Recent U.S. developments indicate a growing focus on regulating and investigating the data privacy practices of companies in the automotive sector. The Federal Trade Commission (FTC) recently highlighted in a blog post its concerns with data collected by automobiles, emphasizing the importance of consumer privacy and security when it comes to location data and other types of sensitive information. This follows a letter sent by Senators Ron Wyden and Ed Markey to the FTC urging the agency to investigate the data privacy practices of automakers related to the sharing of location data with law enforcement agencies. The Federal Communications Commission (FCC) also announced its intention to scrutinize the connectivity practices of automakers because of potential abuses related to consumer data.
Meanwhile, as states continue to enact privacy laws, there is a growing potential for state attorneys general to investigate the data practices of automotive companies. Given the heightened scrutiny by both federal and state regulators, it is crucial for companies across the automotive sector to stay informed about and compliant with the evolving legal landscape to mitigate potential risks. Recent notable developments and key considerations are detailed below.
Federal Inquiries on the Rise
Earlier this year, Senator Markey sent a letter to FTC Chair Lina Khan calling for the FTC to investigate automakers’ data practices and protect the privacy of all road users. The letter follows Senator Markey’s inquiries into auto companies’ privacy practices late last year. “From the basic functioning of different vehicle features to real-time location information to biometric information,” the letter stated, “carmakers now have access to a wide variety of sensitive data on drivers and passengers.” Senator Markey’s letter also highlighted data collection of individuals outside of the vehicle in the case of autonomous vehicles equipped with exterior-facing cameras. Senator Markey urged the Commission to “take all necessary enforcement actions” against automakers to protect consumer privacy.
In April 2024, Senators Wyden and Markey sent a joint letter to the FTC requesting that the agency investigate automakers’ practices related to sharing location data with law enforcement agencies. According to the letter, vehicle manufacturers misled consumers by failing to honor voluntary commitments to require a warrant or court order before providing customer location data to government agencies. The senators asserted that this may constitute deceptive conduct prohibited by Section 5 of the FTC Act.
Two weeks after this joint letter was released, the FTC published a blog post signaling the agency’s focus on connected cars and consumer data, including “biometric, telematic, geolocation, video, and other personal information.” Pointing to several recent enforcement actions, the blog post highlights how emerging principles from these actions could be adapted in the connected vehicle context. Specifically, the FTC emphasizes that the collection, use, and disclosure of geolocation data can be considered an unfair practice in violation of the FTC Act, noting the potential for vehicles to reveal persistent, precise location information. Notably, the blog post adds that using sensitive data for automated decisions may also be unlawful if doing so produces “harmful” results.
The FCC has also expressed privacy concerns related to connected cars. The FCC has authority under the Safe Connections Act to help survivors of domestic violence and abuse to access safe and affordable connectivity, and the agency has recently taken steps to extend this authority to connected vehicles. In January 2024, FCC Chair Rosenworcel sent letters to nine of the largest automakers serving the U.S. market, asking about the connected cars they offer; how companies retain, share, or sell drivers’ geolocation data; and plans to support domestic abuse survivors to avoid misuse of connected car tools by abusers. Following responses from automakers, the FCC issued a Notice of Proposed Rulemaking (NPRM) seeking comment on whether the FCC’s rules implementing the Safe Connections Act should be updated to address the impact of “connected car services” on domestic violence survivors, as well as other steps the FCC could take to support domestic violence survivors’ access to safe connected cars. The NPRM noted that connected cars may enable abusers to track survivors using the vehicle’s location-based services, and asked specifically whether providing consumers with more information about vehicle privacy controls could prevent misuse of connected car services.
States Racing to Enforce
The continued proliferation of state consumer privacy laws also impacts the automotive industry. As of May 2024, 19 states had enacted such laws. These laws regulate personal data broadly across industries, and two states have publicly targeted the automotive sector as an enforcement priority. Last year, the California Privacy Protection Agency (CPPA) announced a review of connected vehicle manufacturers and related technologies as the new agency’s first enforcement activity under the California Consumer Privacy Act (CCPA). Emphasizing the critical nature of privacy compliance, the announcement highlighted that modern vehicles can “collect a wealth of information” and “often automatically gather consumers’ locations, personal preferences, and details about their daily lives.” In the announcement, the CPPA disclosed that it had sent inquiries about CCPA compliance to companies in the connected vehicle space.
The Connecticut Office of the Attorney General (OAG) has also publicly prioritized the automotive sector as an enforcement target under the Connecticut Data Privacy Act (CTDPA), which became effective in 2023. Within six months of the CTDPA going into effect, the OAG stated that it had issued “over a dozen” notices of violations. At least one such notice was sent to a car brand. According to a report published by the OAG earlier this year, the OAG sent a notice of violation to an unnamed car brand following a public report that, according to the OAG, raised “serious privacy concerns regarding connected vehicles.” As states continue to ramp up privacy enforcement, companies in the automotive sector should remain attentive to enforcement developments and ensure their practices comply with evolving privacy requirements.
About Venable
Venable’s Technology and Innovation practice, which includes the Privacy and Data Security Practice Group and the Autonomous and Connected Mobility Practice Group, has extensive experience counseling clients in the automotive sector on privacy policy, investigations, and compliance. Please feel free to reach out to us if you would like to learn more about federal or state privacy legislation, applicability to your organization, or what you can do to assess your compliance posture with respect to new laws.