With the ever-expanding Internet of Things, data privacy is a growing concern in today’s digital age. The automotive industry is no exception. The National Highway Traffic Safety Administration (“NHTSA”) has broad regulatory authority over the safety of passenger vehicles, but the Federal Trade Commission (“FTC”) is the primary federal agency responsible for protecting consumer privacy. However, neither of these regulatory agencies has taken a significant step in investigating and protecting consumers against automakers' intrusive collection of their personal data.

Based on a recent study, if an automotive industry report card were to ever be released, most major auto manufacturers would receive an “F” for data privacy. A report published by Mozilla Foundation, a global nonprofit best known for its open-source Firefox web browser, shared that all 25 of the car brands researched for their study report — including Ford, Toyota, Volkswagen, BMW, and Tesla — failed to meet the nonprofit organization’s minimum privacy standards and were found to collect more personal data from customers than necessary. Failing to do so not only jeopardizes consumer trust, but can also expose vehicle owners to serious privacy risks. This undermines common privacy principles, such as compliance with fair information practice standards and data minimization when dealing with the personal information of others.

Vehicles are becoming increasingly autonomous and interwoven with the Internet, collecting and transmitting vast amounts of data. Most modern vehicles can arguably be called “a computer on wheels.” According to Albert Fox Cahn, a technology and human rights fellow at Harvard’s Carr Center for Human Rights Policy, “…most cars are wiretaps on wheels.” Consumer Watchdog, a consumer protection group in California, called modern cars the equivalent of web browsers. Notwithstanding the different descriptions used to describe modern vehicles, it is commonly known that your vehicle puts your privacy at risk.

Unfortunately, despite the advance of technology within the latest vehicles, it appears that many automakers are not making sufficient efforts to safeguard the private information their technology is collecting. What does this mean for vehicle owners? This raises serious concerns about the protection of such private information, which vehicle owners would likely deem to be sensitive and personal information. Let’s discuss this further categorically.

Lack of Stringent Data Privacy Measures

One of the key concerns is the lack of stringent data privacy measures being implemented by automakers. Fortunately, states may start cracking down after the California Privacy Protection Agency (“CPPA”) announced they plan to review how connected vehicle (“CV”) companies are using data they amass from their customers' automobiles. This will be the first enforcement action by California’s new privacy regulator, and the only such agency in the United States. Misuse of the private data collected can cause a CV manufacturer to be in breach of California’s Consumer Protection Act (“CCPA”), which grants consumers new data rights. Given that this was recently announced on July 31, 2023, it will be interesting to see what the CPPA’s review reveals. In the event of a discovered violation, the Attorney General must give the CV manufacturer a 30-day notice to comply with CCPA regulations. Failure to rectify issues within that period may result in a civil penalty of up to $2,500 per violation, regardless of whether it was accidental or intentional. Additionally, automakers may face a $7,500 fine in case of intentional violations of CCPA provisions. The announcement of this review should stir conversation within the corporate offices of these automakers because based on other reports and studies released, a majority of automakers may be in violation.

Inadequate Consent and Transparency

Despite having long-winded privacy policies, automakers often fall short of obtaining proper consent from vehicle owners regarding data collection and sharing. Several of the car brands Mozilla Foundation interviewed contained long-winded privacy policies. Yet, the Mozilla Foundation still could not confirm whether any of the brands met their minimum security standards. An automobile manufacturer’s failure to comply with its own privacy notice exposes the manufacturer to regulatory action by the FTC pursuant to Section 5 of the FTC Act. If it is unclear to automobile manufacturers as to whether they comply with their own privacy notices, vehicle owners are presumably unaware of the extent to which their data is being collected and utilized.

Many vehicles are equipped with sophisticated infotainment systems, navigation tools, and automated safety technologies. Today, a typical modern vehicle contains dozens or even hundreds of sensors that cover almost every aspect of its operation and environment. Additionally, modern cars are increasing the number of cameras a vehicle may have, especially with the rise of 360-degree cameras in the latest modern vehicles. These technologies can generate and gather data on driving habits, locations, photos, calendar information, conversations, what music a driver listens to, and other personal preferences. Both Nissan and Kia are noted to have allowed the collection of information regarding a driver’s sex life. While some data collection may be necessary for enhancing driver experience and vehicle performance, there is a fine line between utility and intrusion.

Data Sharing with Insufficient Data Encryption

Another key concern is the sharing of user data with third-party entities, such as advertisers, data brokers, or app developers. Twenty-one out of the 25 car brands Mozilla Foundation reviewed, claimed to share personal user data, 19 claimed a right to sell that personal data, and 14 reported a willingness to share user information with the government and/or law enforcement if requested. While monetizing data can be a source of revenue for automakers, the method of sharing is troubling. Mozilla Foundation also could not confirm any of the automakers could meet the organization’s minimum-security standards regarding data encryption and protection against theft. However, if not adequately protected, the transmission of data between vehicles and external servers is vulnerable to interception. Such vulnerability puts drivers at risk of identity theft or unauthorized tracking.

Conclusion

To address these insufficient efforts in data privacy matters, automakers need to consider the following:

• Limiting the collection of data to only the data necessary to operate the systems of the vehicle;
• Investing in robust data protection measures;
• Enhancing encryption protocols to protect data during collection and transmission to third parties;
• Obtaining clear explicit consent from users for data collection and sharing via opt-in and opt-out choices;
• Releasing a privacy notice to vehicle purchasers with full transparency regarding data collection practices, purposes, and the entities to which data is shared; and
• Complying fully with those released privacy notices.

Additionally, it is equally important for vehicle owners to do their due diligence in not only reviewing the privacy notices that they receive when they purchase their new vehicle, but also understanding what laws and remedies are available to protect the personal information that is being collected and utilized by automakers. Jointly, proactive automakers and knowledgeable vehicle owners can ensure the strength of data privacy and ethical privacy practices.

Are automakers making sufficient efforts in data privacy? The present answer is no. However, with increased government and market pressures, the hope is that customer data protection becomes an auto industry priority.