Paul Keller, Jeewon Serrato and Sue Ross from law firm Norton Rose Fulbright discuss the potential implications of the California Consumer Privacy Act for AV developers and self-driving taxi services
AVs use many technologies inside the vehicle that collect biometric data to improve the travel experience. These technologies include fingerprint readers, facial scanners, iris scans, voice recognition, and gesture recognition.
Organizations that collect or process such information will have a duty under privacy and data protection laws globally to keep that data private and secure. In the USA, in addition to biometric-specific state laws, such as the Illinois Biometric Information Privacy Act, California has recently passed a comprehensive privacy law. The California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, will regulate how biometrics are collected and handled. Given how other states are considering CCPA-like laws, the impact of these new laws and regulations should be closely examined.
Expanded definitions of personal information and sale
Under the CCPA, the definition of ‘personal information’ includes biometric information, audio, electronic, visual, thermal, or olfactory information, geolocation data, and even inferences drawn from other personal data to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, and abilities.
Biometric information under CCPA includes, but is not limited to: imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
CCPA has separate sets of requirements for organizations that ‘collect’ personal information and those that ‘sell’. The definition of a ‘sale’ of data under CCPA, however, is much more expansive than is traditionally understood. A sale under CCPA includes: selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means a consumer’s personal information to a third party for monetary or other valuable consideration.
CCPA requires that companies enable California residents to opt out of the sale of personal information by providing a “clear and conspicuous link on the business’s Internet home page, titled ‘Do Not Sell My Personal Information’”. If an AV manufacturer collected the personal information, it may now be required to alert its third-party partners or service providers that the consumer has opted out of the sale of the consumer’s personal information.
Opt-in requirement for minors
CCPA has special requirements for minors, requiring opt-in consent for those aged 13 to 16, and requiring parental consent for minors under 13, if the business has “actual knowledge” that the personal information that is being ‘sold’ is of a minor. If AV manufacturers have “actual knowledge” that minors could be passengers, they will need to consider how to obtain the required consent before they ‘sell’ the personal information to third parties.
Notice requirement for resale
The CCPA prohibits businesses that ‘bought’ personal information from reselling the information unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out. For example, if the consumer riding in an AV downloads a third-party app and the app had collected certain personal information directly from the consumer but also combined it with other data, then before it shares the information it has collected with any third parties (e.g. the AV manufacturer), the app must provide explicit notice of the data transfer to the consumer and offer the consumer an opportunity to opt out.
Enforcement and litigation
The CCPA will be enforced by the California Attorney General. A violation can result in fines up to US$2,500 for each violation or US$7,500 for each intentional violation. There is no maximum cap.
A private right of action is available if personal information is subject to “an unauthorized access and exfiltration, theft or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information”. Consumers must show that one of the following data elements was included in the breach: (a) name in combination with either the social security number, driver’s license number or other California identification card number, financial account number with password, medical information or health insurance information; or (b) a username or email address in combination with a password or security question and answer that would permit access to an online account. There is no ‘actual harm’ requirement. Consumers can seek damages between US$100 and US$750 per consumer per incident or actual damages, whichever is greater.
For any organization collecting or processing personal information, such as biometrics, a privacy risk assessment is needed to analyze the impact of new and emerging laws such as the CCPA.
About the authors:
Paul Keller is a partner in Norton Rose Fulbright’s New York office; Jeewon Serrato is the global law firm’s US head of data protection, privacy and cybersecurity; and Sue Ross is a senior counsel, also based in New York.