Massachusetts Is Trying To Protect Data Privacy In Cars

The modern world runs on data — collecting it, selling it, buying it, there’s a whole economy to tracking and measuring every little thing you do. Carmakers, of course, want in on those sweet data dollars. That’s why your car always knows where you are, and why Kia and Nissan want to know who, when, where, why, and how you like to bang. But now, there’s a force that’s trying to stand up for the car-owning, data-creating little guy: The state of Massachusetts.

Massachusetts has introduced two bills — one in the state House and one in the Senate — that aim to limit what data companies can collect on you. The bills are both called the Massachusetts Data Privacy Protection Act, and they’re a massive step forward in consumer protection — though not a perfect one.

PrivacySOS, a blog dedicated to data privacy in the era of the Patriot Act, dug into the Massachusetts bills and found plenty of benefits. The bills force companies to limit the data they ingest, store that data securely, and purge it when it’s no longer relevant to keep, and they ensure that this is all only done with the explicit consent of the user — no more implied consent based on using an app, platform, or even a car’s infotainment.

But the wording of the bills themselves isn’t as strong as it could be. Under Section 2 of the bills, titled Duty of Loyalty, lawmakers have attempted to rein in corporate data collection. Their wording, however, leaves some loopholes wide enough to drive a Nissan through. Here’s an excerpt:

A covered entity may not collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate to carry out one of the following purposes:—

provide or maintain a specific product or service requested by the individual to whom the data pertains;

initiate, manage, complete a transaction, or fulfill an order for specific products or services requested by an individual, including any associated routine administrative, operational, and account-servicing activity such as billing, shipping, delivery, storage, and accounting;

authenticate users of a product or service;

fulfill a product or service warranty;

The list of exemptions goes on from there, but “provide or maintain a specific product or service requested by the individual” is already a broad one. So long as a company can tie its data collection back to a specific service that you signed up for — say, your free trial of connected services in your infotainment — there doesn’t seem to be much this bill can do to stop it. The warranty section, too, seems ripe for abuse. After all, how can you know a warranty claim is valid unless you collect exacting data to be sure the product was used as intended?

The Massachusetts Data Privacy Protection Act is a good step towards securing your data, but it’s just that — a step. Further legislation, more strict rules, will always be needed. Still, the right-to-repair state continues to lead the way for legislation that protects individuals from the whims of car companies. More states should get on board.