The Connected Car: Who’s in the Driver’s Seat FAQs

What’s a “Connected Car”? “Connected Cars” are vehicles that use wireless communications to send data from the vehicle to external computers and/or service providers.

OEM Telematics Architecture

What are “telematics”? Vehicle telematics are computer systems that automatically combine a car’s data with global positioning satellite (GPS) tracking and wireless communications technologies to enable a wide range of services and applications that aim to improve safety, security and convenience.

Are telematics already in use? Telematics systems are already used by fleet managers, dealers, automobile insurers, financing companies and law enforcement agencies for monitoring, tracking and immobilizing vehicles remotely. Features available for individual car owners and users include vehicle health monitoring, driving skills assessment, automatic collision assistance, navigation and driving assistance, usage-based insurance, as well as remote monitoring and control functions geared at offering greater convenience.

What’s an “infotainment” system? “Infotainment” systems are the cellular and other wireless communications technologies that turn a car into a mobile communications device and internet hotspot. Infotainment services include hands-free voice and data communications, web browsing, social networking, and audio and video streaming via the car’s built-in interface. Infotainment services also include applications designed specifically for the car, such as traffic, parking and navigation-related applications.

Are all new cars “connected”? Most, if not all, new cars being sold in North America now have some sort of wireless connectivity. Fully Connected Cars are expected dominate the market in the next few years, with the overall number of vehicles with built-in connectivity expected to increase from 10% of the global market today to 90% by 2020.

What is Usage-Based Insurance (UBI)? Usage-Based insurance programs use telematics to track drivers’ behaviours and tailor insurance rates to individual customers. Premiums can be based on where, when and/or how the vehicle is driven, with lower rates or discounts offered to drivers who drive less, only in daylight hours, only on safer routes, and who do not engage in hard braking, fast acceleration or other behaviours that suggest higher risk driving.

What kind of data do Connected Cars collect? Telematics systems generate vehicle operations, driver behavior, and location data. Infotainment systems generate data from personal communications, such as voice, text, emails, social networking, contacts, schedules, and infotainment preferences. All of this data can be linked with customer identification and account data held by the Connected Car service provider.

Who is interested in this data? The data that cars produce is useful to a wide range of parties including automakers and their business partners; third party insurers, lenders, content and service providers; law enforcement agencies; debt collectors, fraud investigators and litigants.

Who has access to the data? The massive quantities of data generated by Connected Cars flow through a complex network of industry players that can include automakers, insurers, their service providers, aftermarket telematics providers, and third party suppliers and providers of specific products and services. Who can access the data generated by Connected Cars depends on how the technology and systems are designed. Who is allowed to access the data is governed by privacy law as well as the terms of use and privacy policies for each service or application.

What is the data collected by Connected Cars used for? The data has a range of possible uses, including safety, monitoring and customer relationship management. The data can also be mined for consumer research using data analytics. Data analytics takes aggregate data about consumers, combining it in ways that reveal things about individuals and that can generate remarkably accurate predictions of their behavior. This allows corporations (or governments) to categorize individual consumers by behavioural profile and target them for marketing or other purposes.

What are the privacy risks? The scope and depth of information that can be culled from Connected Cars goes beyond the data that can be collected from cell phones and mobile devices. Taken together, data generated from telematics and infotainment systems generate information that can be highly revealing of an individual’s personal life, values, interests, habits and preferences. Connected Cars hold the potential for profiling, monitoring and making decisions about individuals. Increasingly, industry players are looking to secondary uses of personal customer data, such as data-mining and market research, as the very basis of their business case for developing more Connected Car services. Yet unnecessarily collecting and storing personal data for secondary purposes entails a range of privacy risks including vulnerability to security breaches, malicious access and use, and state surveillance.

Is the data collected by Connected Cars subject to privacy legislation? Yes – automakers, insurers and other entities that collect, store, use or disclose personal data for commercial purposes are subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) or its provincial counterpart statutes. Insurers are subject to provincial sector-specific regulation as well.

What obligations does Canadian privacy law impose on Connected Car-related industries? The law imposes obligations with respect to openness, accountability, accuracy, security, individual access, purpose specification, notice, choice, and limiting the collection, use and disclosure of personal data. Organizations can only collect, use or disclose personal information with the consent of the individual, except in certain specific situations. They must not force consumers to agree to unnecessary collection, use or disclosure of their data. The law also prohibits the collection, use or disclosure of personal data for purposes that a reasonable person would consider inappropriate in the circumstances.

Are UBI programs compliant with Canadian privacy legislation? UBI programs in Canada are generally compliant with data protection law because insurance regulators have put privacy protections in place. UBI is currently voluntary but over time it could become the industry standard. Even if the programs remain voluntary, there is a risk that insurers may at some point choose to penalize drivers who do not ‘voluntarily’ choose to participate. If stronger guidelines are not in place, drivers could one day be faced with the difficult choice between obtaining affordable insurance and surrendering their right to privacy. Click here for a table summarizing our report’s privacy analysis.

