In a landmark ruling, a federal judge has refused to reinstate a class action lawsuit against four automakers—Honda, Toyota, Volkswagen, and General Motors—accused of violating Washington State's privacy laws by recording and intercepting customers' private text messages and mobile phone call logs through their vehicles' on-board infotainment systems.
The lawsuit, filed in 2020, alleged that the automakers' practice of collecting and storing this sensitive data without customers' knowledge or consent constituted a violation of the Washington Privacy Act (WPA). The WPA prohibits the interception of private communications without a warrant or other legal justification.
The automakers argued that their practice was necessary to provide certain features and services, such as hands-free calling and texting, and that customers had consented to the data collection by agreeing to the terms of service when they purchased their vehicles.
In his ruling, the judge sided with the automakers, finding that the plaintiffs had failed to show that the interception of their private communications had caused them any actual harm. The judge also noted that the automakers' practice of collecting and storing customer data was not unique to the automotive industry and was common practice among other technology companies.
This ruling has significant implications for the privacy of vehicle owners, as it suggests that automakers may have the right to collect and store a wide range of personal data without explicit consent. This could raise concerns about the potential for this data to be used for purposes other than those originally disclosed to customers, such as targeted advertising or surveillance.
We asked cybersecurity vendor experts for their thoughts, and here's what they had to say:
Claude Mandy, Chief Evangelist, Data Security, at Symmetry Systems:
"The dismissal of the class action lawsuit under the Washington state's privacy laws highlights some of the nuances between privacy laws across the various U.S. states specific to a private right of action that allows class actions. The class action was filed against the Washington state privacy laws because it allows private right of action by individuals for broader violations of privacy, unlike the CCPA in California which restricts this private right of action to data breaches. It is important to note that the class action lawsuit does not preclude fines and penalties being leveraged directly against the law makers by the regulators themselves, so we could yet see further on this story."
Callie Guenther, Senior Manager, Cyber Threat Research, at Critical Start:
"The ruling suggests a gap between existing privacy laws and the realities of digital data collection and highlights the complex balance courts must strike between protecting consumer privacy and adapting to technological advancements. The decision is particularly notable for setting a precedent that could influence future privacy cases involving vehicle infotainment systems and other smart technologies.
For the auto manufacturers involved, this is a significant victory. It implies that their current practices, at least under the specifics of Washington state law, don't constitute an illegal invasion of privacy. This could potentially influence their strategies in handling customer data and dealing with similar lawsuits in other jurisdictions.
For consumers and privacy advocates, however, this decision might be a cause for concern. It raises questions about the extent of privacy one can expect in the context of connected vehicles. As vehicles become more integrated with digital technologies, the boundary between user privacy and data utility becomes increasingly blurred. This case could prompt a call for clearer regulations or legislative updates to address these emerging challenges.
Overall, this ruling underscores the ongoing tension between technological innovation, consumer privacy rights, and existing legal frameworks."
The ruling could also have broader implications for the interpretation of data privacy laws in the digital age, as it suggests that courts may be more willing to uphold data collection practices that are deemed to be necessary for the provision of goods or services, even if they involve the interception of private communications.
As the use of technology in vehicles continues to grow, it is crucial that there are clear and enforceable privacy laws in place to protect the rights of vehicle owners. This ruling highlights the need for further legal and regulatory scrutiny of data collection practices in the automotive industry.
~~~
SecureWorld News received this review of the case from Rebecca Herold, CEO of The Privacy Professor consultancy and the Privacy & Security Brainiacs SaaS service. Herold is data privacy thought leader and a frequent speaker and contributor to SecureWorld events and news.
"There are many issues related to this decision, and so many points to discuss. I'll narrow my scope and focus on just three of what are dozens of key privacy and security points.
1. Based on the issued judgment, it seems that the only factor considered, since it was the only issue given to justify dismissing the case, was that there was no harm proven/injury to a 'person' proven, which is necessary for the Washington Privacy Act.
As a footnote in the judgment on page 3 indicates, 'Because the lack of an injury resolves this case, we need not address the district court's alternative holding that the WPA does not extend liability to manufacturing.' So, it seems that even if there was harm, the automakers could not be held liable under the WPA? I'm not a lawyer, but perhaps the WPA wasn't the best law to use for this class action lawsuit because of those two issues. Was that the only eligible law to use, with no others, including consideration of federal laws and regulations?
2. Let's consider now a claim made by the automakers, that recording and intercepting customers' private text messages and mobile phone call logs were necessary to provide features and services such as hands-free calling and texting.
Really? Did they really architect and engineer the technology within the cars so that hands-free calling wouldn't work unless the automakers could record and intercept all the customers' calls and texting? And then store and share all that data? From a system engineer's view, such capabilities could be engineered to work without requiring all the car user's calls and texts to be recorded, logged, shared, etc. However, if engineers were told to architect the cars to require such recording of all calls and texting to allow the capabilities to work, this could be technically implemented. Which would then be a way to justify recording all drivers' and passengers' calls and texts… which would then be used for other purposes beyond automobile functionality.
3. How many people read all the different terms of use and related legal documents when purchasing a vehicle? Why are automakers and dealers allowed to bury within their many different legal terms of use—and with these auto dealers, there are many different ones—that they have included a huge number of statements that are basically telling consumers they are agreeing, by purchasing the vehicles, to allow all their audio, video, digital, etc., data to be used by the manufacturers, to be collected, analyzed, shared, sold, and used in other ways? Would this have possibly been an unfair and deceptive business practice under Section 5 of the FTC Act?
I spent a couple of hours wading through pages and pages of the wide range of terms for the automakers and still didn't get through a majority of them. Why aren't automakers, and other manufacturers of data collection products, required to instead make this information available up front, in succinct, easy-to-understand messaging, before consumers have unknowingly agreed to a catalog of ways in which their personal data will and could be used? Perhaps because if consumers clearly knew and understood all the ways in which their personal data would be collected, used, and shared, many wouldn't continue with the purchase?
Ultimately, I see this ruling as possibly being the impetus for privacy groups to call upon lawmakers to update current regulations and laws, and change the basically same way they've been being constructed over the past decade. They need to expand them, to eliminate the ways in which a large portion of privacy laws and regulations currently allow for personal data to be wholesale collected, used, and shared in ways that do not violate how the current laws/regulations are written, while at the same time allowing manufacturers to engineer products in ways that compel consumers to share their personal data in order to make the products work, and to hide dozens of implied privacy consents within many different types of terms of use statements that it is unlikely most consumers will even know about. And for those who do have questions about them and concerns, for which retailers will brush aside their apprehensions with the typical, 'Oh, that's just a lot of legalese that we have to include, and no one pays attention to them anyway' statement. I was given this 'assurance' earlier this year by a retailer.
Note: I discussed how to get a new privacy law passed in my recent podcast episode with Tom Kemp, 'Need More Privacy? Write the Privacy Law We All Need! Maybe some readers will be inspired to pursue expanding existing privacy laws and regulations to require manufacturers and retailers to be more transparent about the collection and sharing of consumer data by their products, such as these types of automobiles."
