Skip to content

Brought to you by

Dentons logo

Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

open menu close menu

Privacy and Cybersecurity Law

  • Home
  • About Us

Driver’s Licence Information and Test Drives: Guidance from the Alberta Office of the Information Privacy Commissioner

By Privacy and Cybersecurity Group
May 4, 2015
  • Canada
  • Privacy Rights
Share on Facebook Share on Twitter Share via email Share on LinkedIn

What personal information is reasonable for a motor vehicle dealer to collect from individuals participating in test drives? It has been acknowledged that dealers have a business need to collect personal information in association with offering test drives due to the risks associated with that practice. For example, individuals that take a vehicle for a spin may cause damage to the vehicle and/or, in the extreme, take it on an “extended test drive” and drive off the lot and not to return (as one unlucky luxury vehicle dealership in Halifax experienced).

The Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta) recently issued guidance reminding motor vehicle dealers of their obligations under the provincial Personal Information Protection Act when collecting, using and disclosing personal information such as driver’s licence information in association with test drives.

Key Points

1.     Consent and clear notification of purposes of collection

Obtain consent (orally, in writing, or electronically) for the collection of the information. Before or at the time of the collection of personal information, dealers should clearly notify individuals that the purpose of collection of the driver’s license is for identification (as well as any other purposes, if applicable) and provide the contact information of the person who is able to answer questions on behalf of the dealer about the collection and use of the personal information.

2.      Collection must be reasonable – making copies of a driver’s licence is not reasonable

The OIPC Alberta reiterated that dealers should not make copies of driver’s licences of test drivers, but that recording the first and last name, address, and driver’s licence number would be considered reasonably required for meeting the intended purposes of the collection.

This guidance echoes the OIPC Alberta’s finding in Order P2012-10, where it determined that there was no reasonable purpose for a car rental agency to photocopy driver’s licences of renters. Specifically, making copies of legitimate  driver’s licences is not necessary if the licence number is recorded, as the information on the licence can be obtained from the motor vehicle database using the driver’s licence number recorded. In the case of people who steal cars using fraudulent driver’s licences, the practice of photocopying customers’ drivers licenses did not have significant utility for apprehending or deterring these people.

This broad prohibition on making copies of a driver’s licence falls in line with guidance and findings of the regulators on the collection of driver’s licence information in the retail context. These generally set out that circumstances where it is considered acceptable to record a driver’s licence number is limited, and that photocopying driver’s licence information is typically considered to not be reasonable (Collection of Driver’s Licence Numbers Under Private Sector Privacy Legislation – Guidance for Retailers, joint guidance issued by the OIPC Alberta, Office of the Information and Privacy Commissioner for British Columbia, and the Office of the Privacy Commissioner of Canada).

3.     No secondary uses of information

Using information from a driver’s licence to for marketing purposes is permitted only with consent.

4.     Share only with consent or legal authorization

Disclosure of information collected for test drive purposes to third parties is prohibited except with consent or as authorized by law.

5.     Retain only for reasonably required period of time

Dealers should assess the length of time personal information collected for test drives should be retained to address the risks with that practice and should securely dispose of records at the end of this retention period.

6.     Protect the information

Dealers should put in place technical, administrative and physical safeguards to secure the personal information from unauthorized disclosure, such as storing the information in locked areas and encrypting electronic devices that contain personal information. This includes restricting access to staff who require the information on a “need to know” basis.

Conclusion

The collection of driver’s licence information in the context of a test drive must be reasonable, which means no photocopying/scanning the driver’s licence. Keep in mind the key requirements above regarding collecting, using and disclosing personal information obtained in association with test drives.

Share on Facebook Share on Twitter Share via email Share on LinkedIn
Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
Alberta, Canada, Driver's Licence, Motor Vehicle Dealers
Privacy and Cybersecurity Group

About Privacy and Cybersecurity Group

Our Privacy and Cybersecurity lawyers operate at the intersection of technology and law. We understand that data is one of your core assets, driving insights and enabling development of valuable new products and services. Our global Privacy and Cybersecurity group works across all sectors offering a full complement of counseling and advice, regulatory and litigation services.

All posts

RELATED POSTS

  • Privacy Rights

The FTC’s Myspace Consent Order May Impact Use by Mobile App Developers of Unique IDs

On May 8th, the FTC released its proposed consent order in its investigation of Myspace.com, finding the social networking site […]

By Todd Daubert
  • Privacy Rights

It’s Friday 13th! Time to consider the cost of getting privacy wrong

Today is Friday 13th; so timely to consider the news stories this week saying that Google will soon be fronting up to […]

By Simon Elliott
  • Europe
  • Privacy Rights

Processing of riders’ personal data ̶ The Italian Data Protection Authority sanctions a food delivery company

By Privacy and Cybersecurity Group

About Dentons

Dentons is designed to be different. As the world’s largest law firm with 20,000 professionals in over 200 locations in more than 80 countries, we can help you grow, protect, operate and finance your business. Our polycentric and purpose-driven approach, together with our commitment to inclusion, diversity, equity and ESG, ensures we challenge the status quo to stay focused on what matters most to you. www.dentons.com

Dentons boilerplate image

Twitter

Categories

  • Accountability
  • Asia Pacific
  • Canada
  • Cloud Computing
  • Consumer Protection
  • Cybersecurity
  • Data Breach
  • Data Transfers
  • Employee Privacy
  • Enforcement
  • Europe
  • General
  • Government Information
  • Health Information Privacy
  • Latin America
  • Marketing, Cookies & Spam
  • New and Proposed Laws
  • Privacy Notices
  • Privacy Rights
  • Record Retention
  • Smart Cities
  • United Kingdom
  • United States

Subscribe and stay updated

Receive our latest blog posts by email.

Stay in Touch

Dentons logo

© 2022 Dentons

  • Legal notices
  • Privacy policy
  • Terms of use
  • Cookies on this site