By Hao Nguyen, Esq.
Chief Legal Officer
In January of this year, the Governor of New Jersey signed Bill A4723, which now requires that dealers offer to delete a consumer’s personal information from their vehicle in certain circumstances. It’s a lengthy requirement, so we will break it down in the following sections in the form of a “question and answer” discussion.
When is this law effective?
This bill was signed by the Governor of New Jersey in January and is effective immediately.
Does this apply to me?
It depends. The new law speaks specifically to “motor vehicle dealers,” which is any business that engages in selling or leasing motor vehicles to consumers. Furthermore, the law states that “motor vehicles” are “all vehicles propelled otherwise than by muscular power, excepting such vehicles as run only upon rails or tracks, low-speed electric bicycles, low-speed electric scooters, and motorized bicycles.” It logically follows that both new and used vehicle dealers are affected.
However, in defining what kinds of businesses this law refers to, the law conspicuously omits recreational vehicle and motorcycle dealers.
Do I have to remove personal data on every vehicle?
The law requires that dealers must at the very least “offer to delete” the consumer’s personal information. The consumer has the opportunity to accept your offer or decline it. In either event, to ensure that you remain compliant with this law, we recommend that you add language to trade-in and lease-end forms to document that you had offered to delete the data from the vehicle and, if applicable, the consumer’s refusal to have the data removed.
What types of transactions does this law affect?
The law covers only vehicles that dealers “take possession of…from a consumer for the purpose of resale or lease.” This would suggest that this law affects vehicles that are taken in on trade or lease returns. The law does not explicitly cover rentals, test drive vehicles, and courtesy vehicles, but we encourage dealers to adopt good practices for data deletion in these situations as well.
What about vehicles I receive at auction?
The law does not specify whether or not vehicles that you receive at auction are affected because there is no “consumer” in the transaction with the auctioning company. With that understanding, it would be best practice to search for and delete any consumer data on these vehicles prior to resale.
What kind of personal information are we talking about?
The law refers to “personal information” and offers some examples, such as “navigation history, paired phones, garage door codes…”, but given that there is some ambiguity here, we will view “personal information” in the broadest scope in the context of in-vehicle data. This would mean any personal information stored in on-board infotainment systems (via a Bluetooth connection) and in-vehicle databases. Vehicles are essentially “computers on wheels” these days, so this includes, but is not limited to, the following:
- Contact information (name, address, phone numbers),
- Navigation history,
- Geolocation data,
- Biometric data,
- Internet browsing history,
- Media data,
- Text and voice communication records,
- Garage codes,
- Gate codes,
- Keyless entry codes, and
- Payment information.
How do I “wipe” the vehicle’s data?
There are two ways to wipe this information that are allowed by this new law:
- Use techniques specified by the vehicle manufacturer; or
- Use a menu option on the vehicle to restore the on-board device to its original factory settings.
Regardless of the method you choose, it needs to follow data clearing protocols that are in accordance with the Guidelines for Media Sanitization, which were developed by the National Institute of Standards and Technology (NIST). These guidelines standardize the data removal process to ensure that all data is cleared, purged, or destroyed safely and securely so as not to allow unauthorized access to the data. This formalized process requires not only that your staff be trained in the concept of media sanitization but also that they identify the personal data stored in the vehicle, determine which category of data destruction is applicable (given the risk to confidentiality and the nature of the media), remove the data stored in the vehicle, and then verify that the data was removed.
As noted in a response to a prior question, a consumer’s personal information can be stored in a variety of locations within the vehicle and you may need to seek out multiple resources for instructions to remove the data. A good place to start is the vehicle’s owner’s manual and multimedia manual. You will then want to search the manufacturer’s website for any specific instructions based on the year, make, and model of the vehicle. Here are some basic steps to remove personal data from a vehicle:
- Reset the system to factory settings,
- Clear any GPS data,
- Remove garage door codes or gate access codes,
- Disconnect any other “user” who is paired on Bluetooth,
- Delete contact information, and
- Clear all login information.
It is important to note that resetting the vehicle to factory settings, though allowed by this new law, may not guarantee that consumer information is completely removed and the consumer should be notified of such. It is becoming increasingly clear that dealers will need to provide the consumer a form to memorialize this process and document the consumer’s acceptance or refusal of the data removal service. The New Jersey Coalition of Automotive Retailers (NJCAR) is working on a form to help New Jersey dealers document this process.
It costs me money to do this. Can I be paid for my work?
Yes. In an amended version of the bill in early 2023, the authors put in language that allows dealers to charge a reasonable fee to the consumer to remove the data. However, you must also disclose the fee to the consumer prior to doing any of the work and give the consumer an opportunity to do it themselves or through another vendor. If you decide to charge the consumer for this service, we recommend that you document this charge and the consumer’s consent to have this service performed. When taking a vehicle in on trade during a sales process, the dealer should itemize the reasonable fee on the Retail Order Form (ROF) above the “Taxable Amount” section in the area alongside the documentary fee. If it is a lease return, it is more appropriate to document this data removal as a service through the service department.
Closing Comments
Though seemingly daunting at first, this new law is not difficult to comply with. As a matter of fact, most of you are probably already doing it now during vehicle reconditioning! The only difference is that now you have to document two things: 1) the offer to the consumer to wipe the data and 2) any reasonable fees that the consumer may incur if you do this for them.
On a final note, as personal data becomes a hotter topic in 2024 – as seen in New Jersey’s data privacy law and a rise in lawsuits by out-of-state residents – it becomes increasingly important that dealers make consumer privacy a priority. I urge you to speak to one of our representatives at info@complyauto.com to discuss our suite of privacy solutions to protect your dealership from government interference or plaintiffs’ attorneys. It’s a crazy world out there and laws like these just give them more ammunition.