In January 2024, Governor Murphy signed Bill A4723. This law requires New Jersey auto dealers to delete a consumer’s personal data from a vehicle in certain circumstances. The law, which became effective immediately, states:
Whenever a motor vehicle dealer takes possession of a motor vehicle from a consumer for resale or lease, the motor vehicle dealer shall offer to delete the consumer’s personal information from the motor vehicle’s computer system in the motor vehicle, including, but not limited to, navigation history, paired phones, and garage door codes, by performing data clearing protocols in accordance with the Guidelines for Media Sanitization developed by the National Institute of Standards and Technology using techniques specified by the vehicle manufacturer to overwrite data or by using a menu option to reset the device to original factory settings.
Who Is Covered?
The law speaks specifically to “motor vehicle dealers.” This presumably includes new and used car dealers. However, in defining what kinds of businesses this law refers to, the law conspicuously omits recreational vehicle and motorcycle dealers.
What Are the Obligations of Motor Vehicle Dealers Under the New Law?
The law requires that dealers, at a minimum, “offer to delete” the consumer’s personal information. The consumer can accept the dealer’s offer or decline it. In either event, to ensure compliance with this law, dealers should consider adding language to trade-in and lease-end forms to document their offering to delete personal data from the vehicle and, if applicable, the consumer’s refusal for the service.
What Types of Transactions Does this Law Affect?
The law is limited to vehicles that dealers “take possession of…from a consumer for resale or lease.” This would include trade-ins and lease returns.
The law does not refer to rentals, test drives, or courtesy vehicles. Nonetheless, dealers may want to set up procedures to periodically delete data from cars in their fleet that are used for those purposes.
The law does not specify whether vehicles that dealers receive at auction are covered. There is no “consumer” in the transaction with the auction house. However, given the heightened sensitivity to privacy issues in today’s culture, it may be prudent to delete any consumer data on these vehicles before resale.
What Kind of Personal Information Is Covered?
The law suggests “personal information” and gives examples, such as “navigation history, paired phones, garage door codes….” Again, given society’s concerns over privacy, dealers should view “personal information” in its broadest scope. This would mean any personal information stored in on-board infotainment systems (via a Bluetooth connection) and in-vehicle databases. Since cars are essentially “computers on wheels” these days, this includes:
- Contact information (name, address, phone numbers);
- Navigation history;
- Geolocation data;
- Biometric data;
- Internet browsing history;
- Media data;
- Text and voice communication records;
- Keyless entry codes; and
- Payment information.
Did You Wipe All the Personal Data?
The law describes the two ways dealers can delete the consumer’s data under the law: Using techniques specified by the vehicle manufacturer or using a menu option on the vehicle to restore the on-board device to its original factory settings.
To comply with the law, dealers must follow the clearing protocols per the Guidelines for Media Sanitization. The National Institute of Standards and Technology (NIST) developed these guidelines. They standardize the data removal process to ensure that all data is safely cleared, purged, or destroyed.
This formalized process requires the dealer’s staff to be trained in media sanitization. Additionally, the guidelines require the dealer to identify the personal data stored in the vehicle, determine which category of data destruction is applicable (given the risk of confidentiality and the nature of the media), and remove the data stored in the vehicle.
Lastly, the dealer must then verify that the data was removed.
The Bad News? This Will Cost Dealers Money. The Good News? You Can Charge the Consumer
It will certainly take time and effort from service departments to “wipe” the personal data from the vehicle’s systems as mandated by the law. However, before the Governor signed the bill, the legislature added a section permitting dealers to charge consumers a “reasonable fee” to perform this data removal.
Dealers should make these costs clear to the consumer before the service, advise the consumer he can perform his service himself or with another vendor, and have the consumer acknowledge his selection in writing.
Penalties
If a dealer violates this law, the dealer can incur a civil penalty of $500 for the first offense and $1,000 for subsequent violations.
Consult Experienced New Jersey Auto Dealer Attorneys
The attorneys at Schiller, Pittenger & Galvin, P.C., represent auto dealers throughout New Jersey and New York. We represent dealers in purchasing and selling dealerships, consumer fraud actions, manufacturers’ disputes, compliance issues, and employment matters.
The firm also prepares partnership and stockholder agreements for dealers and floor plan financing agreements.
If you are an auto dealer and have questions about the new data deletion law, call the attorneys at the firm’s Scotch Plains office at 908-402-4770 or contact the firm here.