Just a few weeks after California Attorney General Bonta announced an investigative sweep through inquiry letters sent to California employers, today the California Privacy Protection Agency (CPPA) announced a California Consumer Privacy Act (CCPA) review of data privacy practices by connected vehicle manufacturers and related technologies, focusing on embedded features including “location sharing, web-based entertainment, smartphone integration, and cameras,” because “vehicles often automatically gather consumers’ locations, personal preferences, and details about their daily lives.”
In 2020, California voters approved Proposition 24, the California Privacy Rights Act, which created the CPPA as an independent data protection authority to implement and enforce the CCPA. The CPPA and the California Attorney General both have powers to enforce the CCPA. The Attorney General can bring civil enforcement actions in court. The CPPA can bring administrative enforcement actions.
Our Top 5 Recommendations are:
- Implement / update contracts with service providers, affiliates and other parties to whom the company discloses personal information about drivers, riders and others, to avoid triggering or violating opt-out rights of such individuals (and implement an opt-out program if required);
- Update the company’s data subject request program as necessary;
- Revisit data deletion and retention policies given broad access rights for consumers and associated compliance costs and risks; and
- Prepare assessments concerning the use of “sensitive personal information” such as a consumer’s precise geolocation to support reliance on exceptions or offer opt-out rights to consumers.
Please see our California Privacy Law blog and resource page here.