Obtaining Driver Consent for Connected Car Data
High Mobility provides brand-independent connected car data that makes use of the live information generated by privately owned vehicles. These insights can be used, for instance, for logbook applications, Pay-as-you-Drive insurance offerings or EV route optimisation services. Since we work solely with VIN-specific vehicle data and do not provide any anonymised data reports, we are required to ensure that the driver permits the data sharing before the live information is processed for the respective purpose. By doing so, High Mobility prevents any kind of access to drivers' cars without prior acknowledgement.
To start working with individual driver consent, we recommend going through each of the following steps. Every underlying aspect is explained in more detail both in the video of our first Open Dev Talk and in this blog post.
- Learn why consent is required
- Check out legal requirements and obligations
- Review the user’s perspective
- Set up the OAuth authorisation flow
What Consent Means and Why It Is Required
Whenever a company wants to process personal data, it must generally first ask for permission. Under the GDPR umbrella this concept is called consent. It means that users must have a clear choice and must be able to decide for themselves whether they agree with the requested data scope, the underlying purpose and the reason why the data is processed. They also must take specific action to signal consent. This can be as simple as ticking a checkbox on a webpage or signing a document that specifies the corresponding data sharing details.
In our specific context, we need to list all the requested vehicle-specific data items, for example the geolocation, odometer and ignition data points. Furthermore, we show the purpose and reason, which might be, for instance, the trip overview for enabling the logbook use case. We also make transparent which company is requesting the data points and which terms and conditions need to be agreed to. Requesting consent is a one-time process, and it does not need to be repeated for every following data request as long as the agreed scope and purpose are fulfilled. At any point in time, drivers need to have the chance to withdraw their consent.
Legal Requirements and Obligations
The GDPR defines multiple roles, each associated with a set of responsibilities and duties based on their relationship to each other. The most straightforward role is the Data Subject. It is usually the human being who is associated with the data that should be used for the digital solution. According to GDPR, the data subject can only be a living individual, and in our context the Data Subject is represented by the driver.
Data Controllers are key decision-makers as they have the overall say and control over the reason and purposes of the data sharing process. They need to be fully compliant with all data protection principles and they are required to fulfill several duties such as managing data-related risks and implementing organisational and technical security measures (e.g. consent capturing flows).
When an individual driver wants to give permission to a third-party application, he or she first needs to give consent to High Mobility to share data with the respective data customer. In a second step, consent needs to be given to the OEM as well in order to allow High Mobility to use the data for the corresponding purpose.
How Drivers Experience the Consent Flow
High Mobility’s consent flow can be integrated into the app or service that is provided by the data customer. Whenever a driver initiates the approval process, he or she is forwarded via an OAuth2 URL to the primary consent flow screen.
The next screen highlights all data points that the service provider has requested to be shared. Since the GDPR’s data minimisation principle also applies to our data customers, drivers cannot extend or limit the requested data set. After confirming the data point selection, the user is finally forwarded to the associated manufacturer portal (e.g. MercedesMe, FordPass, etc.). Each portal works a bit differently, but usually in this step the driver logs into his or her own account and grants High Mobility access to the respective data points. At the end, the user is redirected back to the application that originally triggered the consent flow. Individual consent steps for each brand are documented online.
How to Set Up the OAuth 2.0 Consent Flow
Before starting off, developers need to make sure that a data container has been created on our High Mobility platform. The data container represents the use case of your application and also encloses the list of data points that the driver will be asked to share. If you have not created a data container yet, we recommend revisiting our first Open Dev Talk, in which all necessary steps are demonstrated.
The OAuth client credentials cover the Client ID, Client Secret, Auth URI and Token URI and can be retrieved by opening the data container and navigating to the OAuth Client tab. In order to redirect the user back to the initial application, you will need to put the Redirect URI for the OAuth2 callback into the corresponding field in our OAuth Client section and save the changes. If you run a mobile application, feel free to utilise the associated URL scheme for the iOS and Android operating systems.
The Auth URI can be generated by passing the parameters client_id, redirect_uri and app_id, the last of which is listed right under the title of your app container. Complementary parameters such as the brand, vin and locale can be passed as well to facilitate the process for users and skip some manual inputs accordingly. More detailed information and all other optional parameters can be checked in our official OAuth 2.0 User Consent docs.
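As an added illustration (not High Mobility's own code), the sketch below builds the consent link from the parameters named above and validates the redirect back to the application. The endpoint, credentials and the `session` dict are placeholders, and `state`, `code` and `error` are the standard OAuth 2.0 authorisation-code parameters, assumed here to be supported by the platform.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders: copy the real values from the data container's OAuth Client tab.
AUTH_URI = "https://auth.example.invalid/oauth/new"
CLIENT_ID = "example-client-id"
APP_ID = "EXAMPLEAPPID"
REDIRECT_URI = "https://logbook.example.invalid/oauth/callback"
VIN_RE = re.compile(r"[A-HJ-NPR-Z0-9]{17}")  # 17 characters; I, O and Q never occur in a VIN


def build_consent_url(session, vin=None, brand=None, locale=None):
    """Return the link the driver is sent to and bind it to the user's session."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "app_id": APP_ID}
    if vin is not None:
        vin = vin.strip().upper()
        if not VIN_RE.fullmatch(vin):
            raise ValueError("malformed VIN")
        params["vin"] = vin
    if brand:
        params["brand"] = brand
    if locale:
        params["locale"] = locale
    # Assumption: the standard OAuth 2.0 `state` value is echoed back on the redirect.
    session["oauth_state"] = secrets.token_urlsafe(32)
    params["state"] = session["oauth_state"]
    return AUTH_URI + "?" + urlencode(params)  # urlencode escapes every value


def handle_callback(session, callback_url):
    """Validate the redirect back to the app and return the authorisation code."""
    got, want = urlsplit(callback_url), urlsplit(REDIRECT_URI)
    if tuple(got[:3]) != tuple(want[:3]):  # scheme, host and path must match exactly
        raise ValueError("callback did not arrive on the registered Redirect URI")
    query = parse_qs(got.query)
    expected_state = session.pop("oauth_state", None)  # single use: replays fail
    got_state = query.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(expected_state.encode(), got_state.encode()):
        raise ValueError("state mismatch: callback is not bound to this session")
    if "error" in query:
        raise PermissionError(query["error"][0])  # e.g. the driver declined consent
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorisation code")
    return code
```

The returned code is then exchanged at the Token URI from the server side, so the Client Secret never reaches the browser or mobile client.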
High Mobility Open Dev Talks
At High Mobility, we are passionate about new technology. We offer free open source tools and developer friendly documentation for any projects to be integrated smoothly. More than 800 developers and product managers have already signed up for our moderated community platform and we are hosting connected car competitions for your innovative, connected car ideas.
In our free, monthly 30-minute Open Dev Talk online session, we explain exciting connected car topics in 15 minutes and dedicate the rest of the time to your questions and ideas.
Join our community on Slack