The Data Diva E283 - Merry Marwig and Debbie Reynolds

Show Notes

Merry Marwig, Vice President, Global Communications & Advocacy, Privacy4Cars
In this episode, Debbie Reynolds, the Data Diva, speaks with Merry Marwig, Vice President, Global Communications & Advocacy at Privacy4Cars, about privacy risks in connected vehicles and the expanding automotive data ecosystem.
Merry explains that modern vehicles function as sophisticated data platforms that continuously collect and transmit data on drivers, passengers, and vehicle activity. The conversation explores the types of data collected, including location data, behavioral data, infotainment usage, diagnostic data, and other signals generated through connected systems, as well as how that data is shared across manufacturers, dealerships, service providers, insurers, and third-party technology providers.

Debbie and Merry discuss the complexity of data flows within the automotive ecosystem, including the roles of controllers, processors, and third parties, and how these relationships create challenges for transparency, accountability, and consent. The discussion highlights how individuals often lack visibility into how their data is used and shared across multiple entities.
The conversation also includes a discussion of Debbie Reynolds, the Data Diva’s work on the Internet of Things Advisory Board report with the U.S. Department of Commerce, and how that work highlighted many of the same issues now seen in connected vehicles, including data sharing across ecosystems, lack of transparency, and challenges with governance and accountability in multi-party environments.

Debbie and Merry examine consumer awareness gaps, including the fact that most individuals do not fully understand the extent of data collection in vehicles or how their information is used. They also discuss what happens to personal data when a vehicle is sold, transferred, or serviced, and the importance of tools and processes that allow individuals to manage, delete, or control their data across the vehicle lifecycle.

The episode also covers regulatory developments impacting automotive privacy, the role of advocacy organizations in improving industry practices, and the importance of clear communication between companies and consumers. The discussion emphasizes the need for organizations to integrate privacy into product design and governance processes while balancing innovation and responsible data use.

By popular demand, Debbie Reynolds Consulting is now offering executive briefings on emerging data privacy risks and how companies can avoid them. To learn more, visit the Executive briefings page on my website.

Support the show

Become an insider, join Data Diva Confidential for data strategy and data privacy insights delivered to your inbox.

 💡 Receive expert briefings, practical guidance, and exclusive resources designed for leaders shaping the future of data and AI.

 👉 Join here: http://bit.ly/3Jb8S5p

Debbie Reynolds Consulting, LLC

Transcript

[00:00] Debbie Reynolds: The personal views expressed by our podcast guests are their own and are not legal advice or official statements by their organizations.

[00:11] Hello, my name is Debbie Reynolds. They call me the Data Diva. This is the Data Diva Talks Privacy podcast, where we discuss data privacy issues with industry leaders around the world with information that businesses need to know.

[00:25] Now,

[00:26] I have a very special guest on the show, Merry Marwig. She is the vice President of global communications and advocacy for Privacy for cars. Welcome.

[00:37] Merry Marwig: So glad to be here. Debbie. Thanks for having me on your show.

[00:41] Debbie Reynolds: Well, I feel like you're not the typical guest that we have on the show for a couple reasons. So you're a Chicagoan just like me. We've known each other for many years.

[00:52] Even before you were privacy, we were working for cars.

[00:55] You've always been, like, a really strong advocate for privacy,

[00:59] and you've been an incredible support system to me and other people. So I feel like you're like a great cheerleader for all of us. We feel like privacy is almost like a battle that you fight inch by inch, and I think you really, really help motivate us to take those steps forward.

[01:17] So thank you for that. I really appreciate it.

[01:19] Merry Marwig: Well, thank you, Debbie. I find it so fun, and I've loved seeing your career flourish over the last. I think I met you in 2019,

[01:28] so seven years. So it's an honor to be on your show today, and I can't wait to talk with you about car privacy specifically.

[01:36] Debbie Reynolds: Oh, my gosh. Where do we start with cars?

[01:39] So Andrea Amico has been on the show.

[01:43] Many years ago, him and I collaborated on.

[01:47] I was one of 16Americans chosen for IoT advisory board with the U.S. department of Commerce. Did that for two years.

[01:54] And as soon as I got that appointment, Andrea was the first person to call me. He's like, whatever you need, just let me know. And then so I had to try to figure out my way around how to do everything in the advisory board.

[02:06] It's kind of like Survivor, but at, like, the government level. Oh, gosh.

[02:11] So once I navigated that.

