Several states have adopted laws to exempt contactless rentals from physically inspecting customers’ driver’s licenses. To use this exemption, the rental company typically must verify that the customer holds a valid driver’s license as part of a membership or master rental agreement. Photo via Geralt/

Various seminars during October’s ICRS Experience highlighted the acceleration of customer-centric, contactless rentals in response to the coronavirus pandemic. As the industry continues to evolve to embrace connected cars and other technology solutions facilitating contactless rentals, operators should be aware of legal “speed bumps” and adjust course to comply with the law.

Last summer, we addressed several legal issues raised by contactless rentals in “Considering Contactless Rentals? Check Your State Laws First.” This article focuses on additional issues, including: (a) alternatives to physical driver’s license inspection; (b) the Americans with Disabilities Act; and (c) privacy.

Physical DL Inspection Alternatives

As previously noted, several states, including California, Colorado, Florida, and Illinois, have adopted laws to exempt contactless rentals from the requirement that rental operators physically inspect customers’ driver’s licenses before renting a vehicle. To take advantage of the exemption, the rental company typically must verify that the customer holds a valid driver’s license as part of a membership or master rental agreement.

In states that have not yet passed similar laws, and even in those that have, operators (and their insurance companies) may wish to investigate additional measures to verify identity or qualify renters who will access and drive their cars without a face-to-face interaction.  

One method to verify identity used in carsharing and other membership-based platforms is to set eligibility criteria in addition to the minimum age and credit/debit card requirements often used by operators. (Minimum age and credit/debit card requirements generally are permitted, with a few special rules in states like Maryland, Michigan, New York, and Pennsylvania.) 

For example, with remote rentals, an operator may choose to establish minimum motor vehicle record standards for customers — even though courts throughout the U.S. have generally held that a rental company has no duty to conduct a background investigation of a renter’s driving record.  

One challenge in establishing driving record requirements is where to draw the line — what should the minimum standard be? In practice this decision may be made by the operator’s insurer. Often the insurance company will define the membership standards for the policy it issues for the members, which helps to separate the operator from the decision setting the eligibility requirements.  

Another, more recent development is to require customers to take and upload a “selfie” via an app that uses facial recognition technology to verify the renter’s identity before the customer can access and use a car. Alternatively, a rental company may install a kiosk or similar device that uses the customer’s biometric identifiers (like an iris or fingerprint scan) to verify identity.

As with any new technology, operators should assess the legal landscape before making significant operational changes and investments. For example, several states, including Colorado, Florida, Illinois, and Maryland have recently passed laws that expressly permit driver’s license inspection by electronic or digital means, which may facilitate the use of new technology. 

Before implementing a process relying on use of facial recognition technology or biometric identifiers, however, a rental operator should determine whether additional measures are necessary to comply with applicable privacy laws, such as the California Consumer Privacy Act discussed below or the Illinois Biometric Information Privacy Act (BIPA).  

The BIPA imposes a number of restrictions on how businesses collect, retain, disclose, and destroy biometric identifiers, including the requirements that a business obtain the informed consent of a customer before collecting or obtaining a customer’s biometric information and develop a publicly available written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and information. 

Arkansas, Louisiana, New York, Oregon, Texas, and Washington also have passed laws protecting biometric information, and several other states are considering similar legislation.  

If operators choose to contract with a third party to operate a verification system using biometric identifiers, they should confirm whether the system gives them the ability to access customer biometric information, as that may trigger the BIPA and other biometric privacy laws — even if the operator does not actually access and use that information.

ADA Challenges

Another feature of contactless rentals is the use of web- or app-based transactions instead of delivering a paper rental agreement to the customer. Before implementing a website or app to facilitate contactless rentals, operators should keep Americans with Disabilities Act (ADA) issues in mind. There have been a host of lawsuits and demands by ADA plaintiffs and the law firms that specialize in their representation essentially claiming that websites and apps might not be completely accessible to the visually impaired or those with auditory or motor disabilities. 

For example, there have been a number of ADA lawsuits which include claims that various websites do not have captions for audio content and are therefore not fully accessible to people with auditory conditions. 

