Data, Data Everywhere
As technology used in cars continues to advance, cars have begun to resemble personal devices, like phones, capturing vast amounts of sensitive personal information. Not surprisingly, cars are becoming a significant point of consumer data collection.
Beyond allowing a car to unlock with an app or playing music from an integrated system, "connected cars" may collect sensitive data points such as biometric information or geolocation from their users, along with information on personal habits and consumer preferences. Connected cars as a category broadly applies to vehicles that are equipped with technologies that allow access to information via the internet or some form of wireless connectivity, i.e., cars with automated driving features, cars with Android Auto/Apple CarPlay, etc.2
Because of this technology, automakers uniquely have access to broad amounts of sensitive personal information that even closely held devices like phones are unable to collect.
For example, when someone drives with passengers, the personal data processed may be collected from not only the driver, but also any passengers in the vehicle or alternate drivers, as is common in families or shared household vehicles. And unlike a personal device like a phone where the phone owner is the primary operator and may consent to specific data collection and use, the multiple drivers beyond the primary driver are unlikely to be offered any choice beyond the initial setup.
Unfortunately, the passengers get no choices.
And with many modern vehicles, even someone outside the vehicle may have their data collected as autonomous vehicle features use exterior-facing cameras to guide their systems. These cameras can obtain data from individuals — or the individual's other vehicle — outside the source vehicle.
Similarly, each time a renter connects to their rented vehicle, the renter's individual data, contacts, locations, map destinations and musical tastes are connected to the rented car. In many rental situations, unless the driver actively takes steps to wipe their personal information from the rented vehicle, the connected renter's data will persist in the vehicle for many weeks, months or years to come.
Since there is an expanse of personal data both actually collected and capable of collection, there is a risk of overcollection and a risk of overuse or misuse. Even more concerning, as noted above, is sensitive personal data collected from those who are unable to consent or are never offered the opportunity to consent — which can include passengers, casual users and children.
Unfortunately, where there is personal data, there is a risk that this data can easily become monetized through either sale to data brokers or third-party advertising companies, or used by automakers in vehicle advertising.
Sen. Edward Markey, D-Mass., who historically expressed various concerns over sensitive data collection in many contexts, has been leading the charge by asking the FTC to investigate the privacy practices of automakers.
In a February open letter to the commission, Markey urged the FTC to use the full force of its authorities to investigate the automakers and take all necessary enforcement actions to ensure that consumer privacy is protected.3 Markey previously requested that major automakers answer questions about their data collection, use and disclosure practices, with most automakers failing to address the privacy risks in their data practices.
FTC's Statement on Consumer Data Privacy and Cars
The FTC has kept its eye on automakers and connected cars since 2013 with workshops held over the years on the topic, its prior issuance of consumer guidance to wipe data before any car sales and the May tech blog release.
In the recent tech blog, the FTC states that the easiest way that companies can avoid harming consumers through the illegal collection, use or sharing of sensitive information is by not collecting it in the first place.
The FTC goes on to remind all businesses, including auto manufacturers, to build products with safeguards designed to protect consumers from potential harm resulting from the data collection. These steps would naturally include careful examination of data collected, its use and any secondary uses proposed, as well as the retention and management of the collected personal information.
The FTC reiterated that "firms do not have the free license to monetize people's information beyond purposes needed to provide their requested product or service, and firms should not let business model incentives outweigh the need for meaningful privacy safeguards."4
The FTC vows that it will "take action to protect consumers against the illegal collection, use, and disclosure of their personal data."5 In recent years, the FTC has engaged in enforcement actions in areas including geolocation data, surreptitious disclosure and using sensitive data for automated decisions.6
What's Next?
The FTC released its warning to automakers as data privacy continues to emerge as a national concern.
In February, the Biden administration indicated that it would take unprecedented action to address the national security risks from connected cars that incorporate technology from China and other countries of concern.7
Additionally, the Federal Communications Commission recently finalized geolocations enforcement actions against all major U.S. mobile phone carriers last month for illegally sharing access to customers' location information without consent and lack of reasonable protection measures against unauthorized disclosure.8
Comprehensive data privacy laws are being passed and enacted in states across the country.
