UPDATE! State Privacy Laws and VPD
Just about a year ago, we posted “A Privacy Rights Road Trip: How Do State Privacy Laws Impact Vehicle Performance Data (VPD)?” in which we considered how the five states that had enacted data privacy laws at that time had addressed privacy rights in and to the type of personal data increasingly captured by our cars. On March 28, Iowa became the sixth state to enact a comprehensive data privacy law—meaning our privacy rights road trip needs an update.
It’s worth noting at the outset that, even though nearly twelve months have elapsed, and only one state has joined the mere handful of states with these laws on the books, there is momentum in the data privacy space. This is obvious when comparing the International Association of Privacy Professionals’ State Privacy Legislation Tracker from our first post:
With the tracker as it appears today:
And how does the latest data privacy law address VPD? Much like every state other than California, Iowa’s law doesn’t address VPD expressly. But that doesn’t mean VPD is entirely outside the scope of the law’s protections. The relevant provisions are summarized below:
VPD Provisions
The Iowa Act does not specifically define “vehicle information” or include any provisions specific to VPD. “Personal data” is defined to mean “any information that is linked or reasonably linkable to an identified or identifiable natural person.” It does not include “de-identified or aggregate data or publicly available information.” S.F. 262, 90th Gen. Assemb., Reg. Sess. § 1(18) (Iowa 2023).
In addition, “sensitive data” is defined to include “precise geolocation data,” and the Act restricts processing of such data without providing the consumer notice and an opportunity to opt out. S.F. 262, 90th Gen. Assemb., Reg. Sess. §§ 1(26)(d), 4(2) (Iowa 2023).
The Act also covers “biometric data,” defined as “data generated by the automatic measurements of an individual’s biological characteristics, such as fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.” S.F. 262, 90th Gen. Assemb., Reg. Sess. § 1(4) (Iowa 2023). Such data also is included within the definition of “sensitive data” when it is “processed for the purpose of uniquely identifying a natural person.” S.F. 262, 90th Gen. Assemb., Reg. Sess. § 1(26)(b) (Iowa 2023). While this may not have obvious implications in a discussion about VPD, recent litigation in Illinois involving Subaru’s driver monitoring feature suggests otherwise.
The Act specifically exempts from its scope “personal data collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721 et seq.” S.F. 262, 90th Gen. Assemb., Reg. Sess. § 2(3)(n) (Iowa 2023).
In addition, the Act does not prohibit a controller or processor of protected data from collecting, using, or retaining data “to conduct internal research to develop, improve, or repair products, services, or technology” or to “effectuate a product recall.” S.F. 262, 90th Gen. Assemb., Reg. Sess. § 7(2) (Iowa 2023).
Privacy Law
Iowa Consumer Data Protection Act of 2023, effective January 1, 2025
Copyright Nelson Niehaus LLC
The opinions expressed in this blog are those of the author(s) and do not necessarily reflect the views of the Firm, its clients, or any of its or their respective affiliates. This blog post is for general information purposes and is not intended to be and should not be taken as legal advice.