[02:13] Merry Marwig: Yeah, once I navigated that job.

[02:16] Debbie Reynolds: Oh, thank you. Thank you. Once we navigated that, we were able to do some proposals, but we'll talk about that a little bit later.

[02:23] Merry Marwig: And I want to give you a shout out because that document is just a game changer, and I really recommend anybody listening to your show read that. And so Debbie did an incredible job.

[02:32] And in fact, we'll talk about some of the recommendations she and the team discuss in that report.

[02:37] Debbie Reynolds: Oh, thank you.

[02:39] When the report came Out. You were one of the first persons that pinged me about it. You're like, oh, my God, this is incredible.

[02:45] So thank you. I really appreciate it.

[02:48] Merry Marwig: You bet.

[02:48] Debbie Reynolds: Aw.

[02:50] So,

[02:51] cars.

[02:52] So before we lead into this, I'll tell you how I got involved in cars and why this is, like, a big deal.

[03:00] So when I was on the IoT advisory board, my group was supposed to look at privacy in all sectors. All tech, all sectors, all everything. Right.

[03:11] And as we got more into looking at this from all these different angles,

[03:17] it became very evident to us the cars are very different than a lot of the other Internet of Things devices or products, and that it needed special attention.

[03:32] But I want you to tell the story. So why are cars different?

[03:37] Merry Marwig: That's a great question, Debbie. And, you know, I'll start off by saying that the average American has 22 Internet of Things, so IoT devices in their home. And when we think about IoTs, we think about smartphones, laptops, tablets, fitness trackers, smart TVs,

[03:56] smart speakers, smart thermostats, smart doorbells, smart lighting, robot vacuums, baby monitors, smart pet feeders, stuff like that.

[04:05] But one of the biggest IoTs that touches a lot of people's lives are, to your point, cars.

[04:12] And something that's different about a car versus all of those other types of IoTs I just mentioned is the expected lifespan.

[04:20] So, I mean, how often are you holding onto your smartphone? 2 to 3, 4 years, depending.

[04:26] Smart thermostats. How often are you changing those fitness trackers? I mean, people get new ones every single year, but your car has a much longer lifespan.

[04:36] So the average age of a car on the road right now is 12.6 years old.

[04:44] So a car that came into being in 2013,

[04:48] and I was trying to contextualize 2013 because sometimes I lose track of time, but that's an era where BlackBerry phones still existed, folks. So it's a long time ago.

[04:57] And unlike phones or laptops or other smart devices, cars routinely change hands during that lifespan. Right? So cars last a long time. They're usually resold, traded in. You rent cars, you maybe have a fleet car at your company,

[05:15] and those devices get traded or used by a lot of people.

[05:19] And so one thing I wanted to mention about how this is different is when you would get, like, a refurbished IoT device. So let's say you get, like, a refurbished phone or a refurbished laptop.

[05:32] Debbie, how many times have you gotten a refurbished device and it had the prior owner's personal data still on it, like a phone that had someone else's contacts still on it or their browser search history or search photos of their dog or their last parking spot so they could navigate back in the parking garage,

[05:50] wherever they were. When was the last time that happened to you?

[05:54] Debbie Reynolds: Oh, always. Always. They don't know how to sanitize those items.

[05:59] Merry Marwig: Basically I wanted to say that like in like a phone, like when you get a refurbished phone, like it's brand

[06:04] Debbie Reynolds: new to you, right?

[06:06] Merry Marwig: Like so retailers do have like those types of policies where they would wipe the data. Like a laptop, like you would never get reissue.

[06:13] So Debbie, I've got a question.

[06:15] If you've ever purchased a refurbished smartphone or a refurbished laptop,

[06:20] has that come to you like new? So like you didn't see the prior phone users contacts or all of their photos that they took before they turned in that refurbished device, Right?

[06:32] It's new to you, right?

[06:34] Debbie Reynolds: Exactly.

[06:34] Merry Marwig: So in in common other IoT devices, they have policies to wipe personal data before they resell it. This is actually duper common.

[06:46] 20 years ago NIST888 came out, which is the guidelines for media sanitization. Again 20 years old, where it gives direction on how to delete those, delete personal data off devices and sanitize it before it's put back on the market.

[07:02] But the crazy reality is that's not common practice for cars.

[07:08] So when you go to go buy a pre owned car,

[07:12] we've done studies at private supercars that show four out of five cars, used cars for sale today. So refurbished cars still have the prior driver or passenger's personal data on that.

