Drivers Look at Infotainment, but Law Doesn’t.

In the Law and Mobility Journal’s 2018 publication “Vehicle Rental Laws: Road Blocks to Evolving Mobility Models?”, the authors referenced a putative class action suit, Kramer v. Avis Budget Group, in support of the observation that “recently, vehicle infotainment systems…have come under scrutiny.” This blog post follows up on that case and that observation, summarizing the post-2018 vehicle infotainment-related lawsuits and describing what has come of that scrutiny: nothing.

The cases described below involve infotainment data collection. When one plugs one’s phone into a vehicle infotainment system, the system uploads data from the phone, and unless the customer deletes it, it stays indefinitely. Data includes text message, contacts, phone records, etc.

Kramer

The issue in Kramer (which became Greenley when Kramer voluntarily dismissed himself) was whether Avis’s failure to delete data from their vehicles’ infotainment systems and Avis’s failure to make the indefinite storage abundantly clear violated the California constitutional right to privacy. 

When Vehicle Rental Laws was published, Kramer was a putative class action. Since then, the action was dismissed in federal court on a motion to dismiss due to lack of standing, remanded to state court in 2019, and settled in 2022; despite four amended complaints, class certification was never granted.

The lack of standing is no doubt familiar to those readers following privacy litigation. Here, the plaintiff argued a) that Avis’s actions constituted “snooping” and “overbroad collection” (terms from the ballot initiative) in violation the California constitutional right to privacy, b) that that right is substantive, and c) that violation of a substantive right is “sufficiently concrete harm to create Article III standing.” The court disagreed, holding that there was no snooping and thus no violation.

The court’s reason was that Avis’s actions were in fact inaction. Avis did not actively access or retain any data. Rather, they “improperly ignored” (per the plaintiff) the data, and snooping means looking at data, not ignoring it. The overbroad collection argument was rejected because, per that court, unconstitutional collection requires also excess retention. Conclusorily, the court decided that an absence of steps taken to retain information meant there was no unconstitutional excess retention. Several cases were cited to support the notion that retention of lawfully collected data was lawful. 

This approach to the familiar standing problem is unusual. Most data privacy cases concern (the risk of) companies intentionally going out of their way to collect and transfer data that consumers often were unaware even existed (e.g., session replay software). This case concerned a company doing nothing yet still collecting data, with consumers knowing the data was uploaded, though not retained. 

Yet despite this contrast, it is a privacy violation for rental car companies, which scrub the insides of cars, to fail to scrub troves of personal and sensitive information when they could do so more easily than most customers. The FTC issued guidance to rental car companies about deleting data in order to protect privacy. Privacy International calledrental companies’ failure to delete infotainment data “a cause for concern” demanding a “wider [look] at the eco-system of data generated by…devices within vehicles.” “Seems fairly innocuous? Wrong,” they declared. Finally, the contextual theory of privacy suggests it is a privacy violation; sensitive information like contacts and call logs being accessible to strangers is not in accord with norms. 

The court’s reasoning is not concordant with intuition, and it is not concordant with the case law.

The court in Kramer used the text of the ballot initiative that created the California right to privacy in evaluating whether there was a violation. This is incorrect. Since 1994, there have been four elements to a claim: 1) the existence of a legally protected privacy interest and 2) a serious or egregious 3) violation thereof without 4) a good reason (a balancing test of plaintiff vs. defendants’ interests). The court entirely ignored these elements, choosing to fixate on an irrelevant textual analysis of the ballot initiative. Given the absolutely erroneous analysis on the part of the court, it is odd that plaintiffs did not appeal; it suggests that even they did not think much of the scrutiny they were trying to impose.

As to the class issue, a hearing on class certification was scheduled for September 30, 2022. The case settled a month later. Still, after four amended complaints, we can assume it was not going to happen and that the settlement was a small “go away” settlement. 

All this is to say that Kramer, which in 2018 was promising scrutiny, came to nothing except a demonstration of the judicial system’s failure to apply both intuitive notions of privacy and, for that matter, privacy law. 