As of July, the following states have comprehensive data privacy laws: California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Florida, Montana, Oregon, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska and Rhode Island.
Currently, the laws of California, Colorado, Connecticut, Virginia and Utah are effective, while Florida, Oregon, Texas and Montana's privacy laws will all become effective by the end of the year.
In addition to the focus by the FTC, many of the state statutes categorize precise geolocation information as sensitive personal data, with varying definitions of what constitutes "geolocation data."
For example, Virginia's data privacy law states that access to recorded motor vehicle data, data recorded by a motor vehicle recording device including location data, may only be accessed by the motor vehicle owner or with the owner's consent unless specified conditions apply.9
Compare that to Texas' data privacy law which specifically targets manufacturers of new motor vehicles sold or leased in the state as requiring the disclosure of recording devices in the vehicle's owner's manual.10
Further complicating the issue with personal data collection in cars is that state comprehensive privacy laws vary in their approach to the collection and use of sensitive data with consent — either opt-in or opt-out — and for consent to secondary uses, also in some states, an affirmative opt-in is required. These issues may only be exacerbated for any passengers including minor children or nonprimary drivers.
Finally, there is also the issue of fulfilling consumer rights obligations.
As data privacy legislation continues to expand, all businesses, including automakers, must carefully examine their data collection, use and retention practices. Consumers are becoming more aware of their rights and good data practices.
Practicing good data hygiene and stewardship is the only appropriate path forward. While the current options for maintaining good data hygiene are limited, especially for consumers, there are some steps that both consumers and businesses can take to protect individuals' rights and maintain good data practices.
From the consumer perspective, limiting your connections to connected cars — whether that be by Bluetooth for directions, phone calls or music, a USB wire for charging your device or a Wi-Fi hot spot for internet access — would minimize the amount of personal data being shared with the car and its automaker.
Rather than use the vehicle for these items, one can use their phone without connecting to the vehicle. Listen to the radio, play music from your phone, take calls on speaker, use the built-in navigation tool, charge your phone with a remote charging block, or use a personal Wi-Fi hot spot instead of one built into your vehicle.
Further, when not in your own vehicle but rather a borrowed car from a friend or a rental car, always make sure you delete any data you may have inserted into the car, such as destinations visited in the navigation history, calls made if you did connect your phone, and just the memory of the connection to your personal device in general. These practices will become standard operating procedures for consumers with good data hygiene, however they should not only fall onto the consumer.
Rental car companies should include, as part of their standard vehicle turnover procedures, the removal and deletion of any data from the previous renter. Just like a hotel room is cleaned and all items from the previous renter are removed, the same should be done for vehicle rentals.
Also, manufacturers of autonomous vehicles should develop their autonomous driving systems to recognize when a person is around the vehicle, but should not ever look to identify who that person is by tracking biometric or other identifying features. The same applies to other vehicles on the road — the license plate or other unique characteristics of the other vehicles are not relevant to the purpose of developing an autonomous driving system — only the actual determination of whether another vehicle is around or not is relevant.
While there is no foolproof method for protecting your data when interacting with a connected car, there are steps both consumers and businesses can take to minimize the collection of data, especially from people who do not have the ability to reject the collection of their data.
- FTC, Staff in the Office of Technology and The Division of Privacy and Identity Protection, Cars & Consumer Data: On Unlawful Collection & Use (May 24, 2014), [hereinafter Unlawful Collection].
- FTC, Connected Cars: Privacy, Security Issues Related to Connected, Automated Vehicles (Jun. 28, 2017).
- Letter from Senator Edward Markey to FTC Chair Lina Khan (Feb. 27, 2024).
- Unlawful Collection, supra note 1.
- Id.
- Id.
- The White House, FACT SHEET: Biden-Harris Administration Takes Action to Address Risks of Autos from China and Other Countries of Concern, (Feb. 29, 2024).
- FCC, FCC Fines AT&T, Sprint, T-Mobile, and Verizon Nearly $200 Million for Illegally Sharing Access to Customer's Location Data (April 29, 2024).
- Va. Code Ann. § 46.2-1088.6
- Tex. Transp. Code § 547.615(b); § 547.615(a)(2).