The ADA is a very broad federal statute which contains a number of provisions. Title III of the ADA relates to public accommodations, which are defined as businesses generally open to the general public that fall into one of 12 specific categories.  

The ADA prohibits discriminatory conduct and requires compliance with ADA standards and the implementation of reasonable modifications. In general, a business should take steps to communicate effectively with customers with disabilities.

The ADA does not specifically mention websites, but the ADA language is broad and requires that individuals with disabilities have equal access to participate in and benefit from products and services. Individuals with disabilities use different technologies to access and use websites including screen readers, braille terminals, magnification software, and other processes. 

Note that the Department of Justice has taken the position that Title III of the ADA applies to all publicly accessible websites used by places of public accommodation and those websites must be accessible to individuals with disabilities. There have been some differing views taken by the courts with respect to the application of the ADA in these circumstances. 

The World Wide Web Consortium has established the Web Content Accessibility Guidelines (WCAG). Those guidelines set forth recommended steps to facilitate access to individuals with disabilities. Although compliance with WCAG is not legally mandated, many courts have determined that the WCAG standards must be met to assure compliance under the ADA. As such, a number of companies have elected to hire accessibility experts to assist with website and app compliance consistent with those guidelines.

The main takeaway is that, as remote transactions increase, so will the importance of ADA access considerations. 

Calif. Privacy Updates — 2023 Looms

Privacy is, of course, a major consideration for businesses, especially as the evolution to contactless transactions drives the collection of personal information and data, such as the biometric information discussed above, as well as location and other information collected through the connected car. Privacy laws develop constantly. One example is the recently passed California Privacy Rights Act, which will modify the California Consumer Privacy Act (the CCPA) that was enacted in 2018. Legal developments in California may eventually have an impact on legislation in other states and at the federal level.

In 2018 the California legislature passed the CCPA which imposed significant requirements for identifying, managing, securing, producing, and deleting customer and consumer privacy information.  In brief, the CCPA requires that consumers have the right to know through a privacy policy or notice what personal information is being collected and whether and to whom that information is being sold or disclosed. There needs to be an opportunity to opt out of the sale of that information.  

The CCPA applies to personal information of California residents and applies to businesses that (1) have gross revenues in excess of $25 million, (2) receive personal information of 50,000 or more residents, households, or devices on an annual basis, or (3) derive 50% or more of their revenues from selling personal information of California residents.

There is a broad definition of what constitutes personal information. The CCPA includes fines for violations which may be enforced by the California attorney general or individual consumers. 

The 2020 California Privacy Rights Act makes a number of modifications to the CCPA. The following are some of the key points to keep in mind:

  1. The substantive elements of the new Act apply to personal information collected after January 1, 2023. Note, however, that the rulemaking process under the new agency (mentioned below) begins in the two-year run-up to 2023. Therefore, businesses are well advised to monitor developments.
  2. The new Act modifies the definition of businesses covered by the Act. For example, the Act increases the threshold number of consumers or households from 50,000 to 100,000 and changes this threshold to personal information bought, sold, or shared (i.e., personal information merely received does not count towards this threshold).
  3. The CPRA creates a new state agency, the California Privacy Protection Agency, which will have the obligation of implementing and enforcing the new Act.
  4. The Act creates a new category called “sensitive personal information.” This type of information includes social security numbers, passport numbers, financial account information, race, ethnicity, and union membership as well as other categories. The Act gives consumers certain rights with respect to this sensitive information and requires businesses to provide a “clear and conspicuous link” to consumers who provide information regarding the limiting of the use of such sensitive personal information.
  5. The new Act grants consumers the ability to correct inaccurate personal information and would expand the right to opt out of the “sharing” of personal information.  The sharing of information is defined as the transfer of personal information by the business to a third party for “cross-context behavioral advertising,” essentially targeted advertising based on a consumer’s activity across businesses and websites.

Businesses serving California consumers should get familiar with the new Act and prepare for its rollout in January of 2023.  

About the Authors

Leslie J. Pujo is an attorney with Plave Koch PLC in Reston, Va., focusing on mobility and vehicle use, as well as franchising. She can be reached at Wesley D. Hurst is an attorney in the Los Angeles office of Polsinelli and leads the firm’s Mobility & Vehicle Use practice. He can be reached at