If rental companies do not routinely delete data between rental sessions, previous renters’ personal information can be exposed to subsequent renters and potentially misused.  -  Baker Donelson

If rental companies do not routinely delete data between rental sessions, previous renters’ personal information can be exposed to subsequent renters and potentially misused.

Baker Donelson

Many rental car companies permit customers to connect their personal devices to the vehicles' GPS and infotainment systems, allowing renters to enjoy features like hands-free calling, music streaming and navigation through their smartphones. As a result, these tracking technologies gather a substantial amount of personal information about the rental drivers. 

Collecting telematics data and renters’ personal information can provide valuable insights for businesses, enabling them to optimize fleet management and better understand consumer behaviors. However, rental companies operating in California must exercise caution when collecting such data, as in-vehicle data collection can lead to legal complications.

What is California’s Rental Passenger Vehicle Transactions law?

California's Rental Passenger Vehicle Transactions Law (commonly referred to as RPVTL) prohibits a rental company from using, accessing or obtaining any information about a renter’s use of a vehicle if that information was obtained using “electronic surveillance technology” — unless it qualifies as one of the limited exceptions related to locating missing vehicles, remote locking/unlocking or providing roadside assistance. 

According to the RPVTL:

  • “Electronic surveillance technologies” include technological methods or systems used to observe, monitor or collect information, including telematics, Global Positioning System (GPS), wireless technology or location-based technologies.
  • “Electronic surveillance technologies” do not include event data recorders, sensing and diagnostic modules, vehicles’ airbag sensing and diagnostic systems or other systems used to monitor vehicles’ performances or repair statuses.

Is “Electronic Surveillance Technology” Banned or Allowed for Specific Purposes?

The following “electronic surveillance technologies” are allowed in rental vehicles in California:

  • When the equipment is used by the rental company only for locating a stolen, abandoned or missing rental vehicle.
  • When it allows for remote locking or unlocking of the vehicle at the renter’s request, if the rental company does not use, access or obtain information relating to the renter's use of the vehicle that was obtained using that technology, except to lock or unlock the vehicle.
  • When it allows the company to provide roadside assistance, such as towing, flat tire or fuel services, at the renter’s request, if the rental company does not use, access or obtain information relating to the renter's use of the vehicle that was obtained using that technology except to provide the requested roadside assistance.
  • Using “electronic surveillance technology” for purposes beyond the abovementioned exceptions is prohibited. For instance, using data obtained from tracking technologies in rental vehicles to analyze renters’ behaviors for determining rental pricing or insurance premiums may be considered illegal.

If a rental car company uses electronic surveillance technology for the purposes allowed by the RPVTL, they must keep records of relevant information for at least 12 months. This includes details like the rental agreement, return date, the date and time the technology was activated, as well as any communication with the renter. If a renter asks for these records, the company must provide them, along with any explanatory codes needed to understand the records.

Consequences for violating the RPVTL

There is a private right of action under California's RPVTL. This allows individuals to file a lawsuit against rental companies if they believe their personal information was unlawfully collected or used in violation of the law. Successful plaintiffs may recover damages, attorneys’ fees and other related expenses.

Several recent class-action lawsuits have been filed under the RPVTL law against leading rental car companies concerning their collection of renters’ data. These cases stem from customers pairing their smartphones with rental vehicles’ infotainment or navigation systems.

The plaintiffs’ arguments in these cases are similar, claiming that after pairing their smartphones, the rental vehicles’ GPS technology and infotainment systems collected personal information (such as GPS data, device names and other details) from their phones. This data remains stored in the rental vehicle even after the vehicle is returned to the company. As many rental companies do not routinely delete data between rental sessions, previous renters’ personal information may be exposed to subsequent renters and potentially misused.

One class action filed in California against a major rental car company in 2019 settled confidentially at the end of 2020.  A similar case against another leading rental car company is ongoing.

Practical Advice for Rental Car Companies

California courts have been aggressive in protecting the privacy and integrity of consumer data and tend to interpret laws in favor of consumers. Defending class action lawsuits can be expensive. 

To proactively safeguard their interests, rental companies operating in California should consider the following factors before installing tracking devices in their vehicles:

Assess the sensors, telematics, GPS, location-based or wireless technologies, tracking devices and other technologies in your rental vehicles. Do they collect personal information from renters?

  • Determine the purposes for collecting personal information from renters. Is it for vehicle maintenance, troubleshooting or other reasons, including analyzing renters’ behaviors?
  • Delete renters’ personal data after each rental session.
  • Accurately disclose how the rental vehicle collects, uses, processes and stores renters’ personal information in the privacy policy.

Hannah Ji-Otto, of counsel at Baker Donelson in Nashville, where she guides clients through a broad range of information privacy challenges and complex technology transactions. She represents clients across all industries, including global manufacturers, healthcare organizations, online payment service providers, software providers, insurance companies, digital marketers, retailers and global e-commerce platforms.

 

0 Comments