Car rental firms told: Tell your customers about in-car data slurps

Car rental companies should offer customers explicit information on what happens to data that has been sucked up by connected cars, a civil rights group has said.

In a report published today, Privacy International criticised car rental firms for “relying on the small print in terms and conditions” when it came to dealing with data amassed by in-car entertainment systems.

These infotainment systems sync up to mobile devices via Bluetooth, and store a range of data such as location logs, as well as information from on-board systems for web browsing, making phone calls or streaming music. For connected cars, this information could make its way back to the manufacturer.

This has implications for consumer privacy, PI argued, as the data could be personal, and associated with an identifiable individual. As an example, it pointed to a case where a man in the US tracked down the kids who took his Jeep for a joyride via the info they’d left in his infotainment system.

The firms contacted by PI - Enterprise, and its two subsidiaries Alamo and National; Thrifty; and Sixt - said it was the drivers' responsibility to wipe their data from the systems.

Although some said they would update their privacy policies as part of prep for the General Data Protection Regulation, PI criticised them for a lack of transparency.

It said that if the rental firms were putting the onus on customers, they needed to be more upfront.

“Rental companies and car-share schemes must provide clear and explicit information to customers in relation to what data is retained on the infotainment systems and how to delete it,” the report said.

“They must be given details as to how to do this effectively and informed what data may remain on the car despite a factory reset.”

Enterprise also suggested in its response that the car manufacturer - not Enterprise - is the data controller.

However, Nissan - the maker of the car PI rented from Enterprise as part of the work - countered that, as the vehicle in question wasn’t a connected car, it couldn’t access or control the data if it didn’t have the vehicle. If the car was returned to Nissan, the firm said it would do a full factory reset.

Nissan added that the assertion that manufacturer is the data controller “is a quote from Enterprise only and not a fact”.

This apparent buck-passing is not surprising, as it isn’t clear-cut which party would be the data controller, but PI said that the lack of agreement over who is the data controller was “concerning”.

In recommendations to manufacturers, it said they should “provide the equivalent of a delete button enabling customers to quickly and easily remove their personal data from infotainment systems”.

The report also urged the Information Commissioner’s Office to issue “clear guidance” to rental firms over their obligations to rental customers. ®