, and how it will be shared in a user-friendly format. This may be in the form of mobile application alerts, messages on the vehicle dashboard, or other methods of communication.

Opt-in consent (where a consumer affirmatively allows their personal information to be collected, used, or shared) is preferred over the passive opt-out consent model (where consent is implied unless the consumer takes action to communicate otherwise).

Finally, connected vehicle stakeholders should strive to allow for tiered consent where possible, where consumers can choose what personal information they provide, how it is used, and whether and how it is shared. This allows consumers additional autonomy in the data collection process and provides flexibility to both the consumer and connected vehicle stakeholders. For example, Facebook allows users to choose sharing settings prior to posting updates, allowing a user to share a post publicly, only with their friends, or even just with a subset of their friends, and allowing them to choose what exactly they want to share and with whom they want to share it. Per the GAO Vehicle Data Privacy Report, while all the selected automakers reported obtaining consent prior to collecting information, they offered few options besides opting out of all connected vehicle services to those consumers who did not want to share their data. Connected vehicle stakeholders should strive to use tiered consent mechanisms, where possible, to allow consumers more options and greater control over their personal information, allowing consumers to choose exactly what personal information is shared and how it is used.

9 Choice: Participating members commit to offering owners and registered users with certain choices regarding the collection, use, and sharing of covered information.

10 U.S. Government Accountability Office, 2017, Vehicle Data Privacy: Industry and Federal Efforts Under Way, but NHTSA Needs to Define Its Role, GAO-17-656, Washington, DC. https://www.gao.gov/assets/690/686284.pdf.


RESPECT FOR CONTEXT 11

In general, personal information should only be used and shared in ways that are compatible with the reason the information was originally collected. Unlike other technologies—such as certain “free” mobile applications, where users have a general understanding that they are “paying” for an application with their data—vehicles come at a financial cost, and therefore consumers might not understand that their personal information is being used for the connected vehicle stakeholders’ benefit.

Connected vehicle stakeholders should take this dynamic into consideration and attempt to limit the use and sharing of personal information to only the reasons that a consumer would reasonably expect: for purposes that benefit the driver and passengers. Connected vehicle stakeholders should strive to communicate specific reasons for collecting, using, and sharing information before personal information is collected in Privacy Policies/Notices, as described in the Transparency section of this white paper. All uses of personal information collected from the connected vehicle should then be compatible with those described in such Privacy Policies/Notices. If connected vehicle stakeholders change the way they use or share personal information, those changes should be communicated to consumers in a clear and concise manner prior to the change. Further, consumers should be required to opt in to new uses of personal information and understand the repercussions of not doing so (such as decreased functionality).

DATA MINIMIZATION, DE-IDENTIFICATION, AND RETENTION 12

The Auto Alliance’s Principle of Data Minimization, De-Identification, and Retention commits connected vehicle stakeholders to only collecting information needed for “legitimate business purposes”; however, the GAO found in its July 2017 Vehicle Data Privacy Report that automakers have not yet clearly defined what qualifies as a “legitimate business purpose” for collecting consumer information.13 A legitimate business purpose is not legally defined, and therefore its definition can be as broad or as narrow as connected vehicle stakeholders prefer.

Because of this, connected vehicle stakeholders must first develop a clear definition of what constitutes “legitimate business purposes” and then only collect, use, and retain personal information for those purposes. Further, connected vehicle stakeholders should ensure that only the minimum amount of data necessary to achieve those purposes is collected from consumers. That information should be de-identified using industry best practices, with data only being used in the aggregate or after it is anonymized, wherever possible. De-identification can occur by either removing direct identifiers (names, email addresses) or indirect/quasi-identifiers (dates, demographic information).14

De-identification can present its own challenges. For example, in 2006, Netflix published 10 million movie rankings by 500,000 customers as part of a challenge to the public to create a better recommendation system for Netflix users.15 The published data was anonymized by removing personal identifiers and replacing names with random numbers to protect the privacy of the recommenders. However, two researchers at the University of Texas at Austin were able to re-identify some of the data by comparing rankings and timestamps with public information in the Internet Movie Database (IMDb).16

Other de-identification challenges include singling out a consumer (e.g., only one consumer in the sample set has a certain type of vehicle), linkage of data between consumers (e.g., two consumers have the same home address), or an inference made on a consumer (e.g., the type of vehicle the consumer drives and where the consumer lives can lead to an inference on the consumer’s salary).17 De-identification in the health field is a particular challenge, as protected health information (PHI) can include numerous data points and singling out, data linkage, and inferences can easily be made. These examples illustrate the difficulties in ensuring that data sets are truly de-identified; because of this, connected vehicle stakeholders should ensure that they minimize the personal information collected to only that which is necessary.
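The three failure modes named above (singling out, linkage, and inference) can be checked mechanically before a “de-identified” vehicle data set is shared. The following script is an added example, not code from the white paper or from any of the organizations it cites. It uses a small constructed set of telematics records from which direct identifiers (name, VIN, email) are assumed to have already been removed, and a constructed “public” list playing the role IMDb played in the Netflix case. It reports the k-anonymity of the remaining quasi-identifiers (model, home ZIP, age band), lists records that are singled out, tries to link the public rows to single records, flags classes where a sensitive value can be inferred even when nobody is singled out, and shows how generalizing the ZIP code changes each result. Record values, names, and column choices are all invented for illustration.

```python
"""Constructed example: can a de-identified vehicle data set still be
singled out, linked, or used for inference? Not from the white paper."""
from collections import defaultdict

# Constructed sample records; "daily_km" stands in for a sensitive attribute.
RECORDS = [
    {"id": 1, "model": "SedanX", "home_zip": "94110", "age_band": "30-39", "daily_km": 42},
    {"id": 2, "model": "SedanX", "home_zip": "94110", "age_band": "30-39", "daily_km": 35},
    {"id": 3, "model": "SedanX", "home_zip": "94110", "age_band": "30-39", "daily_km": 50},
    {"id": 4, "model": "TruckY", "home_zip": "94117", "age_band": "40-49", "daily_km": 80},
    {"id": 5, "model": "TruckY", "home_zip": "94117", "age_band": "40-49", "daily_km": 80},
    {"id": 6, "model": "CoupeZ", "home_zip": "94118", "age_band": "20-29", "daily_km": 12},
    {"id": 7, "model": "SedanX", "home_zip": "94117", "age_band": "30-39", "daily_km": 60},
    {"id": 8, "model": "SedanX", "home_zip": "94117", "age_band": "30-39", "daily_km": 55},
    {"id": 9, "model": "CoupeZ", "home_zip": "94112", "age_band": "20-29", "daily_km": 15},
]
QUASI_IDS = ("model", "home_zip", "age_band")

# Constructed "public" side data (e.g. a registration list), the IMDb role in the Netflix case.
PUBLIC_ROWS = [
    {"name": "P. Example", "model": "CoupeZ", "home_zip": "94118", "age_band": "20-29"},
    {"name": "Q. Example", "model": "SedanX", "home_zip": "94110", "age_band": "30-39"},
]


def equivalence_classes(records, quasi_ids):
    """Group records that share the same quasi-identifier values."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[q] for q in quasi_ids)].append(r)
    return groups


def k_anonymity(records, quasi_ids):
    """Smallest equivalence-class size; k == 1 means someone can be singled out."""
    groups = equivalence_classes(records, quasi_ids)
    return min(len(g) for g in groups.values()) if groups else 0


def singled_out(records, quasi_ids):
    """IDs of records whose quasi-identifier combination is unique in the set."""
    return sorted(r["id"] for g in equivalence_classes(records, quasi_ids).values()
                  if len(g) == 1 for r in g)


def link(records, public_rows, quasi_ids):
    """Linkage check: an external row that matches exactly one record re-identifies it."""
    groups = equivalence_classes(records, quasi_ids)
    hits = {}
    for row in public_rows:
        matches = groups.get(tuple(row[q] for q in quasi_ids), [])
        if len(matches) == 1:
            hits[row["name"]] = matches[0]["id"]
    return hits


def homogeneous_classes(records, quasi_ids, sensitive):
    """Inference check: classes with k > 1 where every member shares the
    sensitive value, so the value is disclosed without singling anyone out."""
    return sorted(key for key, g in equivalence_classes(records, quasi_ids).items()
                  if len(g) > 1 and len({r[sensitive] for r in g}) == 1)


def generalize_zip(rows, keep_digits=3):
    """Generalize ZIP codes to their leading digits (one simple de-identification step)."""
    return [dict(r, home_zip=r["home_zip"][:keep_digits] + "*" * (5 - keep_digits))
            for r in rows]


if __name__ == "__main__":
    print("k before:", k_anonymity(RECORDS, QUASI_IDS),
          "singled out:", singled_out(RECORDS, QUASI_IDS))
    print("linked before:", link(RECORDS, PUBLIC_ROWS, QUASI_IDS))
    gen = generalize_zip(RECORDS)
    print("k after ZIP generalization:", k_anonymity(gen, QUASI_IDS))
    print("linked after:", link(gen, generalize_zip(PUBLIC_ROWS), QUASI_IDS))
    print("still inferable:", homogeneous_classes(gen, QUASI_IDS, "daily_km"))
```

On the constructed data the original release has k = 1 (records 6 and 9 are singled out, and the public row for “P. Example” links straight to record 6). Generalizing the ZIP to three digits raises k to 2 and breaks that linkage, but the two TruckY records still share the same daily_km value, so that attribute can be inferred for anyone known to be in that class; minimizing what is collected in the first place avoids having to make such trade-offs at release time.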

Further, connected vehicle stakeholders should implement retention policies to ensure that information is only maintained for the minimum amount of time necessary to achieve those defined legitimate business purposes.

11 Respect for Context: Participating members commit to using and sharing covered information in ways that are consistent with the context in which the covered information was collected, taking account of the likely impact on owners and registered users.

12 Data Minimization, De-Identification, and Retention: Participating members commit to collecting covered information only as needed for legitimate business purposes. Participating members commit to retaining covered information no longer than they determine necessary for legitimate business purposes.

13 Government Accountability Office. July 2017. Vehicle Data Privacy, Industry and Federal Efforts Under Way, but NHTSA Needs to Define Its Role. Available at: https://www.gao.gov/assets/690/686284.pdf.

14 Nelson, Gregory S. Practical Implications of Sharing Data: A Primer on Data Privacy, Anonymization, and De-Identification. Available at https://support.sas.com/resources/papers/proceedings15/1884-2015.pdf.

15 Schneier, Bruce. Why “Anonymous” Data Sometimes Isn’t. 7 December 2007. Available at: https://www.wired.com/2007/12/why-anonymous-data-sometimes-isnt/.

16 Schneier, Bruce. Why “Anonymous” Data Sometimes Isn’t. 7 December 2007. Available at: https://www.wired.com/2007/12/why-anonymous-data-sometimes-isnt/.

17 Trimble, Allison and Kang, Soo. Breaking Down Big Data: Challenges of Meeting De-identification Standards. 25 September 2017. Available at: http://www.accdocket.com/articles/challenges-de-identification-standards-big-data.cfm.


DATA SECURITY, INTEGRITY, AND ACCESS

Data security, integrity, and access go hand-in-hand. The best way to ensure the integrity of Personal Information is to:

• Ensure personal information is secure and protected from manipulation

• Collect personal information directly from consumers and allow consumers to securely access, update, and correct the information, as needed

The Auto Alliance’s definitions for Data Security18 and Integrity and Access19 state that “reasonable measures” should be implemented; however, reasonable measures are only defined to include standard industry practices and a few limited examples.

Information collected by connected vehicles represents a plethora of data on consumers, and a lack of integrity or a breach in the information collection from a connected vehicle in real time can present safety risks as well. For example, incorrect sensor readings can lead to immediate braking. Therefore, vehicle data security must be continually monitored and strengthened.

The data should also be continually protected and encrypted, so as not to leave the collection and transmission of data open to the public or unauthorized individuals. Where the safety of the consumer in the vehicle is involved, security should be at the highest threshold. While the security of media and navigation devices in the vehicle is important, compromised media and routing data may have less of an effect on the consumer. However, navigation systems frequently store home and work addresses, and the security of those data points is paramount as this information can be sensitive. In instances of safety-critical systems, such as passenger safety sensors, security should be implemented in such a way as to not unnecessarily degrade performance (e.g., communications latency), but should still provide reasonable protections to ensure the data is not compromised.

When possible, connected vehicle stakeholders should adhere to these guidelines:

• Collect information directly from the consumer (versus through a third party) to ensure accuracy of the information.

• Allow consumers to access their information to periodically review their data and make any necessary updates or changes to ensure its accuracy.

• Ensure strong security protocols and authentication mechanisms are implemented so information is not compromised, modified, or manipulated.

• Provide various options to consumers to securely access their personal information, through in-dash displays or via the connected vehicle stakeholder’s website or mobile application. Additionally, allow for more traditional methods, such as a call center representative.

• Account for vehicle transfer of ownership (e.g., allowing for easy wiping of data before sale) and other issues (e.g., remote wiping capability in the event of a severe crash or theft).

• Allow consumers the ability to disable or delete data collected about them without reducing or losing certain functionalities in their connected vehicles. Examples of this include allowing for manual passphrase entry when consumers do not want to use biometrics, such as a fingerprint, to authenticate and allowing consumers to turn off an application’s ability to access location data for functions that do not require that information, such as alerts about nearby gas stations or convenience stores.

18 Data Security: Participating members commit to implementing reasonable measures to protect covered information against loss and unauthorized access or use.

19 Integrity & Access: Participating members commit to implementing reasonable measures to maintain the accuracy of covered information and commit to giving owners and registered users reasonable means to review and correct personal subscription information.


The challenges of data security do not end upon receipt of the connected vehicle to a consumer. As evidenced by recalls, there can be defects in a vehicle that are unknown until a later date. Connected vehicle stakeholders should have teams continually looking for flaws and vulnerabilities in systems and have reporting tools for consumers and white hat hackers to notify connected vehicle stakeholders of identified vulnerabilities. When issues are identified, like a recall for a physical part, security fixes should be pushed out to all consumers, whether wirelessly or through dealer installation. Wireless security updates must address consumer safety and privacy concerns, such as preferences used to customize system features and the ability to opt-out of information collection, use, and sharing.

ACCOUNTABILITY 20

The final issue to consider is accountability: Who should be in charge of ensuring that privacy protections are properly considered and built into connected vehicles? The Auto Alliance, an automotive industry advocacy group, developed its Privacy Principles to provide an approach to consumer privacy that member automakers can choose to adopt. This self-regulatory approach has been employed in other industries, such as the advertising industry, to ensure that industry standards are in place where gaps exist in laws or regulations.21

Self-regulation can set an industry’s tone for ensuring that privacy is protected. For example, the Auto Alliance’s member companies can advertise to consumers that they have pledged to uphold the Privacy Principles when designing and implementing vehicle technologies, giving consumers greater confidence that their privacy will be protected. This can provide additional motivation for non-member companies to adhere to the Privacy Principles as well, or risk alienating potential customers, creating a privacy-centric race-to-the-top. The industry or trade association that sets the standards—in this case, the Auto Alliance or other automotive industry organizations—should also ensure that it holds member companies accountable when the standards are breached or otherwise not adhered to. Additionally, those members that do agree to the Auto Alliance’s Privacy Principles are subject to the Federal Trade Commission Act,22 which prohibits “unfair and deceptive trade practices,” if the Privacy Principles are not upheld.

Further accountability may lie in increased legislation and enforcement. The GAO Vehicle Data Privacy Report found that there is no one agency with clearly defined roles and responsibilities for regulating vehicle data privacy. Rather, the FTC and the U.S. Department of Transportation’s (DOT) National Highway Traffic Safety Administration (NHTSA) have coordinated on privacy issues involving connected vehicles, with the FTC having authority to protect consumer privacy and the NHTSA having broad authority over the safety of passenger vehicles.23 Further delineation of roles and responsibilities for protecting and enforcing connected vehicle privacy would provide consumers and connected vehicle stakeholders with greater clarity regarding the Federal Government’s oversight powers.

Additionally, there are currently several bills in Congress that seek to increase privacy protections associated with personal information that connected vehicles collect.24 Enacting such laws and establishing proper enforcement mechanisms within the Executive Branch agencies will further ensure that connected vehicle stakeholders are accountable for protecting consumers’ privacy.

20 Accountability: Participating members commit to taking reasonable steps to ensure that they and other entities that receive covered information adhere to the Principles.

21 “Internet Based Advertising Accountability Program (IBA).” Council of Better Business Bureaus, Inc. https://bbbprograms.org/programs/iba/. Accessed May 21, 2019. “2020 NAI Code of Conduct.” Network Advertising Initiative. https://www.networkadvertising.org/sites/default/files/nai_code2020.pdf. Accessed May 21, 2019.

22 Federal Trade Commission Act, 15 USC § 45.

23 Government Accountability Office. July 2017. Vehicle Data Privacy, Industry and Federal Efforts Under Way, but NHTSA Needs to Define Its Role. Available at: https://www.gao.gov/assets/690/686284.pdf.

24 United States Congress, House of Representatives. Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution Act (SELF-DRIVE Act). 115th Cong. H.R. 3388. Available at https://www.congress.gov/115/bills/hr3388/BILLS-115hr3388rfs.pdf. United States Congress, Senate. American Vision for Safer Transportation through Advancement of Revolutionary Technologies Act (AV START Act). 115th Cong. S. 1885. Available at https://www.congress.gov/115/bills/s1885/BILLS-115s1885rs.pdf.


Conclusion

In conclusion, we recommend that connected vehicle stakeholders take a comprehensive look at their current implementation of privacy protections and expand their efforts to ensure broad reach across the following areas:

Transparency: Design effective Privacy Policies/Notices to communicate to consumers how their personal information is being collected, used, and shared.

Choice: Obtain consent from consumers prior to the collection, use, and sharing of their personal information.

Respect for Context: Limit the use and sharing of personal information to only those reasons that consumers would reasonably expect: for purposes benefitting the driver and passengers. Communicate specific reasons for collecting, using, and sharing information before personal information is collected through Privacy Policies/Notices.

Data Minimization, De-Identification, and Retention: Develop a clear definition of what constitutes “legitimate business purposes” and then only collect, use, and retain information for those purposes. Ensure that only the minimum amount of personal information necessary to achieve those purposes is collected from consumers, and retain personal information for the minimum amount of time necessary.

Data Security and Integrity and Access: Ensure personal information is secure and protected from manipulation. Collect personal information directly from consumers and allow consumers the ability to securely access, update, and correct their personal information.

Accountability: Develop mechanisms to ensure that connected vehicle stakeholders are held accountable for protecting consumer privacy. This may include industry self-regulation, delineation of federal agency roles and responsibilities, and legislation.


TRANSPARENCY

CHOICE

RESPECT FOR CONTEXT

DATA MINIMIZATION, DE-IDENTIFICATION, AND RETENTION

DATA SECURITY, INTEGRITY, AND ACCESS

ACCOUNTABILITY


BOOZALLEN.COM © 2019 Booz Allen Hamilton Inc. | C.05.050.19

About Booz Allen

For more than 100 years, business, government, and military leaders have turned to Booz Allen Hamilton to solve their most complex problems. They trust us to bring together the right minds: those who devote themselves to the challenge at hand, who speak with relentless candor, and who act with courage and character. They expect original solutions where there are no roadmaps. They rely on us because they know that—together—we will find the answers and change the world. To learn more, visit BoozAllen.com.

For more information, please contact:

Liz Tribelli Senior Associate [email protected]

Dianna Carr Lead Associate [email protected]

Lindsay Madejski Lead Associate [email protected]

Christina Lauderdale Associate [email protected]