[07:26] And usually when I tell people about that, they're like, oh yeah, I was in a rental car recently and I have like 20 people's, you know, iPhones still attached to the car.

[07:35] And I think it's just like unfortunately a very common experience.

[07:40] And so that's kind of what I wanted to talk about today, Debbie, is when we think about cars, especially as privacy pros,

[07:47] a lot of times we jump to like the latest technological advance. We live in an era, there's a lot of new technologies coming out for cars, but we've forgotten about some of the basics like process based privacy.

[08:01] So not the latest and greatest attack, like what are you doing to protect people's personal data or over the life cycle of that vehicle. And it doesn't just apply to consumers, Debbie.

[08:12] So just regular driving around. This also applies to corporate used cars, so fleet cars.

[08:17] So anyway, that's what I really wanted to kind of focus on today, the data sanitization issue. The cars locally and then I know we were going to talk a little bit later about what kinds of data.

[08:27] Right. So we could get into that too, especially your report.

[08:31] Debbie Reynolds: Yes, yes,

[08:33] I'll make a point. And then I have something I want to ask you.

[08:36] I tell people all the time, okay. I've been working with digital systems almost as long as they've existed. Okay. So don't let my hair fool you, okay? I dye my hair furiously.

[08:48] But data systems are made to remember data, not to forget it.

[08:53] So companies that have products or tools, they have to take another step.

[09:00] There is a step that has to happen at some point where the data that was on the device or in a tool,

[09:07] especially around privacy regulations or even customer expectations, needs to be removed, especially for things that will be repurposed and reused in some way.

[09:18] So, yeah, that was kind of my

[09:20] Merry Marwig: comment 100%, and I'm going to underline that too. It's about the life cycle of the device. So we started off talking about IOT's. Yes, IOTs and cars, same thing,

[09:29] lifecycle. What are you doing when you onboard with that system?

[09:33] I'd argue you need data disclosures. And what are you doing when you off board with that system? To your point,

[09:39] how are you managing the data on the car? So I'd really love to have more of a focus on that. And in addition to the types of technological advances we're seeing in cars today, let's focus on process now.

[09:52] Debbie Reynolds: Let's talk about this,

[09:53] the types of data. So this is the part of the discussion that really gets people's attention because they have no idea at all.

[10:03] Types of data that cars collect, for sure.

[10:05] Merry Marwig: And I would say that the types of data that car collect, manufacturers use sell share, third parties collect sell share,

[10:15] is truly staggering. Debbie,

[10:17] I want to give you a shout out. You created this awesome infographic and I hope you share it with the listeners of this podcast. I've shared that with people. And you can can literally wash people's jaw drop when they see this because it's truly staggering.

[10:30] So what kind of data are we talking about?

[10:33] Well, vehicle telemetry. So you've probably heard in a number of news articles, like harsh braking habits or fast acceleration are things that your car is tracking. Precise geolocation.

[10:47] We found actually in a FTC order that a manufacturer was tracking precise geolocation down to 4.5 inches of precision, which is pretty wild to me.

[10:59] Other things that kind of raise people's eyebrows are biometrics. So the weight sensors in your seats,

[11:05] usually that's used to help optimize the airport or airbag deployment.

[11:11] But you know what else is happening to that data?

[11:14] Then we've got connected phone data.

[11:16] So if you use Bluetooth, USB sync, you don't use Apple CarPlay,

[11:21] what have you, the car can suck in the your contact list, your calendar, appointments,

[11:27] your search content, all sorts of things can be taken to the car. Then you've got user accounts. But I would also say the wildest stuff on this infographic is things like citizenship data,

[11:41] sexual activity data, ethnicity, behavioral characteristics,

[11:46] psychological characteristics of like maybe how smart you are. Like what does that have to do with operating a car?

[11:55] And so that's a question I often ask myself. Like okay, some of this I get like biometric weight sensors. Yeah, I want my airbag to deploy properly for me. But what on earth is happening with my exercise data or my citizenship data?

[12:09] Like why is that happening? And I think there's a true lack of understanding. Debbie.

[12:15] A lot of consumers and employees of companies that drive fleets really have no idea that that level of data is being collected their car. And again getting back to that vehicle life cycle, they don't have visibility of what is or is not happening to that data to protect it when they are done using the car.

[12:36] Debbie Reynolds: One thing also that people don't understand,

[12:39] actually I knew someone higher up in a big car company who shall remain nameless. People think, okay, so your car is like a computer on wheels, right? So it collects data there.

[12:52] But what people don't know is that that data can be transmitted and often is transmitted outside the car. And so this person told me,

[13:01] she was like, guess how long it takes to transmit some of this data out the car? And she's like three seconds.

[13:07] Like so every three seconds data about you out of your car is being transmitted out of the car.

[13:13] Merry Marwig: Right. And then what happens to it? That's why I'm a huge advocate for bringing transparency to that because I would argue most people are unaware. I read a stat somewh I can't remember it off the top of my head.

[13:26] But some somebody did a study about rental car users awareness of data practices and it was like something super high. Maybe 87% didn't understand about the data sharing practices. And that's what we've seen some of these enforcers deal with lately too is okay, so maybe you do have an awareness of these data practices.

[13:49] But what if you don't want a company selling or sharing your information with third part,

[13:55] like data brokers? What can you do?

[13:58] So in California there have been two enforcements about making that process easy to understand.

[14:03] But yeah, there's a lot of work to be done in the transparency all around the life cycle of the car itself and then your privacy choices related to it.

[14:14] Debbie Reynolds: I've been watching for years the legislation as different states have tried to pass different things around cars. Like in, I think in New Jersey they have something about car sanitization. I think in Illinois they,

[14:28] because a lot of people,

[14:30] for example, let's say your car was totaled in a accident or something,

[14:34] when it goes to the junkyard, someone can snatch the data out of the car and they're being using that for identity theft. And so these are all things that people don't think about.

[14:43] Like literally your car has enough information in it that people can get a loan,

[14:49] they can get a house.

[14:50] I mean some of these cars they have like if you have a loan on the car, it has your loan information in there.

[14:57] I mean it's just incredible the amount of data that's in these cars.

[15:02] Merry Marwig: Absolutely. And I will mention there's really two potential threat vectors there. There's the data stored locally on the car, like it's a hard drive.

[15:11] So you need someone with physical access to the car to delete that. Again, at the end of life cycle, whether you choose to trade in the car or whatever, in an unfortunate situation, your car gets totaled.

[15:21] You want to make sure your insurance company that now owns that the asset of a total car is deleting the personal data off the vehicle. But don't forget about that data sharing that we just talked about, where the car is sending information to a manufacturer or a third party who's then doing something with it.

[15:40] One thing I did want to mention was what happens with that data.

[15:45] So a lot of times we hear people say like, how is that data being monetized? Right.

[15:51] Well, we know like from some of these settlements that usage based insurance is kind of a big part of that where insurance companies will buy this data. So like how harsh you break what time you start driving, what time you end end driving.

[16:07] How fast were you driving on average? Did you have any sort of near collisions or what have you?

[16:13] One of the stories that totally blows my mind, it was there was this guy who got a new car and all of a sudden his insurance just skyrocketed. And he was like, what is going on?

[16:25] I'm driving the same as I always have.

[16:27] And he got access to a data broker report that showed every single day he had a near collision event. And he thought what? That's not true.

[16:38] And he Realized every day when he would pull up in his driveway,

[16:43] his cat would come out of the house and run up to the car to greet him. And the car was registering that closeness of the cat as a near collision every single day.

[16:53] And that was the basis of jacking up his rates.

[16:57] So on something like that,

[16:58] I really love to see some changes about accuracy in some of the data that's being sold and shared and like, what is actually happening.

[17:07] Something else we often see two is like targeted advertising based on your location, like showing you ads based on where you are, where, what direction you're traveling, time of day.

[17:19] And we also see some companies that have started like marketplaces where they can buy this sort of data from manufacturers and sell it to like repair shops or fleet operators who might want to sell you services.

[17:32] But one other thing I really wanted to mention to your listeners today, Debbie, is we think about monetization of what companies are doing with that data. But I also want to flip that concept on its head and think about the monetization of how you are paying.

[17:46] So when you buy a car today,

[17:49] you're paying real money, like, I don't know, $50,000 for a decently tricked out car today.

[17:56] But you're also paying with the data because you're not getting some sort of benefit from companies having that.

[18:03] So that is something that I think people are really unaware of and they should have their choices more transparently shown to them in the car buying process.

[18:13] What's going to happen to that data? What can they say no to? Can they turn it off? Can they buy a car that doesn't have these types of practices so that they are more informed and can make the best choice for them?

[18:24] So money and data.

