Frank Terlep cautions any shop pulling data from a vehicle to have the customer’s authorization to do so.Dan Risley (left) and Patrick McGuire discuss steps collision shops should take to protect data they collect from customer vehicles.I-CAR’s Jason Bartanen says a search tool I-CAR developed can help shops locate what advanced driver assistance systems a vehicle may have and what calibrations may be necessary.

Potential data privacy concerns mean new steps for shops to protect customer information

Palm Springs, Calif.—Aaron Schulenburg of the Society of Collision Repair Specialists (SCRS) is among those saying that it’s not just California shops that should be concerned about a new consumer privacy law going into effect next January in that state.

The California Consumer Privacy Act gives consumers broad new rights to compel businesses to share what personal information they are collecting about them, how that data is collected, what purpose such collection serves, and how that information is being shared with others. Schulenburg noted that similar laws could be enacted in other states, and that SCRS has for years argued that agreements with insurers, information providers or others, often give shops very little knowledge or control over how customer or vehicle data is shared or used by others.

“We need to figure out a way that collision repairers can either identify how people are accessing their data, or be able to communicate to the customer that we don’t have a mechanism to be able to do so,” Schulenburg said.

Speaking at the recent Collision Industry Conference (CIC) held in Palm Springs, Calif., Dan Risley, who co-chairs CIC’s “Data Access, Privacy and Security Committee,” said even some shops in California think they will be exempt from the new law’s requirement because it applies only to businesses with annual sales above $25 million. But he noted that most shops are sharing customer information with much larger organizations, which could subject them to the new California law.

The committee’s presentation noted that vehicle scanning broadly expands the categories of customer data that shops have access to, and often are collecting and potentially sharing.

“If you’re getting access to the vehicle data through the data link connector or OBD-II port, it is my strong recommendation that you get authorization from that consumer to access and share that data,” Committee member Frank Terlep said. “It’s critical.”

Illinois attorney Patrick McGuire said there are a number of other steps shops should be taking relative to data privacy. He recommends that shops first limit, to the extent they can, the type and amount of information they actually take in.

“If it’s potentially personally identifiable or sensitive information, if you don’t need it, don’t get it in the first place,” McGuire said.

He said only employees with a work-related need should have access to the job files, shop management system or other computer systems.

“Maybe have employment or confidential agreements [related to data access and use] so that if something ever does happen, you can at least say you took reasonable steps to prevent it,” McGuire said.

He said shops could consider a check-out procedure for use of vehicle scanning tools.

“I could see someone saying to a detailer, ‘Hey, plug this into whatever car you’re working on, give the data back to me, and I’ll give you $15,” McGuire said. “That’s not unrealistic. I think you need to do what you can to try to prevent that.”

The committee asked shop owners attending CIC how many have a written agreement related to vehicle data privacy with companies to which they sublet work; only one hand in the room went up. McGuire said he’s amazed at how many shops release a customer vehicle to other companies without any kind of documentation or agreement.

He also reminded shops that while insurance companies may have valid reasons for accessing vehicle data, it still requires the consent of the consumer. This is particularly important, he said, in third-party claims where the customer has no policy agreement with – and is technically in an adversarial role with — the insurer paying the bill.

“The Federal Trade Commission that regulates data isn’t going to have much sympathy, even for a small business, that didn’t make at least an effort to put the right documents in place” in terms of customer authorizations and data privacy, McGuire said.


Fiat Chrysler discusses certification

Also during CIC, Erica Schaefer, collision marketing manager for Fiat Chrysler Automobiles (FCA), said the automaker is making vehicle scanning a requirement for its network of certified shops.

“We’re changing our position, from ‘Capability to scan,’ to, ‘You must scan in adherence to our position statement.’” We will be measuring it and doing some random audits, making people show proof of scans and so forth.”

The company has also announced that it has partnered with Collision Advice and the Automotive Management Institute (AMi) to bring a variety of online training to its certified collision shops. The training includes sessions on navigating the FCA “Tech Authority” information website, improving customer service, and a management guide to scanning and new technologies, as well as some more technical topics such as flashing an engine control unit.

The courses are available through AMi for anyone in the industry, and FCA is currently labeling the courses only as “recommended” for FCA-certified shops, but Jeff Peevy, the president of AMi, says some of the training “soon will be required” for FCA-certified shops. Shops also should be aware that AMi will be reporting to FCA a “commitment score” to indicate to what degree a shop has voluntarily completed the automaker’s training.

“Have they just had one person take the bare minimum? Or have they had all of their office staff take everything that’s available? That’s a sign of a commitment,” Peevy said. “That’s a way when FCA is looking at shops they can determine which shops are really committed to the FCA process and customer. So that’s something we’ve worked on and will be doing.”


Finding ADAS calibration requirements

Another online tool discussed was I-CAR’s “OEM Calibration Requirements” search page, which can help shops identify which advanced driver assistance systems a vehicle may have, and what reset or calibration tools, equipment and processes may be necessary.

The guide is not VIN-specific, but instead shows the names and locations of all cameras and sensors that are options on each make and model to assist shops in looking for the systems on a particular vehicle in their shop, as well as to more quickly find OEM calibration documentation. The guide also indicates what types of events – such as glass removal or replacement – result in the need for recalibration, and indicates whether a scan tool, aiming targets, or other special tools are needed for calibration.

“We spent thousands of hours on this calibration matrix to save the industry tens of thousands if not hundreds of thousands of hours on that research,” Jason Bartanen, director of industry technical relations for I-CAR, said. “As you’re going through the damage analysis process, putting together a repair plan, you can identify, ‘Hey, we’re replacing a glass on this vehicle, so we’re going to have to calibrate.’”

A three-minute video describing how to use the search tool is available on the I-CAR “Repairability Technical Support Portal” website (

Parts & People

Parts & People is published monthly by Automotive Counseling and Publishing Company, Inc., a Colorado corporation, P.O. Box 18731 Denver, CO 80203, 303-765-4664. President-Lance Buchner. Founded by Lance Buchner and Dave Lucia.