December 29, 2023
Illinois Requires Repossession Agents to Clear Personal Data from Vehicles
A new Illinois data privacy law specifically tailored to motor vehicle-secured financing transactions becomes effective on January 1, 2024, and is likely to lead to similar laws in other states. The law, Senate Bill 800, amends the Illinois Collateral Recovery Act and requires licensed repossession agencies to clear, erase, delete, or otherwise eliminate personal information collected or stored in a vehicle after repossession.
The law defines "personal information" as information that is associated with an owner, driver, or passenger of the collateral and that is collected and stored by electronic means in or by the collateral (this appears to include information saved to the cloud that is accessible—and erasable—from the vehicle) during the course of use of that collateral. The law specifically refers to several examples of covered personal information, including, but not limited to:
- contacts, addresses, and telephone numbers;
- garage door codes;
- map data;
- digital subscriptions; and
- biometric information (such as fingerprints allowing keyless entry to vehicles).
The new law also expressly covers information that is deemed "sensitive personal information" by the Federal Trade Commission, "personally identifiable information" under federal or Illinois law, and "individually identifiable health information" under the Health Insurance Portability and Accountability Act. To ensure that the law covers all bases, the Illinois legislature added a broad catch-all to cover "information that a licensed repossession agency reasonably believes would be deemed confidential or private by the person who is associated with the information."
A repossession agency that has cause to believe that a repossessed vehicle collects personal information must delete or otherwise clear this information from the repossessed vehicle as soon as practicable upon repossession of the vehicle and prior to release of the vehicle. (As an aside, the law does not make an exception to the requirement to delete information when the vehicle is released back to the consumer, perhaps upon reinstatement.) The repossession agency must use a standardized electronic solution approved by the American Recovery Association to delete covered information.
We expect that the Illinois law is among the first of what will be a long progression of similar laws to be enacted in other states, as technological advancements increase the amounts and types of information collected and stored in or by vehicles and, as a result, the risk of identity theft or unauthorized access to personal information.