[18:28] Debbie Reynolds: Absolutely. Yeah. Monetization is going to be a big deal in the future because once companies figure out that people don't want their data captured that way, they're going to have to incentivize,

[18:43] create some incentive for the person to do it. I'm like, if you sell my car data, like, why isn't my car free?

[18:50] Merry Marwig: Good question.

[18:51] Debbie Reynolds: Why am I paying $50,000? And then you're selling other stuff. You know what I mean? So.

[18:56] Merry Marwig: Yeah, exactly. And I don't want to get too deep on this, but I've heard people talk about like, the tax implications of that data.

[19:04] I'm like, who?

[19:06] This is starting to get to become a very thorny problem. So there's a lot to think about. But I do think telling consumers and users of corporate cars what is happening is a very Much needed business practice.

[19:18] So I'm going to underline that. Let's be transparent about what the data collection,

[19:24] use, selling and sharing practices really are.

[19:27] And actually you had something about that in the report that you wrote.

[19:32] Do you want to tell us about that?

[19:34] The Monroney label?

[19:36] Debbie Reynolds: Well, I'll try to give a very brief backstory of this. So I think the report has about 130 some recommendations for different sectors. Andrea and I, we were kind of brainstorming and he was like, well,

[19:52] why can't we propose that we put privacy information on car labels? The car sale label to Maroney sticker.

[20:00] And so I said, okay, this is really great. And so I kind of worked my magic to try to get it a proposal and stuff like this.

[20:06] So out of all the recommendations in the report,

[20:10] this was the only one that the lobbyists came after. They did not want this in the report. Okay. So I had to go no half measures. I had to go all the way.

[20:20] I'm sure you've probably seen this report, it's like over 100 pages.

[20:25] And I had to present it to the board. It's on a federal record. I have a video of it if anybody wants to see it.

[20:31] But basically we were like this. To me, the Moroni label has always been a consumer consent or consumer canvas to let people know what's happening with their cars.

[20:43] And eventually basically we had to get people to vote and eventually they voted unanimously to keep to put this recommendation into the report. And thankfully,

[20:53] you know, a lot of the, oh, this is something funny that happened the day before.

[20:58] So I had my feelers out to different agencies. So like the GEO knew about this, the FTC knew about it, the New York Times knew about it, all the stuff that was happening.

[21:08] And like the day before the report came out, the FTC issued that,

[21:12] that post saying that location data is sensitive data.

[21:16] And so I was like, boom. That's like the nail that we needed in that report to really drive the point home.

[21:23] So yeah, I was really, really happy with what happened. A lot of system. I think that was like the most reported recommendation in the report.

[21:31] Like a lot of reporters picked it up. A lot of like researchers have reached out to me about the report. So it's been pretty good.

[21:38] Merry Marwig: I love that aspect of the report. And again folks listening, you got to read this thing. I think it's on page like 96 or 95 that you've got those recommendations. But can you imagine from a consumer experience, Debbie, if what you recommended of putting privacy information,

[21:54] the new or Used car window sticker.

[21:58] So when you go to buy a car today,

[22:00] you could see stuff like safety ratings, fuel efficiency, and again, because personal data is now something that you are paying with when you buy modern connected cars today, you should be informed of that.

[22:15] I think the report said it could have like high level information and then a QR code to the full privacy notice. I think that's a great way to enable consumers to make choices based on that.

[22:26] Because I cannot tell you how many times people reach out to me saying I don't want the data sharing. What car should I buy? Like, you know what, go talk to your car dealership, your manufacturers and demand that they sell a car like the ones that you want.

[22:41] So I do think when consumers have that awareness, they're going to be able to make the better choices for them. So I would love to see that become a reality.

[22:49] And if I may, Debbie, just throw in a pitch. If you want to understand your car's data practices right now,

[22:58] what types of data the car may collect,

[23:02] what manufacturers or third parties may be doing with it, if they're selling or sharing it,

[23:07] go to vehicle privacyreport.com it's again, vehicle privacyreport.com you just place your vehicle identification number so the VIN number in there and it will pull up a VIN specific report for you where you can see, does the car collect identifiers, does it collect biometrics, is that shared or sold to data brokers,

[23:27] is it shared or sold with governments, all sorts of things. And then what actions you have,

[23:33] what actions you can take, what rights you may have based on the state that you live in. So I highly recommend you check that out.

[23:40] It's could be a preview of what something like, what what Debbie recommended could look like.

