On January 19, the Collision Industry Conference (CIC) Data, Access, Privacy, and Security Committee spoke with two attorneys about the importance of establishing end-user license agreements with suppliers and customer disclosures as best practices for stores when it comes to protecting customers. personally identifiable information (PII).
Lawrence H. Pockers, a Philadelphia-based attorney with Duane Morris, said disclosing PII opens stores up to privacy liability.
“Unauthorized disclosure of a customer’s PII, whether intentional or not, does not enter into the analysis here, at least with respect to comprehensive data privacy laws that have adopted to date,” he said. “And most bills pending in legislatures today create significant liability risk for repair shops.”
Some examples of class action lawsuits he gave were Greenley v Avis Budget Group and Mollaei v Otonomo. Plaintiffs in the first case argue that the car rental company failed to adequately protect drivers’ PII that was collected when they paired their devices with rentals. The second case, which was dismissed on January 18, alleged that the data broker had collected and sold PII without the owners’ consent.
In the Otonomo case, “the judge’s rationale was that while there wasn’t really much to decide the case, it was that the case was [about] an integrated component and therefore technically it was not attached to the vehicle and that was the rationale for the decision,” Pockers said.
Customers’ personal information may also be sold without the knowledge of store owners and employees. For example, at the July 2022 CIC meeting, Society of Collision Repair Specialists executive director Aaron Schulenburg said 86% of all quoted collision repair data could be available for sale, including everything from full name, home address, email, mobile number, VIN, and insurance company by a collision industry data aggregation company that provides or sells the data to at least one third party company to resell the information to industry.
Steven Bloch, a Stamford-based lawyer and partner at Silver Golub & Teitell, said the chain of custody of PII should be of utmost importance to stores.
“Understanding the information you share with your industry partners and vendors through your various licensing agreements and other dealings you do with them is of course first and foremost the protection of customer PII and that is actually the concern of traders.
“What are their responsibilities there? What are the rules of the road and how do they conduct their operations when it comes to protecting this PII customer? Stores are the entry point for this data and they are responsible under various developing laws and regulations. …Many laws contain intentional provisions. Many laws do not hold stores to this standard. There are standards of negligence or simply strict liability. Once this information has been breached or improperly disclosed without disclosure, authorization and consent of the customer, there is liability and exposure for the stores.
Disclosures to customers must indicate how the PII will be used and must be tied to a specific purpose, he added. Here are examples of license agreement language:
“We certainly recommend that all stores work with their legal professionals and other consulting analysts to review your current contracts and license agreements to determine what you have provided in terms of authorization to your industry partners and to your suppliers,” said Bloch. .
Bloch and Pockers said stores should compile a list of standard operating procedures and best practices that adhere to state laws and potential federal legislation for what should be included in customer disclosures and notices, guidelines to protect PII and obtain customer consent.
“There is no perfect solution and no way to prevent the use of data transaction along the supply chain when it ends up in the hands of data brokers inappropriately, but you must take all possible protective or preventive measures,” Bloch said. .
Committee co-chair Trent Tinsley added that workshops can also follow the collision industry’s ‘golden rules’ for data protection and sharing, which were drafted by the committee in 2020 and adopted. by CIC in 2021.
Bloch said the two law firms can work with stores to draft documentation about the use of customer data and ensure store owners understand the agreements they have with their business partners.
“We can arm you with the capacity, and potentially negotiate on your behalf, new license agreements or at least addenda or side agreements so that you are better protected with your business partners,” Bloch said.
Proposed data protection laws
The Washington Post reports that at least 15 states have introduced bills to protect consumer data.
According to The Post, Massachusetts, Iowa, Mississippi, Indiana, Oklahoma, Oregon, Tennessee, New York and Kentucky have introduced so-called comprehensive privacy bills that set limits on what data companies can collect and how they can use it.
And lawmakers in five states — Connecticut, Oregon, West Virginia, Virginia and New Jersey — are considering stronger child data protections.
Bills in New York, Mississippi, Maryland, Oregon, New Jersey, Virginia and Washington target protection of subsets of data, including health and biometric information, or seek to impose limits on third-party data brokers.
To date, only five states have passed privacy laws covering a wide range of consumer data: California, Colorado, Connecticut, Utah and Virginia, according to The Post.
Federal legislation could also be on the horizon based on a Wall Street Journal op-ed written by President Joe Biden in which he urged lawmakers to establish “serious federal protections for the privacy of Americans,” including including “clear limits on how companies can collect, use and share highly personal data”, stronger protections for “young people” and limits on targeted advertising.
Featured image credit: YOU ARE/iStock
Duane Morris attorney Lawrence H. Pockers and Silver Golub & Teitell partner Steven Bloch speak during a Collision Industry Conference (CIC) panel on January 19, 2023.
PowerPoint slide provided by CIC