Used vehicles – a treasure trove of personal data and a data breach in the making (revisited) but a solution is now to hand


Protecting your customers’ privacy should be a standard level of care for all dealerships.

Two years ago, in a publication not so far, far away (on behalf of the Scottish Motor Trade Association), we reported on the very real and ever-increasing risk of data breaches through the sale of used vehicles.

Since then, data protection has become a red-hot topic that is set to expand exponentially in the years to come. Businesses that either ignore it or get it wrong do so at their peril and on pain of astronomical fines, which could, in severe cases, result in prison sentences for company directors, not to mention private claims for compensation for damages suffered by individuals, together with legal costs, reputational damage and loss of consumer trust. In short, all the worst parts of business hell and damnation.

Suffice to say and without hyperbole, data protection is as serious as a heart attack, and any business that thinks otherwise is a “data breach walking”.

Surveys reveal that four in five vehicle owners fail to adequately remove personal data stored within their vehicle before selling it, placing them, their family, friends, and other contacts at the mercy of criminals, and placing traders at risk of sanction by the Information Commissioner's Office (ICO).

Modern vehicles pair with smartphones and other electronic devices via Bluetooth or USB and absorb huge amounts of our personal data.

If this data is not erased properly or at all and all electronic connections are not unpaired, then not only could such highly sensitive and valuable data be accessed by the new owner or others, but the previous owner could even track the vehicle, open its doors, and drive it away!

Responsible motor traders would not dream of handing over customers’ personal details to third parties without the customers’ consent, but that is precisely what is happening here if a vehicle is sold without the previous owner’s, and perhaps even the trader’s own and/or employees’, personal data erased from the vehicle’s database.

Patently, this has major implications for all concerned and could represent a serious data breach if a motor trader allows any vehicle to go out with any third-party data stored in its database.

This applies equally to hire and loan cars, so all personal data must be removed after each user returns the vehicle.

So, motor traders are strongly advised to make it their practice to remove all personal data and unpair connected applications as part of their preparation before they sell or hand over any used vehicle. By providing evidence to both the seller and the buyer that all data has been removed and access rights revoked, dealers can stay on the right side of the law, protect themselves from sanctions, and add extra value to the customer experience.

Thankfully, from a tech company based far, far away in the USA, a technical solution is now at hand for a very modern and technologically driven problem.

Lawgistics has been approached by Privacy4Cars, a leading authority on vehicle privacy and cybersecurity, who have developed an application (app) for just such a problem.

Privacy4Cars has become the de facto standard in North America for automotive businesses that want to efficiently and effectively delete personal information stored in cars while building compliance records in line with regulatory requirements. Privacy4Cars works with hundreds of auto auctions, serves almost half of the auto finance companies with portfolios of at least US$ 4 billion (including several OEM captives), most of the fleet management companies, and increasingly, as of last year, dealerships. For dealerships specifically, Privacy4Cars’ customers range from small independent stores to the top 50 groups.

Indeed, they were most interested to see that we at Lawgistics were across this problem some two years ago and that, despite the distance and obvious differences in jurisdiction between us, our views on the point were nonetheless fundamentally aligned.

According to Mark Corsi, Vice President of International Sales and Partnerships: “Privacy4Cars can truly facilitate the process of deleting personal information from lease returns, trade-ins, vehicles bought wholesale, loaners, and test drives. Protecting your customers’ privacy should be a standard level of care for all dealerships. Ideally, the vehicle should be wiped as soon as it comes into inventory, especially with surprise inspections a possibility.”

Mark goes on to say: “If I was an owner of a dealership with a pre-owned department, I would be quite concerned about being fined. We know that violations of privacy laws can result in up to 4% of the global revenue of an automotive group. For example, if a dealership sold 50 vehicles a month at an average price of GBP 20,000, that dealership has GBP 480,000 at risk per year. Importantly, just putting a disclaimer in the “fine lines” does not constitute legally valid consent from consumers, hence offers no real legal protection.

In theory, this can also apply to any vehicles loaned out by the dealership as well as test-driven vehicles as they too link to the driver’s phone. I have done this many times myself without giving it a second thought until I joined Privacy4Cars! This is not just a legal risk: deleting data is good customer service, and an important tool dealerships can use to win or retain customers.”

Privacy4Cars are new to the UK and came directly to Lawgistics, as even in the States our reputation as experts to and champions of the motor trade precedes us. This company could recognise that we are the foremost “legal firm” to the motor trade in the UK and at the forefront of such initiatives.

Lawgistics are delighted to announce that we have brokered a special limited time offer with Privacy4Cars for the exclusive benefit of our membership in the UK, as follows:
  • a twelve (12) month agreement at an introductory price of just GBP 99.00 per month, which includes the first 40 VINs per month, with additional VINs in any given month to be charged at GBP 4.00 per VIN
  • no set-up fees and no limits on how many users, how many VINs, and how many deletions are performed
  • for the first 30 days, service is FREE. Dealerships may cancel at any time in the first 30 days and will owe nothing, with no questions asked
  • after twelve (12) months, the introductory pricing expires and the company’s regular pricing will apply

It is entirely a matter for our membership to decide, on a business-by-business basis, if such service and terms are best for them, and any agreement(s) entered into will be between the dealership and Privacy4Cars as appropriate. Be assured, however, that doing nothing here is just not a sustainable option, in any event.

For those fortunate enough to be in Dallas, Texas between 26 and 29 January, Privacy4Cars will be at the National Automobile Dealers Association (NADA) Show 2023; NADA represents nearly 16,500 franchised new car and truck dealerships in the USA. Mark Corsi will be available to meet at the International Lounge. The broader team will be at Booth #4802, the booth of Impel, an integration partner of Privacy4Cars, and it is here that UK dealerships can book in advance a time to meet with Mark.

Howard Tilney, Head of Strategy / Legal Advisor
