The new privacy rules will impact your store


When a vehicle is a total loss or a customer requests an inspection before selling or buying a used vehicle, do you remember to always ask if they need help clearing their personal information?

If yes, is it a not-included courtesy operation? A wave of regulatory changes in Canada, along with some recent and less recent precedents now in place, is about to change all that. This will bring new challenges but also new revenue opportunities for the automotive service industry.


You’ve probably heard the phrase “cars are smartphones on wheels”. That’s an understatement. People’s home addresses, garage door codes, previous destinations, phone numbers and contacts immediately come to mind, but it goes much deeper than that.

Modern vehicles capture terabytes of data each year from two sources. First, the detailed time- and geo-stamped event logs collected by an ever-increasing number of installed sensors (OEM or aftermarket) such as GPS, internal and external cameras, gyroscopes, accelerometers, radars, weight sensors, microphones, etc.

Second, data downloads and logs created from the devices that drivers and passengers (including minors) connect to the vehicle. For example, did you know that when you connect your smartphone to a vehicle via Bluetooth to make a hands-free call, or plug it into the USB port to charge your phone, listen to your music or use Apple CarPlay or Android Auto, this vehicle will automatically in the background — and often without warning (except for the occasional “Do you want to download your contacts?” pop-up on the infotainment screen) — start downloading a lot of information?

At each connection, contrary to popular belief, the car sucks up an unencrypted mini clone of the smartphone. Just as you wouldn’t unlock your cell phone and hand it to a stranger, leaving personal information (PI) in cars isn’t just a bad idea and an accident waiting to happen, it’s increasingly against Canadian privacy regulations.



Canada has a deep love affair with privacy. The Personal Information Protection and Electronic Documents Act (PIPEDA) and other similar provincial laws have been around for 20 years.

These laws have always required that companies know what personal information is in their physical or electronic possession and that “personal information that is no longer necessary to fulfill the identified purposes must be destroyed, erased or made anonymous. Organizations should develop guidelines and implement procedures to govern the destruction of personal information.” (See Principle 5 – Limitation of Use, Disclosure and Retention.)

Additionally, it clarifies that “care should be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.” (Section 4.7.5.)

The Office of the Privacy Commissioner of Canada has occasionally enforced this provision and set important precedents as to who (spoiler alert: not the consumer) is responsible for deleting stored PI.

Most famously, a decade ago, Staples Business Depot was caught by a whistleblower reselling returned electronics without properly removing consumers’ personal information. The Privacy Commissioner ruled this a flagrant violation. When Staples accepted the return of laptops, portable players and other electronic devices, the Commissioner argued, it became the new owner and assumed liability, but negligently resold those devices with its customers’ PI still stored. Staples was heavily fined and subjected for years to costly and intrusive government oversight over its data sanitization practices.

The parallel with vehicles is disturbing: all vehicles equipped with Bluetooth or navigation are “hard drives on wheels”, and studies by Privacy4Cars show that more than four out of five vehicles are resold while still storing the PI of previous occupants.

Why for years the problem of data left in cars went unaddressed is a mystery (or, if you’re cynical, the result of big lobbying, consumer misinformation and a lack of teeth in regulations).


All of that is about to change. A growing number of recent studies and government inquiries have specifically focused on the privacy issues posed by cars.

Geolocation data has been the subject of particular attention. You may have heard of the recent Tim Hortons app scandal and investigation. But have you stopped to think that most vehicles on the road are picking up information in the exact same detail? On September 22, Quebec Bill 64 went into effect, bringing administrative fines of up to $10 million or 2% of the company’s worldwide revenue for violations (leaving PI behind being one).

The passage of this bill and the appointment in August of a new Privacy Commissioner will likely prompt other provinces to take similar action or pass a vote on Bill C-27, which would set even higher standards and enforcement across the country.

For the first time in Canada, we are talking about Spielberg’s Jaws-level teeth for privacy rules. And yes, you will need a bigger boat!


Impact on the secondary market

The first implication for the automotive service industry in Canada is an urgent warning to step up privacy practices, including always disclosing to commercial and retail customers that vehicles contain personal information and always offering to help remove this personal information if the vehicle is to be sold or given to a third party.

This is wise risk mitigation for your business, not only against possible legal action but also against reputational damage now that the issue of PI in cars is out in the open, and more particularly for service lanes thanks to the right-to-repair debate.

The second implication for automotive repairers and adjusters is that there is an opportunity with your corporate customers to offer PI removal as a service. Businesses will need a legally compliant way to remove personal information from cars, i.e. one that is robust, verifiable and accepted as a “reasonable security” standard.

Although none of the three estimating systems today has a labor time for data removal, that doesn’t mean they shouldn’t: it takes work to perform and document properly. Your insurance company customers (for total losses) and the fleets and dealers you serve (for other cases) have an obligation to protect consumers’ personal information.

Your store should no longer treat data deletion as a mere courtesy, but as a standard and valuable service that your business customers need to be in good standing with Canadian laws.

Andrea Amico is CEO/Founder of Privacy4Cars in Kennesaw, Georgia, and can be reached at [email protected]. He co-chairs the Education and Compliance Committee of the International Automotive Remarketers Alliance, where he leads the compliance initiative with a focus on privacy and data security.

Alejandro L. Myatt