Best Practices to Facilitate Compliance with California’s Privacy Laws

By Stephane Khelifi, Sr. Director, Presales and Solutions

The California Privacy Protection Agency (CPPA) announced that it is conducting a comprehensive review of the privacy practices implemented by car makers (OEMs) and vehicle technology companies. The agency’s main concern revolves around collecting and using connected car data by the OEMs, which should be under the California Consumer Privacy Act (CCPA) adopted in 2018.

This development coincides with the agency being granted enforcement powers, marking its first investigation since July 1st. “Modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle,” said CPPA Executive Director Ashkan Soltani.

The California Consumer Privacy Act (CCPA)

The probe is being done under the comprehensive data privacy law, California Consumer Privacy Act (CCPA), which requires major firms to disclose the personal information collected from consumers and what is being done with it.

“California has more than 35 million vehicles registered in the state, and even more sharing our roads. The sheer number of vehicles makes it an area that affects all Californians who drive, rideshare, or even walk near a car equipped with these technologies”, commented Soltani.

The CCPA provides Californians with key privacy rights, including the right to know the personal information collected about them by businesses, the right to delete that information, and the right to stop its sale or sharing.

Best Practices for Privacy Compliance

With this announcement in mind, OEMs should adhere to certain guidelines to facilitate compliance with California’s privacy laws. Here are some best practices for privacy compliance:

Conduct Threat Analysis and Risk Assessments (TARA) during the design phase and adopt a risk management ‘mindset’. Assess privacy risks associated with each data collection feature and connected service to identify potential vulnerabilities early.

Establish a robust cybersecurity management system (CSMS) with automation and regulation workflows capabilities. Integrate privacy protections into the entire product lifecycle, including design, manufacturing, and post-sale software updates.

Minimize the collection of personally identifiable information (PII), such as names, emails, and home addresses. Avoid collecting precise geolocation data unless it is necessary for core functionality. Utilize pseudonymization and data anonymization techniques to remove direct identifiers whenever possible.

Provide clear and prominent notice to consumers regarding the data being collected and how it is used. Differentiate between necessary data collection and optional data gathering. Obtain explicit opt-in consent for sensitive data uses, such as location tracking.

Rigorously test products and services through fuzz testing and dynamic cyber models to uncover vulnerabilities and prioritize your response.

Supercharge Your Growth with Our DevSecOps Platform

C2A Security provides the only mobility-centric DevSecOps platform, designed to optimize your risk management efforts. Our advanced approach to automotive cybersecurity empowers companies to deliver secure products and create new software-based revenue streams while staying compliant and adhering to regulations and standards.

Try it out – schedule a demo today.