Unless you drive a 1970s vintage model, chances are your car knows a lot about you. Chances are also good that it is sharing at least some of that information with third parties.
This is true not only in the United States but in most of the developed world. While there are exceptions, most countries are just beginning to think about regulating what data cars collect, how they store it and who they share it with.
A recent study in Australia highlights serious privacy issues with internet-connected cars, raising concerns about how car companies handle personal data. Not all of its findings apply in the U.S., so we'll look at the U.S. situation below the Australia report.
Key Findings
Privacy Terms Are Complex:
- Many car brands make it difficult for consumers to access or understand their privacy policies.
- On average, buyers must read multiple documents totaling 14,000 words to understand how their data will be used.
Data Misuse Risks:
- Connected cars send data, like location and driving habits, to manufacturers and third parties.
- Some brands use this data for marketing or predictions about user behavior without clear consent.
- Information could be shared with insurers, data brokers, or even lead to stalking, robbery, or unwanted surveillance.
Limited Privacy Protections:
- Several brands don’t fully recognize what counts as personal information under privacy laws.
- For example, a map of your daily routes might seem anonymous, but it can identify you when combined with other data.
Lack of Consent:
- Many brands collect and use data for vague purposes like “marketing” or “research” without requiring clear, opt-in consent.
What about the U.S.?
It's tricky to compare the U.S. with other countries because each of the 50 states has its own laws, so it's hard to generalize, but here's what a quick survey of the situation found:
1. Consumer Privacy Laws
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
  - If the data is collected from California residents, these laws require transparency, provide rights to access and delete personal information, and regulate its sale or sharing.
  - Includes vehicle data if it identifies or can reasonably be linked to an individual.
- State Laws:
  - States like Virginia, Colorado, Connecticut, and Utah have enacted their own privacy laws that may cover connected car data.
  - These laws vary in scope but often mirror aspects of the CCPA.
2. Federal Privacy and Security Laws
- Gramm-Leach-Bliley Act (GLBA):
  - Applies if financial institutions collect car data related to loans, leases, or insurance.
  - Includes privacy notice requirements and limits on sharing data with third parties.
- Children's Online Privacy Protection Act (COPPA):
  - Governs data collection from connected vehicles used by children under 13 when combined with online services directed at children.
- Federal Trade Commission (FTC) Act:
  - Prohibits unfair or deceptive practices in data collection and sharing. The FTC has taken action against companies failing to secure data in IoT (Internet of Things) devices, including cars.
3. Sector-Specific Guidance
- National Highway Traffic Safety Administration (NHTSA) Guidelines:
  - Not legally binding, but NHTSA promotes best practices for automakers to protect privacy and cybersecurity in connected cars.
- Alliance for Automotive Innovation Privacy Principles:
  - Many automakers voluntarily comply with these self-regulatory principles, which include notice, consent, and control over data collection and sharing.
4. Data Protection and Security Laws
- State Data Breach Notification Laws:
  - Require companies to notify individuals if car-related data breaches involve personal information, such as location or biometric data.
- Cybersecurity Executive Orders:
  - Federal initiatives often address IoT devices, including connected cars, mandating security measures for data.
5. Emerging Federal Privacy Legislation
- Congress has proposed several federal privacy bills, like the American Data Privacy Protection Act (ADPPA), which could provide a nationwide framework for protecting vehicle data.
6. International Implications
- If data from cars is shared across borders, laws like the General Data Protection Regulation (GDPR) in the EU may apply, requiring compliance with stricter privacy and data transfer rules.
Types of Car Data Under Scrutiny
- Personally Identifiable Information (PII): Names, addresses, payment information.
- Telematics Data: GPS location, speed, engine performance.
- Biometric Data: Fingerprints or facial recognition for access.
- Behavioral Data: Driving habits and preferences.
For a comprehensive strategy, automakers and tech companies should conduct regular data privacy impact assessments, implement robust cybersecurity measures, and remain abreast of evolving regulations.
What to do
At the moment, there's not much an individual can do to limit the collection and use of data through their car. The best protection is being aware that your movements can be traced by law enforcement, insurers, car rental companies and other companies and agencies that have an interest in you and your property.
It's worth knowing that all newer cars have what's called an On-Board Diagnostics II (OBD-II) port. It's usually located under the dashboard on the driver’s side, often near the steering column.
It provides access to the vehicle's computer system, enabling technicians to diagnose and troubleshoot issues related to the engine, emissions, and other systems. It can also be used to collect and transmit data and is often used by car rental firms and insurance companies to collect data on their customers.
The port has been mandatory for all cars and light trucks sold in the United States since 1996. It allows reading of diagnostic trouble codes (DTCs), real-time data (e.g., engine speed, fuel trim), and emission system status.
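To make concrete what a dongle plugged into that port can read, here is an added example (not code from the article) that decodes a few OBD-II Mode 01 live-data PIDs and Mode 03 trouble codes using the public SAE J1979 scaling formulas; the frames inside are constructed, not captured from a real vehicle, and the PID names are this example's own labels.

```python
# Added example (not the article's code): decode OBD-II Mode 01 live data and
# Mode 03 trouble codes with the public SAE J1979 scaling formulas. The frames
# in demo() are constructed for illustration, not captured from a vehicle.

# PID -> (name, number of data bytes, scaling over data bytes A and B)
PID_DECODERS = {
    0x05: ("coolant_temp_c", 1, lambda a, b: a - 40),
    0x06: ("short_fuel_trim_b1_pct", 1, lambda a, b: (a - 128) * 100 / 128),
    0x0C: ("engine_rpm", 2, lambda a, b: (256 * a + b) / 4),
    0x0D: ("vehicle_speed_kmh", 1, lambda a, b: a),
}

def decode_mode01(frame_hex):
    """'41 0C 1A F8' -> ('engine_rpm', 1726.0); raises on malformed frames."""
    b = bytes.fromhex(frame_hex.replace(" ", ""))
    if len(b) < 3 or b[0] != 0x41:
        raise ValueError("not a Mode 01 response")
    if b[1] not in PID_DECODERS:
        raise ValueError(f"unsupported PID 0x{b[1]:02X}")
    name, width, scale = PID_DECODERS[b[1]]
    data = b[2:2 + width]
    if len(data) < width:
        raise ValueError("short data field")
    return name, scale(data[0], data[1] if width == 2 else 0)

def decode_dtc(hi, lo):
    """Two DTC bytes (0x01, 0x33) -> 'P0133': top 2 bits pick P/C/B/U."""
    letter = "PCBU"[hi >> 6]
    return f"{letter}{(hi >> 4) & 3}{hi & 0xF:X}{lo >> 4:X}{lo & 0xF:X}"

def decode_mode03(frame_hex, has_count_byte=False):
    """Mode 03 response -> list of DTCs. CAN (ISO 15765-4) inserts a count
    byte after 0x43, legacy protocols do not; 00 00 slots are padding."""
    b = bytes.fromhex(frame_hex.replace(" ", ""))
    if not b or b[0] != 0x43:
        raise ValueError("not a Mode 03 response")
    body = b[2:] if has_count_byte else b[1:]
    return [decode_dtc(body[i], body[i + 1])
            for i in range(0, len(body) - 1, 2)
            if body[i] or body[i + 1]]

def demo():
    """Constructed frames showing what a plugged-in dongle can read."""
    live = dict(decode_mode01(f) for f in
                ["41 0C 1A F8", "41 0D 3C", "41 06 90", "41 05 7B"])
    live["dtcs"] = decode_mode03("43 01 33 00 00 00 00")
    return live

if __name__ == "__main__":
    print(demo())
```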