Providers in the mobility space take note.

The Estonian Data Protection Inspectorate, Andmekaitse Inspektsioon, conducted a short term vehicle rental sweep that could be important in light of a declared connected vehicle sweep in California.

Here are some key takeaways.

Privacy Disclosures Must be Clear

  • The language in Estonia was not understandable, clearly formulated or easily accessible.
  • It used definitions and complex terms.
  • It referred to other documents that were not always available.
  • This wouldn’t be good enough in California either. The California Privacy Protection Agency recently announced that privacy disclosures are among its top enforcement priorities.)

Data Retention Must be Specific (Or at Least Not Vague)

  • It is not enough to say “data is stored as long as it is mandatory or permitted according to legislation or necessary to achieve the goals stated in the data protection conditions”
  • This is the case for new U.S. laws as well

Delete Data For Real

  • It is not enough to remove some direct identifiers or pseudonymize the data. You need to make it anonymous or delete it.

Read more here.