Shapiro and McKee

With respect to rental cars, this author did not find any other cases post-2018 regarding vehicle infotainment or telematics. In fact, only three cases pertaining to the technology were found, other than evidentiary questions in criminal law. I discuss these for completeness of the scrutiny on these systems.

In Shapiro, the defendant leased the car in question to the plaintiff. Plaintiff returned it, reporting a certain odometer reading, and defendant sued for odometer tampering. Plaintiff sued for invasion of privacy for the technology that allowed defendant to discover the tampering, namely BMW’s “Teleservice” service that sends information about the car to BMW and local dealers only when the car hits certain mileages. It did not track movement or location. In the unpublished decision, the court held that Shapiro had failed to show tracking.

In McKee and Goussev, plaintiffs sued General Motors and Toyota, respectively, over their infotainment systems, which allegedly automatically download and store a connected phone’s text messages and call logs without the ability to delete it. Plaintiffs considered this a privacy violation because the ability of “third parties to connect and access the stored information…deprived [him] ‘of the right and ability to engage in private’” communications.

The motions to dismiss were granted. Although GM and Toyota created their respective systems, in both cases the court found that companies did not and could not interact with the data, including retrieval.¹The plaintiffs sued under the Washington State Privacy Act. Discussion of the truly bizarre jurisprudence thereof is omitted. See e.g., State v. Bilgi, 19 Wash.App.2d 845, 496 P.3d 1230 (holding that because a recording technology is “not an actor with agency,” there was no violation when police used the technology.) Here, the court held that an infotainment system is not an entity and does not “act[] in agency capacity on behalf of GM.” No kidding. Thus, so says Washington, GM did not violate privacy. 

Plaintiff Michael McKee is an international economics and policy correspondent for Bloomberg TV. Plaintiff Evgeniy Goussev was a plaintiff in both Goussev and McKee. In both cases, they sought declaratory and injunctive relief. McKee’s profession, Goussev’s repeated litigation, and the sought after relief lead to a reasonable belief that the purpose of this litigation was to change the world of infotainment systems. They failed. Infotainment systems continue to collect lots of data.

Android Infotainment Antitrust Investigation

Germany’s antitrust agency has begun to investigate Google for anti-competitive behavior related to its Android-based vehicle infotainment system. Google allegedly blocks third party map services from using critical data and makes availability of its system to manufacturers subject to “very strict terms” that “could restrict competition even further.” The agency’s statement of objections was sent three days before this blog post was written, so the extent of scrutiny here is as yet unknown; another blog post updating this theme is something to look forward to.

Summary

As these four cases show, litigative attempts to shape vehicle infotainment systems have failed in recent years. Our authors’ hopeful remark about scrutiny has come to naught. In the meantime, the telematics and infotainment markets have only grown. Statista estimates the global vehicle infotainment market in 2021 was $41bn with predicted CAGR of 9% over the next six years. The web is inundated with guides to picking the best infotainment system. Car manufacturers are joining into the generative AI craze, with Mercedes implementing ChatGPT. Infotainment systems are “near universal.” This is in spite of the enormous risk to safety that they pose.

Nonetheless, the original article’s authors were correct in identifying growing scrutiny. It’s just not legal scrutiny. When I searched “rental car infotainment” on DuckDuckGo on June 20, 2023, six of the top responses are about privacy. Several news outlets have reported on the issue. Whether the public cares is ambiguous (contrast growth in news to prevalence) however. While the conclusion on that front is unclear, the plaintiff’s bar and the courts’ opinions are clear: not going to happen. 

For those concerned about the rental car issue, the best hope seems to be that public scrutiny in newspapers drives infotainment companies to create rental car specific versions of the software that do not store data or that rental car companies begin to compete on protecting privacy by deleting data. Otherwise, renters are, as in virtually every area of digital privacy, left with an individual need to protect ourselves. 

In any case, to summarize the update to the original paper, the prediction regarding scrutiny was not particularly borne out by the future. The case the paper referenced failed, few litigants have tried and none have succeeded since then, but the non-legal world may or may not be interested.