What’s a “Connected Car”? “Connected Cars” are vehicles that use wireless communications to send data from the vehicle to external computers and/or service providers.
What are “telematics”? Vehicle telematics are computer systems that automatically combine a car’s data with global positioning satellite (GPS) tracking and wireless communications technologies to enable a wide range of services and applications that aim to improve safety, security and convenience.
Are telematics already in use? Telematics systems are already used by fleet managers, dealers, automobile insurers, financing companies and law enforcement agencies for monitoring, tracking and immobilizing vehicles remotely. Features available for individual car owners and users include vehicle health monitoring, driving skills assessment, automatic collision assistance, navigation and driving assistance, usage-based insurance, as well as remote monitoring and control functions geared at offering greater convenience.
What’s an “infotainment” system? “Infotainment” systems are the cellular and other wireless communications technologies that turn a car into a mobile communications device and internet hotspot. Infotainment services include hands-free voice and data communications, web browsing, social networking, and audio and video streaming via the car’s built-in interface. Infotainment services also include applications designed specifically for the car, such as traffic, parking and navigation-related applications.
Are all new cars “connected”? Most, if not all, new cars being sold in North America now have some sort of wireless connectivity. Fully Connected Cars are expected to dominate the market in the next few years, with the overall number of vehicles with built-in connectivity expected to increase from 10% of the global market today to 90% by 2020.
What is Usage-Based Insurance (UBI)? Usage-based insurance programs use telematics to track drivers’ behaviours and tailor insurance rates to individual customers. Premiums can be based on where, when and/or how the vehicle is driven, with lower rates or discounts offered to drivers who drive less, only in daylight hours, only on safer routes, and who do not engage in hard braking, fast acceleration or other behaviours that suggest higher-risk driving.
What kind of data do Connected Cars collect? Telematics systems generate vehicle operations, driver behavior, and location data. Infotainment systems generate data from personal communications, such as voice, text, emails, social networking, contacts, schedules, and infotainment preferences. All of this data can be linked with customer identification and account data held by the Connected Car service provider.
Who is interested in this data? The data that cars produce is useful to a wide range of parties including automakers and their business partners; third party insurers, lenders, content and service providers; law enforcement agencies; debt collectors, fraud investigators and litigants.
What is the data collected by Connected Cars used for? The data has a range of possible uses, including safety, monitoring and customer relationship management. The data can also be mined for consumer research using data analytics. Data analytics takes aggregate data about consumers, combining it in ways that reveal things about individuals and that can generate remarkably accurate predictions of their behavior. This allows corporations (or governments) to categorize individual consumers by behavioural profile and target them for marketing or other purposes.
What are the privacy risks? The scope and depth of information that can be culled from Connected Cars goes beyond the data that can be collected from cell phones and mobile devices. Taken together, the data generated by telematics and infotainment systems can be highly revealing of an individual’s personal life, values, interests, habits and preferences. Connected Cars hold the potential for profiling, monitoring and making decisions about individuals. Increasingly, industry players are looking to secondary uses of personal customer data, such as data-mining and market research, as the very basis of their business case for developing more Connected Car services. Yet unnecessarily collecting and storing personal data for secondary purposes entails a range of privacy risks, including vulnerability to security breaches, malicious access and use, and state surveillance.
Is the data collected by Connected Cars subject to privacy legislation? Yes – automakers, insurers and other entities that collect, store, use or disclose personal data for commercial purposes are subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) or its provincial counterpart statutes. Insurers are subject to provincial sector-specific regulation as well.
What obligations does Canadian privacy law impose on Connected Car-related industries? The law imposes obligations with respect to openness, accountability, accuracy, security, individual access, purpose specification, notice, choice, and limiting the collection, use and disclosure of personal data. Organizations can only collect, use or disclose personal information with the consent of the individual, except in certain specific situations. They must not force consumers to agree to unnecessary collection, use or disclosure of their data. The law also prohibits the collection, use or disclosure of personal data for purposes that a reasonable person would consider inappropriate in the circumstances.
Are UBI programs compliant with Canadian privacy legislation? UBI programs in Canada are generally compliant with data protection law because insurance regulators have put privacy protections in place. UBI is currently voluntary but over time it could become the industry standard. Even if the programs remain voluntary, there is a risk that insurers may at some point choose to penalize drivers who do not ‘voluntarily’ choose to participate. If stronger guidelines are not in place, drivers could one day be faced with the difficult choice between obtaining affordable insurance and surrendering their right to privacy. Click here for a table summarizing our report’s privacy analysis.
Are automakers providing Connected Car services compliant with Canadian privacy legislation? Our review of Connected Car terms of service and privacy policies shows that automakers are failing to meet their legal obligations under almost every principle of data protection law. A privacy pledge signed by a large group of major automakers in 2014 is promising but falls far short of Canadian legal standards in numerous respects. Deficiencies include inadequate openness, accountability, individual access, purpose specification, notice, consent, and limits on the unnecessary collection, retention, use and disclosure of personal data. Lack of consumer choice with respect to unnecessary data collection, use or disclosure is a major violation of Canadian privacy law. Click here for a table summarizing our report’s privacy analysis.
What recommendations does the report make? The most effective way to protect data is not to collect or retain it in the first place. Hard limits on the collection of personal data should be the starting point for data protection standards in the industry. With Connected Cars set to take over the global market, now is the time for industry stakeholders, regulatory bodies, government agencies, consumer advocates and experts in the field to come together and develop appropriate data protection standards for the North American automobile industry. Our report recommends:
- Establishing data protection regulations for the Connected Car industry.
- Developing national data protection standards for usage-based insurance.
- Involving privacy experts in the design stage of Intelligent Transportation Systems, including Connected Vehicle research projects.
- Adopting Privacy by Design Principles and Related Tools, including:
  - Establishing a Privacy Management Program
  - Identifying and Avoiding Unintended Uses
  - Being Open and Transparent
  - Respect for User Privacy: Keep it User-Centric
  - Working with device manufacturers, OS / Platform Developers, Network Providers, Application Developers, Data Processors to integrate controls and data minimization techniques
To read the Executive Summary, click here.