Are automakers providing Connected Car services compliant with Canadian privacy legislation? Our review of Connected Car terms of service and privacy policies shows that automakers are failing to meet their legal obligations under almost every principle of data protection law. A privacy pledge signed by a large group of major automakers in 2014 is promising but falls far short of Canadian legal standards in numerous respects. Deficiencies include inadequate openness, accountability, individual access, purpose specification, notice, consent, and limits on the unnecessary collection, retention, use and disclosure of personal data. Lack of consumer choice with respect to unnecessary data collection, use or disclosure is a major violation of Canadian privacy law. Click here for a table summarizing our report’s privacy analysis.

What recommendations does the report make? The most effective way to protect data is not to collect or retain it in the first place. Hard limits on the collection of personal data should be the starting point for data protection standards in the industry. With Connected Cars set to take over the global market, now is the time for industry stakeholders, regulatory bodies, government agencies, consumer advocates and experts in the field to come together and develop appropriate data protection standards for the North American automobile industry. Our report recommends:

  1. Establishing data protection regulations for the Connected Car industry.
  2. Developing national data protection standards for usage-based insurance.
  3. Involving privacy experts in the design stage of Intelligent Transportation Systems, including Connected Vehicle research projects.
  4. Adopting Privacy by Design Principles and Related Tools, including:
  • Establishing a Privacy Management Program
  • Identifying and Avoiding Unintended Uses
  • Being Open and Transparent
  • Respect for User Privacy: Keep it User-Centric
  • Working with device manufacturers, OS / Platform Developers, Network Providers, Application Developers, Data Processors to integrate controls and data minimization techniques

To read the Executive Summary, click here.

Read it now! The Connected Car: Who is in the Driver’s Seat? is available for download

 

FULL REPORT | EXECUTIVE SUMMARY | FAQS | PRIVACY ANALYSIS

The BC Freedom of Information and Privacy Association (FIPA) has released a year-long study on privacy, consumer choice and onboard vehicle technology. The Connected Car: Who is in the Driver’s Seat? was written by privacy lawyer Philippa Lawson and generously funded by the Office of the Privacy Commissioner of Canada.

The Connected Car: Who is in the Driver’s Seat? looks at how vehicles have changed from simple means of transportation to computers on wheels able to navigate, diagnose vehicle health, monitor driver behavior, accommodate usage-based insurance programs and provide customized on-board infotainment services.

The same technologies that allow for safer, more convenient and more entertaining cars enable the collection and processing of enormous amounts of data. Much of this data is personal information, and some of it reveals intensely private details of a person’s life. Some data can be used to track and profile customers for marketing and other purposes. The non-essential collection of data for data-mining and market research opens the door to a range of privacy risks that include security breaches, malicious access and state surveillance.

The Connected Car report finds that the usage-based insurance programs now offered in Ontario and Quebec generally comply with Canadian privacy law, but automakers providing Connected Car services are failing to meet their legal obligations. Too often, consumers are given limited choice when it comes to the use and disclosure of their personal data collected by Connected Cars. Click here to see a summary table of our privacy analysis.

FAQs CC
Frequent Asked Questions

Recent polls show that Canadians are concerned about privacy in the context of Connected Cars. A March 2015 poll conducted for the Canadian Automobile Association found that 50% of respondents thought that Connected Car technologies put their privacy at risk while offering little benefit to consumers and only 28% thought benefits outweighed privacy risks. Only 37% of respondents would agree to monitoring in exchange for an insurance discount, while 53% would not. At 74%, most respondents thought car makers should be required to design technology that would mean consumers wouldn’t have to choose between the benefits of technology and protecting privacy.

The good news is that Connected Cars are still at a stage in their development where there’s time to address these privacy challenges. With Connected Cars set to dominate North American markets in the coming years, now is the time to get serious about setting industry standards and putting them in place. FIPA looks forward to working with automakers, technology firms, policy makers, the insurance sector, government and the public is bringing these report recommendations to life:

  1. Establishing data protection regulations for the Connected Car industry.
  2. Developing Canada-wide data protection standards for usage-based insurance.
  3. Involving privacy experts in the design stage of Intelligent Transportation Systems, including Connected Vehicle research projects.
  4. Adopting Privacy by Design Principles and Related Tools, including:
  • Establishing a Privacy Management Program
  • Identifying and Avoiding Unintended Uses
  • Being Open and Transparent
  • Respect for User Privacy: Keep it User-Centric
  • Working with device manufacturers, OS / Platform Developers, Network Providers, Application Developers, Data Processors to integrate controls and data minimization techniques.

There has never been a better time to put privacy protection in your driveway.