Previously, I discussed the compliance hurdles that will come with the California Consumer Privacy Act. This final blog of the series addresses data privacy challenges and highlights a few future laws that will be enacted soon.
In order to overcome these data privacy challenges, you can implement automated data scanning/discovery and correction tools, or data cataloging tools, to better understand all of the locations where personally identifiable information (PII) is located.
Another aspect to consider is whether or not your company should use some sort of device graph. A device graph is essentially an identity management system that maps/ links multiple devices to an individual. Consumers typically own several devices, and those same devices are often shared between multiple users, such as family members. With this in mind, the use and importance of a device graph have significantly increased for many companies, including automotive.
CCPA laws will certainly cause device graph users to rethink and re-work their collection setup. Omitting data across one of the user’s devices may not be enough if they are also using a second or even third device. If they request to opt-out, you will need to ensure that you are omitting the data being collected from all devices that the consumer uses. This is where the implementation of a customer master data management system comes into play. It can enable the deletion of personal data, via a master record, from all devices and sources, all at once. In this case, a device graph may help meet that goal, but it may still require some changes during setup.
One question that remains is, what data do automotive OEMs have to delete versus what data might be considered “essential to the operation of a vehicle?” Some examples revolve around autonomous driving, navigation records, vehicle diagnostics, and service reminders, to name a few. This remains an important open question given the amount of telemetry data that can now be collected from a vehicle, for the most part, without the customer’s knowledge or permission.
CCPA isn’t the first data privacy law, and it won’t be the last
As mentioned, similar data privacy laws have already been introduced in the EU. In 2020, expect to see other states and countries adopt this idea, in some cases, with small differences. Brazil will be implementing its new data protection law, Lei Geral de Proteção de Dados (LGPD), and Thailand will implement its Personal Data Protection Act (PDPA), both in 2020. Automotive OEMs, along with their technology partners and agencies, will need to fully understand the differences to ensure they are correctly complying in each region of the world.
Compliance is a massive undertaking, but working with an experienced partner can help you comply with current laws and prepare for what’s to come.