With an ever-increasing quantity of personal data being hosted in or connected to the cloud, and online attacks becoming increasingly sophisticated, the storage, processing, transmission and deletion of customers' personal data have become a significant financial risk. Europe's GDPR has highlighted the potential severity of non-compliance, with fines of up to €20 million or 4% of annual global turnover for data protection breaches.
Consumer concerns are also growing. With the comparative ease of accessing significant quantities of digital data, leaks from large tech companies are becoming more common. The largest breach of 2018, government ID database ‘Aadhaar’, exposed the personal data of 1.1 billion Indian citizens.
Regardless of the reason behind a breach, the outcomes can be devastating: a loss of customer trust and consequently customers, severely negative publicity, significant fines over and above the cost of fixing the breach, and a costly (and potentially long-term) recovery. These changes have led to a shift in consumer expectations: there is now a growing movement for consumers to have ownership of (and access to) their data, alongside expectations of complete transparency relating to all of their data held by any organization.
Since 2018, Europe has been covered by GDPR as an umbrella law, harmonizing the data privacy laws within each country. Among the changes are increased territorial scope, increased penalties and stronger conditions for consent. To be fully compliant with GDPR, OEMs must ensure that they have robust data privacy policies in place, obtain consent from customers for use of their data, and consider the anonymization of data to ensure compliance.
Japan's Act on Personal Information Protection is updated every three years, the last update being in 2017. It bears similarities to GDPR, but is currently less stringent in terms of the provision of personal data to third parties and, particularly, the severity of penalties. The next update will be in 2020 and is expected to encompass enhancement of individual rights, mandatory reporting of data breaches of a certain level and stricter penalties. Data privacy legislation does not have a significant impact on data monetization, as anonymized data satisfies current OEM usage.
The U.S. currently has no overarching federal law regulating the acquisition, storage or usage of personal data. Instead, the U.S. Federal Trade Commission’s “Fair Information Practices” acts as guidance alongside a number of industry-specific laws, but in general, the consumer’s right to privacy is limited. The American Data Dissemination Act and the Data Care Act have been proposed at federal level to grant greater rights to consumers; however, progress through Congress has been slow. Many states have drafted their own privacy bills, although most are only at an introductory or committee stage. New and proposed legislation will have some impact if passed: automakers will be obliged to inform users about the personal data being collected, how it will be used, which third parties it will be shared with and, on request, what data is held on them.
“The lure of additional revenue may lead OEMs to make costly mistakes,” says Jack Palmer, Senior Specialist at SBD Automotive. “To avoid this, there are several key priorities for OEMs to safely navigate privacy concerns, such as obtaining consent to collect data, ensuring secure handling of data, communicating clearly and transparently with customers, and obeying privacy laws at a global level.”
SBD Automotive recently released the report, “Data Monetization – Strategies for the Connected Car” in which the topic of data privacy is covered in detail. Readers can understand how the implications of data privacy legislation around the world will impact their data utilization and monetization strategies. The report also offers insight into the strategies of OEMs and data services platforms in their bid to develop new revenue streams from the application of vehicle data.