Endpoints-on-Wheels: Protecting Company and Employee Data in Cars

Merry Marwig is the VP Global Communications & Advocacy at Privacy4Cars. Merry is a pro-consumer, pro-business privacy advocate who is optimistic about what data privacy rights mean for everyday people — and for the companies they do business with. At Privacy4Cars, she helps protect drivers’ and passengers’ personal data while creating business opportunities for automotive companies. In this episode… Modern cars are like computers on wheels, collecting and storing data just like smartphones or laptops. Unlike those devices, however, vehicle data is often left unencrypted and persists long after a car is sold, rented, or reassigned. This is especially problematic for businesses that use corporate cars, rental vehicles, fleet vehicles, or personal vehicles for work purposes. Sensitive information such as contact lists, text messages, navigation history, and even security credentials can remain stored in vehicles long after they change hands, posing significant privacy, security, and even physical safety risks. To take control of sensitive data, companies need to establish data deletion policies for all vehicles used in a business context. This includes requiring rental agencies and fleet management providers to delete stored data and offer certificates of deletion when cars are returned or decommissioned. Companies should also require automotive providers to provide VIN-specific data disclosures so drivers understand what data the vehicle collects and how it's used and shared. Additionally, companies need to consider how privacy regulations like GDPR and CCPA apply to vehicle data collection and use it to inform their internal policies and third-party contracts. In today’s episode of She Said Privacy/He Said Security, Jodi and Justin Daniels talk with Merry Marwig, VP Global Communications & Advocacy at Privacy4Cars, about the privacy and security risks of data collected and stored in vehicles. Merry explains how cars used for work, whether rental, fleet, or personal, retain unencrypted personal and company data that can be exploited when vehicles change ownership or are decommissioned. She shares real-world case studies involving sensitive information left behind in cars, including banking credentials, contact lists, and patient health records. Merry also outlines how data deletion policies and VIN-specific disclosures, required through contracts with automotive providers, help companies reduce privacy and security risks.