[23:46] And why is something like that important? I when I was thinking about preparing for this talk today, Debbie, again, transparency is something I really love to see. And right now,

[23:56] when you try to understand your car's privacy practices or data practices,

[24:01] it's like an overwhelming amount of information that you have to sift through to get an understanding of that.

[24:09] So like for example, one car that I looked at,

[24:12] the report, the vehicle privacy report, there were 12 different documents,

[24:18] individual documents that you had to read in order to understand what was going on with your car. So that's like the main privacy policy, the main terms of service,

[24:27] the vehicle owner's privacy policy, the vehicle owner's terms of service, the connected service telematics privacy policy,

[24:33] the connected services telematics terms of service,

[24:36] third party provider, main privacy Policy, the third party provider main terms of service,

[24:42] another third party provider main privacy policy, their terms of service, another one's privacy policy, main terms of service. I mean it goes on and on and on.

[24:50] So in this example that I looked at,

[24:52] it would take you five and a half hours to read that if you were an average reader and in some cases you needed to have an 18th grade reading level to understand that.

[25:06] So postgraduate level. So it's thick legalese.

[25:11] Most of us don't have 18th grade level of education nor the time to really understand this. So are we being as transparent as we can? Is there a way to simplify this?

[25:22] And I really love what you suggested with the Monroney labels and the used car labels and I would love to see that actually come into fruition.

[25:31] Debbie Reynolds: Thank you so much. One thing that bothers me,

[25:35] we talked a little bit about this.

[25:38] Your example that you gave about the guy who said that he had near collision because his cat was running in front of the car. It's like the data that is being collected by the car does not have context,

[25:51] right? But there are decisions being made about people that wouldn't make any sense if they had that context. And that's to me that's a huge problem. What's your thought?

[26:04] Merry Marwig: I also agree, which is why I really love to see some different types of protections put in place for people. If we're going to live in this sort of data broker ecosystem ecosystem where we have the usage based insurance and stuff like that, how can we get visibility over what's going on?

[26:20] Why do you have to find out when your rates get jacked up?

[26:25] Why don't we tell people before they purchase whatever product, whether it's the car or the insurance, what's going to happen? I think a lot of people are not truly understanding the data collection practices of the car ecosystem and most people would probably say no if they truly understood it to your point.

[26:44] So yeah, I guess to anybody listening, if you live in California, know that there's that new data,

[26:50] the delete request, opt out platform, drop D R O P, it stands for something. I think it's delete request and opt out platform. So use that if you can and then go ahead and get your reports as well and see if the data is accurate.

[27:05] But again my view is that this should be transparent in the first place and I'd personally rather see this as an opt in type of thing instead of an opt out because again we've seen opting out has its own challenges as well.

[27:19] Debbie Reynolds: I want to talk A little bit about emerging regulations, policy developments that we're seeing around cars for sure.

[27:28] Merry Marwig: So something I wanted to say here is cars are often thought of as exempted, but they are not.

[27:36] Existing privacy laws, existing security laws apply to cars. They've just been overlooked in practice. This, okay,

[27:45] a great example is in GDPR in Europe.

[27:49] So GDPR does not have a special carve out for cars. And we've seen problems with this, especially in the data deletion context. Again like thinking of a car as a hard drive and not properly deleting someone's personal data between users.

[28:05] So under gdpr, if you don't have a lawful basis to process data, you gotta get rid of it. But we don't really see that happening at scale yet in Europe.

[28:13] And in fact I was reviewing some rental cars contracts over there and in some of these contracts the, the rental companies wrote that the renter is responsible for deleting their own personal data off a car, which they're their the data subject.

[28:30] So you cannot make a data subject responsible for their own data deletion. But in addition to the contract saying that you're supposed to delete your own data, it also said if you find someone else's personal data, the prior renters, you've got to delete that too or let somebody know.

[28:45] I was like, what?

[28:46] This is bonkers. So the good news, Debbie, so this is about emerging regulations and policy developments. The good news is two regulators in Europe, so one in uk, the ICO,

[28:58] and the second one,

[29:00] the Data Protection Authority in Estonia just recently came out and saying like, hey folks, guess what? The GDPR applies to cars. You have to delete personal data off of the car if you don't have a legal processing basis.

[29:13] And what, what basis would you have?

[29:16] So hopefully we start to see some uptick in Europe on that regard. At the top of this show, you did mention a couple US state based laws, so I'll just highlight those.

