CRA Security & Technology Explored – North America

By John Huetter

We recently covered PartsTrader’s reassurance to the collision repair industry that it doesn’t share customer repair data with vehicle history sites.

The company confirmed that it also bars the parts vendors bidding to outfit an individual vehicle from doing so. It also described its experiences since the California Consumer Privacy Act took effect Jan. 1. The info came in one of two interviews this week discussing the company’s privacy policies.

“There has been an increasing concern in the collision industry about the use and security of estimate data by various vendors,” PartsTrader wrote in a message posted June 9. “The main concern is around the sharing of data with vehicle history reporting companies.

“Let us be clear: PartsTrader does not and has never provided or sold data to CarFax, Auto Check or any other vehicle history reporting company.” (Emphasis PartsTrader’s.)

PartsTrader said this stemmed from a privacy policy in place since at least 2012.

On Friday, it described a separate document which held vendors to a privacy standard.

Under the PartsTrader terms of service, users can’t:

iv.  Contact any User for the purchase of vehicle parts once those parts have been included in a Request on PartsTrader, other than as provided under this Agreement.

v.  Use the Site other than to procure or supply Products used to repair motor vehicles.

vi.  Share data, screen shots or reporting from the PartsTrader Application outside User’s Company or other than for purposes of managing their own parts procurement or related business functions. (Emphasis added.)

Product director Scott Mason on Friday called Part (vi) here the “key one.” According to Mason, “that statement there” makes sure vendors aren’t “using information for other purposes than repairing or quoting on a vehicle.” They’re contractually barred from selling information to vehicle history sites, he said.

Society of Collision Repair Specialists Executive Director Aaron Schulenburg in July 2019 said repairers seem to be experiencing more issues with customer vehicles mysteriously flagged by vehicle history companies.

In the past, such incidents have been “one-off” and infrequent, but lately, the concerns and questions from SCRS members seem to have come in at a “very increasing pace,” Schulenburg said last summer.

PartsTrader Chief Innovation Officer Greg Horn said Tuesday he knew data leaking to history sites was a “big issue” in the industry, and he noticed upon joining the company that he didn’t see the topic on PartsTrader’s website.

He said he told PartsTrader, “‘We need to be really transparent about this’” and convey that no data had been sold to reporting companies. This prompted the June 9 message.

PartsTrader receives shop information after the data has first been encrypted and converted into the CIECA BMS format. The BMS data standard transmits less information than the obsolete but prevalent EMS format, which can reveal to a shop’s business partner more estimate information than the recipient actually needs.

“It’s only parts-related data,” Horn said Tuesday of the information received by PartsTrader. Items like repair times and customer information don’t make it over to the parts procurement company.

“The estimate data we use in our product is limited to the information required for sourcing parts,” PartsTrader wrote June 9. “This includes the information relating to the vehicle, the parts that are required and the insurer associated with the estimate. … Unlike other approaches in the industry the original files are not sent to PartsTrader.”

Details like the VIN and required parts are obvious. Horn explained Tuesday that PartsTrader needs the insurer’s name so it can modify the output to match that carrier’s requirements. He gave the examples of not showing aftermarket parts quotes or not showing uncertified aftermarket sheet metal parts if the insurer refuses to write for them.

CCPA

Another interesting privacy issue arose this year for larger auto body shops, insurers and vendors as the California Consumer Privacy Act takes effect. We talked a little with PartsTrader about this as well Friday.

Under the California Consumer Privacy Act, businesses doing $25 million or more in sales are by law in 2020 held to higher standards regarding customer data. Businesses that don’t make that kind of money but still handle 50,000 consumers a year also would qualify.

“Beginning January 1, 2020, this new law, in part, would grant a consumer the right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling information and the categories of third parties with which the information is shared,” the California Autobody Association wrote in January. “(AB 375-2018). Several new laws passed to clarify and to ease CCPA compliance including a narrow opt-out and deletion rights in order to facilitate prompt and effective recalls and warranty work. (AB 1146, AB 25, AB 874, AB 1355 and AB 1564)”

According to the California Attorney General’s Office, the law gives customers “The right to delete personal information held by businesses and by extension, a business’s service provider.”

Horn said PartsTrader’s legal staff had reviewed the matter. “I think we’re in full compliance,” he said.

Mason said the service provider was well-positioned for the law because of its work for insurers with customer privacy concerns. He said PartsTrader finds itself continuously reviewed and audited on this point.

Horn said customers could contact either their collision repairer or insurer to start the process of having their data deleted by PartsTrader. Mason said a variation on the matter had already arisen, with an insurer making its own request for PartsTrader to delete customer information. The software provider deleted the customer identifier, he said.

We asked about the VIN, which could be considered personally identifiable. Mason said PartsTrader would delete it if a customer wanted, but “we haven’t had that request.”

Mason said PartsTrader instead has been receiving and complying with requests to delete customer names and license plate numbers. He noted that this information was never visible to vendors using PartsTrader anyway. PartsTrader only displays it to that vehicle’s collision repairer so that user can identify the vehicle they’re fixing.

Privacy resources

California businesses interested in the CCPA might also wish to check out Democratic California Attorney General Xavier Becerra’s proposed regulations to manage the law. His agency submitted them June 1, and the Office of Administrative Law has 90 days to review them.

Repairers concerned about consumer privacy in general should check out the free virtual Collision Industry Conference event scheduled for July 22-23. At 1:15 p.m. July 23, the “Data Access, Privacy & Security Committee” plans to “present a suggested set of guidelines which all companies in the collision industry should consider adopting and which should be assumed as expected best practices,” according to a CIC agenda. “The security and legal protection of repair facility and customer data, especially personally identifiable information (PII) is paramount. In addition, there is a moral obligation that comes with protecting repair facility information. These guidelines are meant to ensure that companies with access to such information are acting in the best interest of the shops, customers, and the industry.”

The CIC committee presented a first draft of proposed data “Golden Rules” during the November 2019 CIC:

1. Never use data against your customers/end users, but rather in their service.

2. Provide clarity and education on what kinds of data are to be used, why and how (e.g., anonymous vs. personalized), with a simple experience in the “terms and conditions” acceptance.

3. Do not misuse and do not allow potential third parties to misuse data, aggressively promote data security and respect of privacy, and be clear on “legal aspects.”

4. Give customers/end users the choice of what to share and what not to share and for which purposes (i.e., customers need to be in control of their own data); periodically remind customers that they can revise the parameters of data sharing.

5. Make gathered data available to customers/end users. (Minor formatting edits.)

More information:

California Attorney General California Consumer Privacy Act webpage

Agenda and registration for free (use promo code) June 22-23 Collision Industry Conference

CIC Data Access, Privacy & Security Committee “Golden Rules” slides

CIC, Nov. 5, 2019

PartsTrader privacy statement

PartsTrader, June 9, 2020

PartsTrader terms of service

PartsTrader privacy policy

PartsTrader, Aug. 22, 2012

Images:

PartsTrader reassured the collision repair industry that it doesn’t share customer repair data with vehicle history sites. It also said it restricts vendors from similar sharing with its terms of service. (NatalyaBurova/iStock)

A repairer might wish to seek confirmation that a service provider or business partner has established privacy rules both upon themselves and third parties further downstream. (Kostiantyn Filichkin/iStock)

The California Consumer Privacy Act took effect Jan. 1, 2020. (grafikazpazurem/iStock)

Credit to Repairer Driven News.