Addressing Privacy and Cybersecurity Issues in the Automotive and Mobility Industry | Cooley LLP

Navigating the Data Privacy Landscape in the Automotive and Mobility Sector

In the rapidly evolving world of automotive technology, the intersection of data privacy and consumer protection has become a focal point for regulators and industry stakeholders alike. As vehicles transform into sophisticated connected devices, the implications for data privacy are profound. In this first installment of our series on the automotive and mobility sector, we delve into the key data privacy legal issues facing this industry and provide an overview of the regulatory environment at both the state and federal levels in the United States.

US Regulators Target the Automotive Sector

The automotive industry is experiencing a surge of scrutiny from US regulators, particularly as connected vehicles become ubiquitous. Ashkan Soltani, the executive director of California’s new Privacy Protection Agency (CPPA), aptly described modern vehicles as “effectively connected computers on wheels.” This characterization underscores the extensive data collection capabilities of these vehicles, which are integrated with smartphones, apps, and social media, gathering vast amounts of information through built-in sensors, cameras, and applications.

What Does Your Car Know About You?

The range of data that vehicles collect is staggering. Automotive and mobility companies may gather a wide array of information, including personal identifiers, government IDs, medical and insurance information, driving history, vehicle diagnostics, and even biometric data like voice and facial recognition. This data can reveal intimate details about individuals, such as their visits to medical facilities or places of worship. Estimates suggest that cars can collect more than 100 different data points, raising significant privacy concerns.

While this data collection can enhance the driving experience—enabling personalized services, predictive maintenance alerts, and emergency assistance—it also poses risks. Companies may use this data for purposes unrelated to driving services, leading to potential misuse and privacy violations. Importantly, much of the data collected falls under the definitions of “personal data” or “personal information” as outlined in US privacy laws, with some data classified as “sensitive” and subject to stricter protections.

Regulatory Backdrop: State Consumer Privacy Laws

The automotive sector has faced increasing criticism regarding its privacy practices, as highlighted in a 2023 Mozilla report. In response, regulators are beginning to take action. Although there are few regulations specifically targeting the automotive industry, existing general privacy laws apply to it. The California Consumer Privacy Act (CCPA), enacted in 2018, has inspired similar laws in nearly 20 other states, including Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia.

These state laws impose various obligations on businesses, including the requirement to provide clear privacy notices and grant consumers rights over their personal data. Consumers can access, correct, or delete their data and opt out of certain data processing activities. Noncompliance can result in significant fines, with the CCPA allowing penalties of up to $7,500 per intentional violation.

Enforcement Activity in California and Texas

The enforcement landscape is becoming increasingly active. One of the first actions taken by the CPPA after assuming enforcement authority in 2023 was to review the privacy practices of connected vehicle manufacturers. Soltani noted that the Enforcement Division is investigating how these companies comply with California law regarding data collection and usage. The review focuses on the extensive data collected by vehicles, including location, personal preferences, and daily life details.

In Texas, the attorney general launched an investigation into several original equipment manufacturers (OEMs) following reports that they had collected and sold driver data to third parties without consent. The attorney general emphasized the public’s growing concern over the unauthorized sharing of driving data, prompting a thorough investigation into these practices.

‘Sensitive’ Personal Data

US state consumer privacy laws typically provide heightened protections for “sensitive” personal data, which includes precise geolocation and biometric data—exactly the types of data that vehicles collect in abundance. Most of these laws require businesses to obtain consumer consent before processing sensitive data. In California, the CCPA allows consumers to limit the use and disclosure of sensitive personal data under certain circumstances. Additionally, businesses must conduct data protection assessments related to the processing of sensitive data.

What About Federal Privacy Law?

At the federal level, the Federal Trade Commission (FTC) has been monitoring connected vehicles for over a decade. The agency has held workshops and published reports addressing privacy and security concerns related to connected cars. Following the CPPA’s enforcement actions and reports of OEMs selling driver data, the FTC reiterated its commitment to protecting consumers from illegal data practices. The agency highlighted enforcement themes relevant to the automotive sector, including geolocation data, surreptitious data disclosures, and automated decision-making.

In light of these developments, Democratic Senators Ron Wyden and Edward J. Markey have called on the FTC to investigate whether automakers have illegally shared driving data with data brokers. They urged the agency to hold automakers and data brokers accountable for any violations.

Conclusion

As the automotive and mobility sector continues to evolve, the legal landscape surrounding data privacy is becoming increasingly complex. With a patchwork of state laws and heightened scrutiny from federal regulators, OEMs and related companies must navigate these challenges carefully. In our next installment, we will explore recent privacy enforcement actions and the lessons learned for the automotive and mobility sector.

For more insights into navigating privacy and cybersecurity challenges in the automotive and mobility sector, visit Cooley’s resource page.
