Working with 15 auto makers around the world, Otonomo has developed apps and anonymization tools that give consumers greater control over what information they share with car companies. Recently, the company helped its European customers prepare for and comply with the General Data Protection Regulation (GDPR) in the European Union. GDPR was something of a model for the California law, which attorneys said is the most stringent in the United States.
While the law itself is new, the underlying friction between privacy rights and vehicles has been brewing for a while. Rosner foresaw the headache on the horizon.
A friend had purchased a certified pre-owned vehicle from a local car dealership. She typed "home" into the embedded navigation system and immediately received directions to the home of the car's former owner. A few more clicks, and she accessed a trove of information on the previous owner's location history.
Whether the responsibility for erasing that data lies with the former owner, the dealership or the auto maker remains uncertain. But it's paramount such issues be addressed, said Rosner, who has compiled a "privacy playbook" at Otonomo that guides automakers through issues of data privacy and consumer trust.
"Privacy is a fundamental human right," she said. "Our data is us. In 2020, it should be a human right to control how your data is used."
But at the same time California codifies some rights into law, many auto makers say data access is essential to making some features work. In some extreme cases, data sharing is a requirement to purchase a vehicle. What happens if a consumer declines to divulge his or her data but still wants a car? It's at least plausible that denying the purchase is a CCPA violation.
"The CCPA gives consumers a right to nondiscrimination, meaning that businesses are not permitted to discriminate against consumers who exercise their CCPA rights," said Gail Gottehrer, an attorney who focuses on privacy issues and emerging technology. "An example of a discriminatory action would be denying goods or services to a consumer."
As electrification and driver-assist systems proliferate, the need for data access increases. Driver monitoring cameras that ensure drivers keep their eyes on the road, for example, are becoming a crucial component of these driver-assist systems. But they may involve cars collecting personally identifying information and creating profiles of individual drivers.
More broadly, vehicle data can be used for a greater good. Sharing information among vehicles might prevent crashes. Should individual drivers be permitted to withhold data that could mitigate traffic jams or even save lives?
"I do see driving a car as a life-or-death proposition, and that's something different than privacy on our phones. That wireless connection is capable of notifying you that a car down the road has crashed or slid on black ice," Roger Lanctot, an analyst with global automotive consulting company Strategy Analytics Ltd., said.
"My concern is that we have become so obsessed with privacy that we wall ourselves off from information that might be critical to driving safely."
As the auto industry has seen with emissions standards, California's laws can hold significant influence on setting a standard followed throughout the country. Ms. Gottehrer said companies doing business in California may be covered by CCPA, even if they do not have a physical location in the state.
That means, bottom line, that auto makers and dealerships need to quickly understand how the changing legal landscape affects their use of data, explain to consumers how the companies handle this information and let them know how they can opt out.
"Remember that car companies sell cars to dealers, so fundamentally they're (business-to-business) with the exception of Tesla," Mr. Lanctot said. "So mastering these kind of communications to vehicle owners is clearly a challenge. I'm inclined to cut them some slack, but they're coming to the end of that slack."