On November 23, 2016, the Electronic Privacy Information Center (“EPIC”) issued a 17-page comment document to the National Highway Traffic Safety Administration (“NHTSA”) to highlight the privacy risks of automated vehicles and to recommend revisions to NHTSA’s Federal Automated Vehicle Policy (the “Policy”).  EPIC is a public interest research group established in 1994 to “focus public attention on emerging privacy and civil liberties issues and to protect privacy, freedom of expression, and democratic values in the information age.”

NHTSA published the Policy on September 19, 2016, as a “starting point that provides needed initial guidance to industry, government, and consumers” over how best to address the variety of challenges posed by automated vehicle technology.  (See Request for Comment on “Federal Automated Vehicles Policy,” 81 Fed. Reg. 65,703 (Sept. 23, 2016).)  The Policy added definition to NHTSA’s future handling of automated vehicles in several areas, for example, by classifying vehicles according to their level of automated function.  Public comments to the Policy were due by November 22, 2016.  (Id.) 

In making its comments, EPIC urged NHTSA to revise the Policy to mandate compliance with the Consumer Privacy Bill of Rights (“CPBR”), establish new oversight authority, and protect state privacy rules for autonomous vehicles.  EPIC cited the “troves” of sensitive personal data that automated vehicles collect and disclose and how such data can be used by advertisers:  “advertisers are eager to know, for example, how long a car has been running to determine ‘from the navigation system, they’re about to pass a McDonald’s, the car’s been running for three hours and the child’s probably hungry.’”

EPIC continued by citing what it views as deficiencies in the notices provided by car manufacturers to consumers regarding data collection practices, stating that notices “fail to inform consumers about the true scope of data collection, and none give consumers true control over their data.”

Noting that NHTSA endorsed the CPBR, EPIC recommended that NHTSA revise the Policy in a manner consistent with the CPBR:  “Specifically, NHTSA should remove references to [‘]data privacy notices/agreements[’] in order to restore substantive rights to consumers and limit carmakers’ ability to hide behind incomprehensible privacy policies.  Most importantly, NHTSA should promulgate mandatory, legally enforceable privacy rules for automated vehicle manufacturers.  Voluntary codes of conduct and industry self-regulation simply cannot provide realistic privacy  protections when they are not supported by enforceable legal standards.”

The NHTSA Federal Automated Vehicle Policy can be found here. The request for comments can be found here. The EPIC comments can be found here.