[29:26] In Illinois in 2024 they passed a repossession agency law where if a car is repossessed they have to delete the prior user's personal data off the car before it leaves a lot.

[29:39] So again like wiping the hard drive before that car gets, gets resold,

[29:44] recycled, refurbished, whatever is back on the market.

[29:47] Another one I'd like to mention is New Jersey In 2024 they passed a law requiring car dealerships to offer to consumers to delete the data off the car if that car is meant for resale.

[30:00] And they also have a similar bill.

[30:03] So not a law yet for rental cars.

[30:06] And then Utah amended their Utah Consumer Privacy act to explicitly call out motor vehicle manufacturers. So again cars are not exempted. Let's make this ultra clear though to make sure that it's happening well for consumers.

[30:22] So in that bill they're going to require some new privacy controls for new motor vehicles inside the car itself.

[30:30] And then one of the last ones I wanted to mention was California's notice act collection regulation.

[30:37] So they have car specific example where they talk about rental cars and what sort of disclosures you should be giving. So not only the rental cars privacy disclosures but also the manufacturers or anyone else who's collecting data from you.

[30:53] So I'd like to see more California companies lean into the notice act collection because again transparency here. But yeah, so those are laws or regulations that are on the books.

[31:02] But if you're open to it,

[31:04] I would really love to talk about what I'd like to see happen that may not be out yet but inspiring any listeners.

[31:11] Debbie Reynolds: Oh yes please.

[31:13] Merry Marwig: So again I would really love so listeners if you have any power, whether it's consumer or your job, whatever. Again,

[31:20] pre purchase personal data disclosure should be the standard. If you're looking for inspiration, look at Debbie's Monroney label or used car label example in that IoT report that we've been referencing.

[31:32] I would love to see those privacy notices, those data practices be readable to an average reader in a standardized format.

[31:40] Because again, I mean requiring someone to have an 18th grade education level to understand what the heck is going on with their data collection in a car context is not reasonable.

[31:52] It's too long,

[31:54] it's too complex and there are too many different documented too much for an average consumer to make an informed choice, especially in a quick context like a rental car situation.

[32:05] I would love to see mandatory data deletion laws when the cars change hands. I mean like we said earlier,

[32:12] phone refurbishers delete data off phones before they resell them. Laptop refurbishers delete the prior user's data before they resell them. We need to see that in cars and then for total vehicles.

[32:25] You mentioned earlier about insurance companies.

[32:28] For sure if your car is not going to be resold because it's smooshed,

[32:33] it could be recycled though still so little parts of your car might be sent around for scrap. If the infotainment system or the navigation system is part of that,

[32:43] that should be wiped before it's ever resold as a recycled part.

[32:48] So talk to your insurance company,

[32:50] put in an event driven data request.

[32:54] I'M going to underline that in an event driven. So tell your insurance company in advance, if this thing happens,

[33:00] I would like you to delete my data. I don't want my personal data ending up on some online marketplace in an infotainment system that used to be part of my car.

[33:09] We haven't really talked about opt out laws yet, but this one is pretty wild. So right now we have a lot of universal opt out mechanisms that are for browser based user experiences.

[33:22] But like I said at the top of this call,

[33:25] the average American family has 22 IoT devices that connect to the Internet outside of a browser.

[33:34] So how are we going to do our universal opt out mechanism signals on those types of things,

[33:40] including a car.

[33:41] So I would love to see states, especially regulators, figure out how can we use that sort of OOM universal opt out mechanism for those types of experiences.

[33:53] We have developed one at Privacy for Cars. It's called opt out code. You can learn more about it@optoutcode.com it's super simple.

[34:02] Any sort of device, an IoT device, including a car that you can rename, you can use this opt out mechanism. So basically you just put a prefix on the name of your device called zero dollar sign s which stands for zero data sales.

[34:19] It's kind of a cute prefix, but what companies can do is when they read a device name, if it comes with that prefix, they're going to know, oh, this person has opted out.

[34:27] They don't want us to sell or share their data.

[34:29] So it's a super simple way to achieve that and would love to see that out in the marketplace and then in other laws. We talked about data broker transparency and accountability.

[34:41] So again, if you've got data that's not contextual or even incorrect, or think about this use case, Debbie. You sell a car,

[34:49] you no longer have it, but the account is still in your name. And then the next driver is driving with a lead foot and taking harsh turns and accelerating fast.

[34:59] And is that data getting appended to your score?

