Data sharing between car manufacturers and insurance companies has become top of mind for regulators recently.

Here are some “To Do’s” we’re discussing with clients in and out of the automotive space:

Regulator: You can’t bury disclosures in multiple lengthy documents that overlap and are filled with cross references.

• To do: Review your terms and privacy disclosures together as a whole. Have you been “hoarding” docs? Can they be streamlined and simplified?

Regulator: You need to give the customer a meaningful opportunity to review terms of service and the data sharing component must be made obvious.

• To do: Besides Marie Kondo-ing your disclosures package, simplify the disclosure itself. Make it shorter and then give a copy to someone in your target audience to read. Do they comprehend what it means?

Regulator: If you engage in profiling that can result in a loss of access to a right or a service (e.g. create a risk score), you must disclose it and explain how it is calculated. You also must explain the consequences of the score.

• To do: Review your disclosure and make sure profiling is disclosed and adequately explained.

Regulator: Opt-in consent can’t be disguised as an integral part of a lengthy mandatory onboarding process. It must be clear that it is voluntary.

• To do: If something is voluntary, you need to make sure that is obvious. Test this with your audience too.

Regulator: Beware when incentivizing agents to enroll customers in a data sharing program. You need to make sure the enrollment remains voluntary.

• To do: Check what happens “on the ground.” If your enrollment is handled by third parties, provide them with guidance and audit them.

Regulator: If someone declines to enroll in voluntary data sharing, you can’t then present warnings that doing so will result in the degradation of service or an absence of safety features. You also shouldn’t nudge them to sign up with multiple emails after they decline.

• To do: Make sure no means no. Excessive nudging has been held by regulators (including the Federal Trade Commission in the U.S. and European Data Protection Board in the EU) as a “dark pattern” that can undermine true consent.

Regulator: If you sell/share information and make a profit or receive a revenue share, you need to disclose this in a way that is clear and not misleading. If you are sharing data for profit, you can’t say that you are sharing for the improvement of your product or for safety, functionality or operability. You also can’t use the download of a free app as consent to share information with third parties.

• To do: Make sure your data sharing is clear and provide an opt-in / opt-out where required. (The FTC, the California Privacy Protection Agency and other state regulators really care about this.)

[View source.]