New Jersey’s Data Deletion Law: Implications for Resold or Re-leased Vehicles

Jessica Birdsong, Matthew Cali, Christopher Capurso, Christopher Carlson, Blake Christopher, Brooke Conkle, Lauren Morgan Fincher, Samuel Fishel, Clayton Friedman, Nick Gouverneur, Troy Homesley, Natalia Jacobo, Namrata Kang, Michael Lafleur, Warren Myers, Philip Nickerson, Lane Page, Dascher Pasco, Stephen Piepgrass, Kyara Rivera Rivera, Timothy Shyu, Trey Smith, Ashley Taylor Jr., Daniel Waltz, Cole White, Michael Yaghi
Troutman Pepper Locke
Contact
LinkedIn
Facebook
X
Send
Embed

Troutman Pepper Locke

[co-author: Stephanie Kozol]*

On July 28, the New Jersey Division of Consumer Affairs issued a reminder to more than 3,000 auto dealerships regarding their obligations under the New Jersey data deletion law, N.J.S.A. § 56:12-18.1. This law, enacted and effective in January 2024, requires dealerships to offer data deletion services for consumer information stored in vehicles accepted for resale or lease. Dealerships are now on notice of their compliance obligations under the law.

Elizabeth M. Harris, acting director of the Division of Consumer Affairs for New Jersey, explained the regulatory impetus for the new law. According to Harris, consumers are aware of data privacy concerns associated with discarded hardware, such as cell phones and laptops, but apparently are less aware that vehicles are increasingly storing the same types of data. The law aims to educate the public in this respect and provide consumers with options to protect personal information.

Key Points of the Legislation

  • Data Storage Concerns: Modern vehicles can store personal data through their infotainment systems, including call logs, text messages, and navigation history. This data can potentially be exposed to others if not properly managed during vehicle transitions.
  • Legal Requirements: Dealerships must offer data deletion services to prevent unauthorized access to this information. Failure to comply can result in civil penalties — $500 for a first offense and $1,000 for subsequent offenses — collected and enforced by the director of the Division of Consumer Affairs in a summary proceeding in New Jersey State Superior Court.
  • Operational Implications: Dealerships are advised to follow the Guidelines for Media Sanitization, developed by the National Institute of Standards and Technology (NIST), to ensure data is deleted. They may charge a reasonable fee for these services, provided the fee is disclosed to consumers beforehand and must also advise consumers that alternatively, they may delete their personal information themselves or through a vendor.

New Jersey’s law is one of the first of its kind, but it will not be the last. At the federal level, the Auto Data Privacy and Autonomy Act gained bipartisan support at the end of 2024. Several states have proposed similar legislation, which can take various forms. The Illinois Collateral Recovery Act, for example, requires a licensed repossession agency to erase all consumer personal information after repossession

These broader industry trends are discussed in Season 1: Episode 15 of the Moving the Metal: The Auto Finance Podcast. That episode highlighted the rapid evolution of privacy expectations, particularly concerning connected cars and the Internet of Things.

Strategic Considerations

Dealerships should consider the following strategies to effectively navigate these requirements:

  1. Training and Compliance: Ensure staff are trained on data deletion procedures and compliance requirements to minimize risks of noncompliance.
  2. Consumer Communication: Clearly communicate data deletion options and any associated fees to consumers. While it is possible to pass along the cost of deleting data to the consumer, any such fee must be clearly disclosed to avoid running afoul of other regulatory pitfalls, such as “junk fee” regulations of unfair, deceptive, or abusive acts and practices.
  3. Technology Integration: Invest in technology solutions that streamline data deletion processes and ensure compliance with manufacturer specifications. Manufacturers are increasingly integrating privacy into their vehicles, providing consumers and dealers with options to manage privacy preferences. Technology affords a seamless opportunity for compliance.

Regulators are increasingly sensitive to consumer privacy in connection with Internet of Things-connected devices. New Jersey’s law reflects a growing trend in this respect and provides regulators with yet another tool to impact consumer data privacy. Manufacturers and dealers must keep informed of evolving regulatory privacy obligations and engage in privacy by design to ensure efficient and effective compliance.

*Senior Government Relations Manager

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Troutman Pepper Locke

Written by:

Troutman Pepper Locke
Troutman Pepper Locke
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Troutman Pepper Locke on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide