On July 31, the California Privacy Protection Agency’s Enforcement Division announced that it would be reviewing connected vehicle manufacturers’ and technologies’ privacy practices. Connected vehicles contain features that collect information about owners and riders, including location sharing, web-based entertainment, cameras, and smartphone integrations.
Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, the Agency has the right to investigate potential violations of the CCPA. Violations can include using personal information for purposes not disclosed to consumers, not fulfilling consumer rights requests, and more. Section 1798.140(o)(1) of the CCPA defines “personal information” as “information that identifies, relates to, or could reasonably be linked with you or your household.” The California Attorney General’s Office provides examples of personal information on its website, such as geolocation data, fingerprints, records of products purchased, and individuals’ full names.
Due to the approximately 35 million vehicles currently registered in California, the Agency believes that connected vehicles, especially as they become more widespread, affect the majority of California consumers. When announcing its intentions, the Agency’s Executive Director, Ashkan Soltani, concluded that “modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle.” The fact that connected vehicles can monitor devices near a vehicle presents broader concerns regarding the privacy of individuals who are neither drivers nor passengers.
The Agency’s concerns are timely. On April 6, Reuters published a report outlining findings about driver and rider privacy in Tesla vehicles. Although Tesla’s website represented that all vehicles are “designed from the ground up to protect your privacy,” interviews conducted by Reuters with nine former indicate that, between 2019 and 2022, Tesla employees shared internally “highly invasive videos and images recorded by customers’ car cameras,” in addition to more mundane images.
Reuters’ findings may not have been the catalyst for the Agency’s investigation, but a number of lawsuits have been filed against connected vehicle manufacturers over alleged data privacy violations. Although the lawsuits have so far been unsuccessful, the growing concern about how these vehicle manufacturers are collecting and using consumer data explain the Agency's decision to investigate. .
As the Agency initiates its first investigation, there is the potential for a large shift, not only in the automotive industry, but also in any field relying heavily on data and mobile technology. As these technologies continue to emerge and be adopted, the implications for organizations’ privacy practices will only grow.
