Connected Carmakers Don't Provide Clear Data Collection, Use, Sharing Notices, Says GAO
No automaker provided clearly written privacy notices about data collected, used and shared through connected vehicles, said a GAO report dated July 28 and released Monday. GAO reviewed consumer privacy issues of more than a dozen connected passenger vehicles manufactured by Ford, General Motors, Honda, Tesla, Toyota and others, and interviewed auto industry groups and CTA and CTIA. An industry spokesman said automakers take privacy seriously. The report also said the National Highway Traffic Safety Administration (NHTSA) needs to provide more clarity on data privacy.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
All 13 automakers said they collected vehicle "health" and location data, but fewer reported collecting motorist behavior and infotainment information like mobile apps used or music selections, said GAO. It said none reported collecting information on vehicle occupants' health or personal communications. The vehicle data that was collected was used for automatic crash notification or roadside assistance for users, R&D to improve safety and performance of cars and for marketing, the report said. GAO said automakers differed on who owned the data. Some said it was unclear while others said they owned it or customers had ownership with automakers having a license to use it. Data ownership is a "potential challenge to achieving gains in transportation safety and efficiency," the report said.
GAO said automakers' use of connected vehicle data could generate revenue between $450 billion and $750 billion by 2030. The report was requested by House Science Research and Technology Subcommittee Chairwoman Barbara Comstock, R-Va., and ranking member Dan Lipinski, D-Ill. A spokesman for the Alliance of Automobile Manufacturers said the group is reviewing the report, but added automakers take privacy "very seriously." He cited industry-developed Consumer Privacy Protection Principles, based on Fair Information Practice Principles, FTC guidance and other best practices, that are "binding public commitments enforceable" by the FTC.
Automakers' privacy notices largely followed leading practices on data accuracy, access and security, accountability, focused data use, individual control and transparency, but the report found their policies didn't clearly state their data sharing and use practices. GAO, which didn't assess the extent to which automakers followed their policies, said most automakers reported they focused on matters like data security. But none of their written notices was "in plain language" and their reported data practices "generally were more limited than suggested in their notices." Companies reported getting "explicit consumer consent" before data collection but offered "few options besides opting out of all connected vehicle services to consumers who did not want to share their data," the report added.
In interviewing several privacy experts, GAO said tracking, loss of consumer control of their personal data and insecure data were concerns. One expert raised the issue of how multiple drivers of one car would be informed about data collection, and others said data sharing with third parties will become a bigger issue. Most experts specifically told GAO that "lack of sufficiently informed consent," disparate treatment among consumers and little or no consumer choice were issues. GAO said most experts didn't think the industry developed guidelines provided sufficient guidance for protecting people's privacy.
The FTC and NHTSA have coordinated on privacy issues but NHTSA hasn't clearly delineated its role and responsibility on data privacy, said GAO. NHTSA doesn't have authority to regulate consumer privacy but can consider privacy impacts of its regulations such as its motor vehicle safety standards, said the report. It's important for the agency to clarify and communicate its privacy role and responsibility, giving automakers better understanding of NHTSA's oversight and coordinating with other agencies, said GAO. "However, if that opportunity is missed, consumers may not fully embrace emerging technologies with potential safety benefits, such as vehicle-to-vehicle technology and automated vehicles," the report said. NHTSA didn't comment.
CTA's Jamie Boone, senior director-government affairs, emailed that the GAO is right about the importance that agencies clearly define and explain their roles. A "consistent, innovation-friendly approach," which recognizes coordination between NHTSA and FTC on privacy and security issues will provide the tech industry "a regulatory environment that recognizes the importance of consumers’ privacy and the freedom to innovate."