[35:03] Right. So how are we going to manage things like that?

[35:06] And then I also would love to see not only these types of privacy protections in place for consumers, but also employees who use fleet cars. So that would be my wish list.

[35:19] I know it's kind of big, but hopefully that inspired some of your listeners to think outside the box of what's currently available in terms of laws, regulations, and think about what else we could be doing to protect people in their cars.

[35:31] Debbie Reynolds: One more I want to mention probably one of my most favorite ones about cars in the states is the California law regarding in car cameras,

[35:44] basically saying people don't know that there are cars have in car cameras.

[35:50] That's the first thing actually I saw. Andrea has sent me a video of someone who was in a car and he had the app, he connected the app to the car and he was able to see the actual person in the car driving from connecting.

[36:10] So like the cameras in the mirrors, the cameras in the car, people, I think from movies, they think all cameras have like a red light on it and stuff like that.

[36:18] And that's just not the case.

[36:20] And oh, it's so funny. So an executive from a car manufacturer who shall not be named told me, oh yeah, but people know that there are car cameras in their car.

[36:30] I'm like, that's a lie.

[36:33] People don't know that. They do not know that. So that bringing transparency to that type of thing I think is really important.

[36:40] What do you think?

[36:42] Merry Marwig: 100%. Let's be transparent about what's actually happening and let consumers decide.

[36:47] I'll also mention with the cameras and remote capabilities of cars today, unfortunately, we get a lot of,

[36:53] of real world examples from people who have been harmed through the connected,

[36:59] the connected car apps, the remote apps. So for example,

[37:03] people have contacted us and told us they've been stalked using the connected car apps because they're. It's very easy to just connect to someone's car if they don't take ownership of their connected access.

[37:13] Pretty much anybody could claim ownership. And look at you, look where you're driving,

[37:18] what time you got to, wherever you're at, what time you left, like all sorts of wild stuff. But we also see people using it to harass people.

[37:27] So like for example, in a domestic abuse situation,

[37:31] someone's partner was honking the horn at like 4:29 in the morning and unlocking the car so that this person had to go out there and secure the vehicle.

[37:42] We've also seen people jack up the temperature so it's like overheating in the car,

[37:49] creating a safety issue, all sorts of stuff. And it's not just people who are in some sort of of domestic abuse situation. We're also seeing that with professionals like repo agents.

[37:59] So when a car gets repossessed,

[38:02] if the prior car user still has remote access to the car, they can follow the repo agent around.

[38:10] And we've heard stories where former owners show up at like gas stations and try to take the cars back or worse, where they've if taken to violence to take the cars back.

[38:22] It's very unsettling. So, yeah, that's a huge risk factor.

[38:27] We barely touched the surface on that. So you might have to have us back on your show to go deep in that one, Debbie.

[38:33] Debbie Reynolds: Yeah, yeah, that's definitely a deep one. But, Merry, if it were the world according to you and we did everything that you said, what would be your wish for privacy for cars or anything else in the world, whether that be regulation,

[38:46] human behavior or technology?

[38:49] Merry Marwig: I'm going to just say transparency again, because I think most people are reasonable and they would say, you know what? I do or do not want that. Let people make their choice.

[38:57] Right. But give them the correct information to make an informed choice. So transparency, transparency, transparency. I think that's the easiest lift. It's something we can get done right away.

[39:08] Let's just bring to light the data practices through proper, easy to understand disclosures across the entire life cycle of that vehicle. That's what I'd wish for.

[39:20] Debbie Reynolds: Yeah. Well, I share that wish with you and I feel like transparency shouldn't be as hard as it is, but it is somehow. But we'll get there for sure.

[39:29] Well, thanks so much for being on the show. This is amazing. And I really love and support all your work, not only with privacy of cars, but your community building and how much you really support everybody.

[39:42] And so. So you're a bright shining star in the privacy universe. So thank you so much.

[39:48] Merry Marwig: Thank you so much for having me on, Debbie. This was such a delight. And to everyone listening, thank you for tuning in as well. And if you want to connect with me, please find me on LinkedIn.

[39:57] I'm the only merry marwig M e R R y marwig that you're ever gonna find. So if you come across my page, that's me.

[40:04] Debbie Reynolds: Very good, Very good. Well, we'll talk soon. Talk to you later.

[40:07] Merry Marwig: All right. Thank you. Thanks, Debbie.

[40:09] Debbie Reynolds: Okay, bye. Bye.