In a recent post regarding cars and consumer data, the FTC signaled that it is focusing on privacy issues associated with connected vehicles. The FTC’s awareness of the data practices associated with connected cars is not new. In 2013, the agency hosted an “Internet of Things” panel and explored the emergence of smart cars and their ability to capture locational data. A few years later, the FTC continued the conversation by cohosting a workshop with the National Highway Traffic Safety Administration, looking at the growing collection apparatus of connected cars and the ability for modern vehicles to collect potentially sensitive data about occupants, including biometric information or real-time location data.

This week’s post is arguably the most direct and clear signal by the FTC regarding connected vehicles: “Car manufacturers—and all businesses—should take note that the FTC will take action to protect consumers against the illegal collection, use, and disclosure of their persona data.”

Core Areas of FTC Attention

The FTC blog includes the following key takeaways for automakers and other businesses in the automotive and transportation sectors:

• Geolocation data is sensitive and subject to enhanced protections. In recent years, the FTC has brought a number of enforcement cases emphasizing its stance that precise, geolocation data is sensitive data. Citing enforcement actions against X-Mode and InMarket, the Commission, the FTC  remarks that geolocation data can reveal “not just where a person lives and whom they spend time with”, but also other sensitive information like medical treatments they seek and where they worship. The ability of connected cars to reveal consumers’ persistent, precise location places these devices squarely within the ambit of these prior cases. It should send a warning to OEMs that the FTC is willing to enact enhanced protections against the unlawful collection and use of this data including ordering the deletion of the data collected and a prohibition on selling the sensitive location information collected.
• Surreptitious disclosure of sensitive information can be an unfair practice. The FTC once again cautions companies with legitimate access to consumers’ sensitive information to only use that data for the reasons in which it was collected. This guidance builds off of previous enforcement actions such as BetterHelp  and Cerebral, in which the FTC banned the companies from sharing consumers’ sensitive data for advertising purposes after resolving allegations that the firms shared the data with third parties despite making promises that they would only use or disclose the information for limited purposes. The FTC also admonished Cerebral for its alleged failure to clearly disclose that it would share consumers’ sensitive information.
• Using sensitive data for automated decisions can be unlawful. The FTC has been outspoken about its concern that automated, algorithmic decisions can lead to harmful outcomes for consumers. The post cites news reports detailing how data automatically collected about drivers has allegedly been used to create profiles of those individuals, leading to decisions regarding insurance rates and eligibility without consumer consent or awareness.

Consequences of Noncompliance

The FTC is urging auto companies to prioritize the privacy and security of the sensitive data collected by its vehicles.  And the FTC notes that the failure to heed these warnings could result in substantial financial penalties, deletion of the collected data, and a host of other corrective action plans.

With the FTC’s blog post, along with the California Privacy Protection Agency’s recent announcement that it is reviewing data privacy practices associated with connected vehicles and related technologies and the Biden administration’s investigation into national security concerns stemming from connected cars, it is clear that automakers’ privacy practices are under substantial scrutiny. 

Companies in the automotive and transportation sector are well advised to stay abreast of these developments and assess whether their operations are in line with current legal requirements.