NJ, Other Regulators Rev Up Car Privacy Focus, Say Lawyers
“Regulators are increasingly sensitive to consumer privacy in connection with [IoT] devices,” Troutman Pepper lawyers blogged Thursday. They highlighted a New Jersey automotive data deletion law as reflecting a “growing trend in this respect.”
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
On July 28, the New Jersey Division of Consumer Affairs reminded auto dealerships of their obligation under a 2024 law to prevent unauthorized access to consumer data stored in cars. Consumers add their personal data to cars when they link smartphones to cars’ infotainment systems.
The division said it sent letters to more than 3,000 dealerships about the requirement to delete consumers’ personal data when accepting vehicles for resale or lease. Dealerships could face a $500 fine for a first offense and $1,000 fine for subsequent offenses, it said.
“Security experts have warned that syncing your phone to your car can put you at severe risk for a data breach, especially when you surrender a car for resale or at the end of the lease period,” said New Jersey Attorney General Matthew Platkin (D). “New Jersey law requires auto dealerships to take certain actions to address that risk, and we expect them to comply.”
The Troutman lawyers said, “New Jersey’s law is one of the first of its kind, but it will not be the last.” A similar federal bill gained bipartisan support in late 2024, they added. “Several states have proposed similar legislation.” The attorneys advised car manufacturers and dealers to “keep informed of evolving regulatory privacy obligations and engage in privacy by design to ensure efficient and effective compliance.”