The Automotive Service Association (ASA) cautions that some third-party vendors that collision and service repair shops do business with might be reselling their customers’ data in detail, or as an aggregate, to other third parties.
This practice raises concerns that shop owners might not be aware when their data, and their customers’ data, is being shared and/or sold. As a result of this practice, shops could be incurring additional liability and potential exposure to lawsuits.
To address this issue, ASA has developed a Data Security Policy Agreement/Addendum for those wishing to ensure the protection of their customer data. Click here to access this resource, from the ASA’s website.
“The protection of personal information and proprietary technical data is a priority for consumers, regulators, legislators and class-action attorneys throughout the United States and abroad,” said attorney Patrick J. McGuire, Patrick J. McGuire Law Offices, Mt. Prospect, Ill. “As an industry, everyone should be doing everything within their power to prohibit the unapproved/unsolicited sharing of estimates and repair data that goes beyond the scope of what is necessary during the normal course of doing business.”
Recently, one of ASA’s board members encountered a situation in which estimate data was unknowingly shared with CARFAX within 48 hours of the estimate being created. The board member stated that the consumer was irate because the value of his vehicle was impacted severely. He demanded to know why the shop shared the information without his consent.
“Shops need to take control of their data,” said Scott Benavidez, ASA’s Collision Division Operations Committee director. “Situations like this aren’t unique, and the potential for class-action lawsuits should cause everyone to lock down their data. Nobody should be profiting from the data we are generating on behalf of our customers.”
To date, the shop in question has not determined who shared the data, although when asked, CCC Information Services, the preferred estimating system provider for the shop, replied with a letter from CARFAX Communications Director Larry Gamache saying “CARFAX currently gathers information from more than 34,000 sources. However, CCC is not one of these. CCC does not report information from your facility to CARFAX.”
Bob Wills, ASA’s Mechanical Division Operations (MOC) director, said the Data Security Policy Agreement/Addendum ASA developed provides shops with a tool to protect themselves. The document states that all information (data) provided to outside vendors is owned exclusively by the shop and provided for the sole purpose of conducting business. It does not grant the authority or privilege to share the data, sell it, or repackage it in total or part without the express written consent of the shop.
“We believe that most third-party vendors in the industry do a great job of protecting a shop’s data,” Wills said, “and they have policies and contractual language to highlight their commitment to doing the right thing. We also know that there are a few vendors that profit from using the shops’ data without their express written consent. It’s time for the industry to take note and take control of their data.”