How to get consent to collect connected car data from individual drivers? OpenDevTalk#4

October 31, 2022
When processed car data can be associated with a specific vehicle, it is considered personal vehicle data. At High Mobility, we focus on providing both VIN-specific live information and the tools necessary to capture consent. In our fourth Open Dev Talk, we introduce the basic legal and technical concepts that enable our platform users to run innovative new apps and services for individual drivers in a GDPR-compliant way.

Obtaining Driver Consent for Connected Car Data

High Mobility provides brand-independent connected car data based on the live information generated by privately owned vehicles. These insights can be used, for instance, for logbook applications, Pay-as-you-Drive insurance offerings or EV route optimisation services. Since we work solely with VIN-specific vehicle data and do not provide any anonymised data reports, we are required to ensure that the driver permits the data sharing before the live information is processed for the respective purpose. By doing so, High Mobility prevents any kind of access to drivers’ cars without prior acknowledgement.

To start working with individual driver consent, we recommend going through each of the following steps. Every underlying aspect is explained in more detail both in the video of our first Open Dev Talk and in this blog post.

  • Learn why consent is required
  • Check out legal requirements and obligations
  • Review the user’s perspective
  • Set up the OAuth authorisation flow

What Consent Means and Why It Is Required

Whenever a company wants to process personal data, it generally must first ask for permission. Under the GDPR umbrella, this concept is called consent. It means that users must have a clear choice and must be able to decide for themselves whether they agree with the requested data scope, the underlying purpose and the reason why the data is processed. They also must take specific action to signal consent. This can be as simple as ticking a checkbox on a webpage or signing a document that specifies the corresponding data sharing details.

In our specific context, we need to list all the requested vehicle-specific data items, such as the geolocation, odometer and ignition data points. Furthermore, we show the purpose and reason, which might be, for instance, the trip overview for enabling the logbook use case. We also make transparent which company is requesting the data points and which terms and conditions need to be agreed to. Requesting consent is a one-time process and does not need to be repeated for every subsequent data request as long as the agreed scope and purpose are fulfilled. At any point in time, drivers need to have the chance to withdraw their consent.

Legal Requirements and Obligations

The GDPR defines multiple roles, each associated with a set of responsibilities and duties based on their relationship to each other. The most straightforward role is the Data Subject. It is usually the human being who is associated with the data that should be used for the digital solution. According to GDPR, the data subject can only be a living individual, and in our context the Data Subject is represented by the driver.

Data Controllers are key decision-makers as they have the overall say and control over the reason and purposes of the data sharing process. They need to be fully compliant with all data protection principles and they are required to fulfill several duties such as managing data-related risks and implementing organisational and technical security measures (e.g. consent capturing flows).

At High Mobility, we are looking at a three-sided relationship: cars operated by individual drivers (Data Subject) generate data which is sent to the OEM systems (Data Controller). High Mobility (Data Controller) lowers complexity for the data customers (Data Controller) that create additional value by providing their apps and services. Every relationship is grounded on a clear contractual basis. Our contracts with the cooperating brands cover, for instance, availability, support and service level agreements. Rights and obligations between High Mobility and our data customers are defined in the car data terms of use, and drivers need to accept our end customer conditions before they can share their connected car data with others. All legal documents are made available on our online platform.

When an individual driver wants to give permission to a third-party application, he or she first needs to give consent to High Mobility to share data with the respective data customer. In a second step, consent needs to be given to the OEM as well in order to allow High Mobility to use the data for the corresponding purpose.

How Drivers Experience the Consent Flow

High Mobility’s consent flow can be integrated into the app or service that is provided by the data customer. Whenever a driver initiates the approval process, he or she is forwarded via an OAuth2 URL to the primary consent flow screen.

We first ask them to log in on Driver or register a new account. The Driver account makes it easy to manage vehicles and the corresponding data sharing approvals that have been granted to third-party services. If no account has been created yet, it can be generated on the fly by simply entering the email address and country. Before finalising the registration, users must agree with the terms of service and privacy policy statements by ticking the associated checkbox. So as not to interrupt the overall flow, the password is created via the link in an email notification after the approval has been completed. The next step is to set up the vehicle. If these details are not passed by the software provider, users need to select the brand and enter the Vehicle Identification Number (VIN) to specify which car’s information should be shared.

The next screen highlights all data points that the service provider has requested to be shared. Since the GDPR’s data minimisation principle also applies to our data customers, drivers cannot extend or limit the requested data set. After having confirmed the data point selection, the user is finally forwarded to the associated manufacturer portal (e.g. MercedesMe, FordPass, etc.). Each portal works a bit differently, but usually this step involves the driver logging in to his or her own account and granting High Mobility access to the requested data points. At the end, the user is redirected back to the application that originally triggered the consent flow. Individual consent steps for each brand are documented online.

How to Set Up the OAuth 2.0 Consent Flow

Before starting off, developers need to make sure that a data container has been created on our High Mobility platform. The data container represents the use case of your application and also encloses the list of data points that the driver will be asked to share. If you have not created a data container yet, we recommend revisiting our first Open Dev Talk, in which all necessary steps are demonstrated.

The OAuth client credentials cover the Client ID, Client Secret, Auth URI and Token URI and can be retrieved by opening the data container and navigating to the OAuth Client tab. In order to redirect the user back to the initial application, you need to put the Redirect URI for the OAuth2 callback into the corresponding field in our OAuth Client section and save the changes. If you run a mobile application, feel free to utilise the associated URL scheme for the iOS and Android operating systems.

The Auth URI can be generated by passing the parameters client_id, redirect_uri and app_id, which is listed right under the title of your app container. Complementary parameters such as brand, vin and locale can be passed as well to make the process easier for users and skip some manual inputs. More detailed information and all other optional parameters can be found in our official OAuth 2.0 User Consent docs.

-------------------------------
High Mobility Open Dev Talks 

At High Mobility, we are passionate about new technology. We offer free open source tools and developer-friendly documentation so that any project can be integrated smoothly. More than 800 developers and product managers have already signed up for our moderated community platform, and we are hosting connected car competitions for your innovative, connected car ideas.

In our free, monthly 30-minute Open Dev Talk online sessions, we explain exciting connected car topics in 15 minutes and dedicate the rest of the time to your questions and ideas.
