My Car Made Me Do It: Tales from a Telematics Trial

by Patrick Law Group, LLC
Contact

Recently, my automobile insurance company gauged my interest in saving up to 20% on insurance premiums.  The catch?  For three months, I would be required to install a plug-in monitor that collected extensive metadata—average speeds and distances, routes routinely traveled, seat belt usage and other types of data.  But to what end?  Was the purpose of the monitor to learn more about my driving practices and to encourage better driving habits?  To share my data with advertisers wishing to serve up a buy-one, get-one free coupon for paper towels from my favorite grocery store (just as I pass by it) on my touchscreen dashboard?  Or to build a “risk profile” that could be sold to parties (AirBnB, banks, other insurance companies) who may have a vested interest in learning more about my propensity for making good decisions?  The answer could be, “all of the above.”

Wireless technology integrated into vehicles is nothing new—indeed, diagnostic systems, cellular connections and in-dash navigation have been the norm for years.  However, the breadth of data collection and manner in which data is monetized are evolving quickly.  Telematics actually are very akin to a social media platform in terms of the sheer volumes of data collected and the purposes for which data can (and could) be used.  To be sure, many use cases stand to benefit drivers—predicting oil changes and locating the nearest gas stations--for example.  Future functionality may even detect texting while driving or sleeping drivers. 

Opportunities abound, and at least one company’s early success is proof of the sheer potential of telematics data mining.  In the past three years, Otonomo has carved out a niche for itself by brokering sales of mined telematic data to parties such as insurance companies and general retail businesses.  Otonomo’s technology efficiently packages telematics data into a user-friendly, anonymized platform that takes into account worldwide regulations governing telematics. 

Not surprisingly, several automobile manufacturers predict the sale of automobile analytics as a key profit center in coming years.  What is surprising, however, are the lack of legal “rules of the road” that exist today in the United States.  While laws do clarify that an automobile’s event data recorders are owned by the automobile owner (and provide that these “black boxes” may be obtained only by court order), other laws governing telematics are few and far between.  A driver’s consent often occurs upon registration of embedded GPS platforms or other navigation tools, but according to Government Accounting Office research, these types of notices often are lacking in terms of explaining how data is used and whether it is shared.  The Federal Trade Commission maintains jurisdiction over consumer data and related privacy issues, but there are not yet rules specific to telematic data collected by the automobile industry.

Much like the credit card industries’ promulgation of Payment Card Industr Data Security Standard (PCI DSS) rules, the automotive industry, in 2014, responded with its own Privacy Principles for Vehicle Technologies and Services, which include the following:

  • Transparency: a commitment to provide both owners and registered users of vehicles with access to “clear, meaningful notices” as to what data is collected, used and shared.
  • Choice: a commitment to provide owners and registered users with certain choices “regarding the collection, use and sharing” of information.
  • Respect for Context: a commitment to use and share information in a manner consistent with the context in which information was collected.
  • Data Minimization, De-identification, and Retention: a commitment to collect information only as needed for legitimate business purposes, and to retain it no longer than needed for such legitimate business purposes.
  • Data Security: a commitment to implement reasonable measures to protect information against loss and unauthorized access or use.
  • Integrity and Access: a commitment to implement measures to maintain the accuracy of information, along with a means for owners and registered users to correct information.
  • Accountability: a commitment to take reasonable steps to ensure that any parties receiving the information adhere to the principles.

To date, twenty automakers have signed on to the principles, including Honda, Toyota, Nissan, Subaru and Hyundai. 

Congress has also responded to concerns over privacy and security in automobiles.  In early 2017, Representatives Joe Wilson (R-SC, 2nd District) and Ted Lieu (D-CA, 33rd District) introduced the SPY Car Study Act.  The Act does not introduce any new laws or regulations, but does require the National Highway Traffic Safety Administration (NHTSA) to investigate technological threats to automobiles.  More specifically, Congress tasked the NHTSA with identifying:

  • Measures necessary to separate critical software systems that affect a driver’s control of a vehicle from other technology systems;
  • Measures necessary to detect and prevent codes associated with malicious behaviors;
  • Techniques necessary to detect and prevent, discourage or mitigate intrusions into vehicle software systems and other cybersecurity risks in automobiles;
  • Best practices to secure driver data collected by electronic systems; and
  • A timeline for implementation of technology to reflect such best practices.

Otonomo has indicated that the current market for automobile telematics data focuses on user experience and convenience, but, in reality, no future use case is off the table.  And as with many technologies and, in particular, IoT platforms, drivers must weigh the benefits and dangers of use.  The calculus would look something like this:

  • Benefits (current and future):
    • Traffic and navigation services save drivers time and reduce risk of further traffic accidents;
    • Automobile diagnostics can not only remind drivers of to-do’s such as oil changes, but also alert drivers to issues such as dangerous behaviors (texting or sleeping while driving, blood alcohol level); and
    • Automobile insurance discounts may be a “reward” for drivers supplying metadata.
  • Risks:
    • Customer “lock-in”—could data as to driving habits (miles driven, speeds, use of turn signals) keep a customer from changing insurance carriers, if prospective carriers refuse coverage based on a driver’s metrics?
    • Will lenders factor risky driving behaviors into decisions as to whether credit or loans are extended?
    • Will current insurers raise premiums based on activities tracked via collection of metadata?

Indeed, the answer to this calculus may vary across geographies and cultures.  In the United States, there is not an across-the-board approach to privacy and data protection; rather, protections are extended across particular industries (ex: HIPAA for healthcare data).  U.S. citizens have proven more likely to provide the types of information contemplated if they receive some benefit from such sharing.  The European Union, on the other hand, has adopted a stringent, uniform approach to data protection, which is wide-ranging and extends across all industries.  It follows that EU citizens may be more sensitive than other geographies to sharing information.  It is likely that automobile manufacturers will need to take such variations into account when implementing telematics systems.  Regardless of geography, drivers should not only look to the manner in which data is being used today, but also contemplate tomorrow, as the expansion of use case is likely a “not if, but when” scenario.  For this reason, the answer to why a person drives more cautiously may be the same as to why his or her grocery bill mysteriously increased last month: “My car made me do it!”      

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patrick Law Group, LLC | Attorney Advertising

Written by:

Patrick Law Group, LLC
Contact
more
less

Patrick Law Group, LLC on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.