Navigating the Privacy Pitfalls of Connected Cars: A Call for Industry Self-Regulation

Eric D. Reicin, President & CEO, BBB National Programs

On my recent visit to the Consumer Electronics Show in Las Vegas, I explored a vast floor of autonomous vehicle technology suppliers and other manufacturers tied to automotive innovation. This tour underscored for me that connected cars – those equipped with connectivity, integrated data systems, cameras sensing driver activity, and technology that communicates with the world around the car – hold great promise to improve vehicle safety and customer experience and enable the advancement of autonomous technologies.

However, the very systems that allow connected cars to operate efficiently also potentially pose privacy risks for everyday consumers.

For example, in recent months, there’s been an emphasis on car data’s role in helping law enforcement solve criminal cases. And while there is a need for policymakers, in concert with law enforcement, to sort through the role of connected cars in criminal investigations, the broader public is arguably more concerned with how this information may be used, misused, or accessed in general. Recently, Andy Greenberg reported how a vulnerability exposed one automaker’s cars to remote hacking, revealing location data for a year.

When it comes to navigating privacy challenges in the automotive and mobility sector, the crux of the issue lies in the vast amount of sensitive information that connected cars collect. Policymakers are grappling with how to draft laws that protect consumers while not stifling the development of the emerging connected car industry.

If policymakers are struggling to find a solution to a vexing public policy problem, my instinct is to try to identify a solution through independent industry self-regulation. In this instance, the automotive industry, in collaboration with privacy compliance professionals, could take the lead in developing a robust self-regulatory framework.

"Connected cars" refers to vehicles equipped with communications systems that connect to other devices and external networks. For example, connected cars track when and where drivers travel, how fast they go, when they slam on the brakes, how long they remain at certain locations, and the routes they take. 

Other data – such as use of in-car entertainment and traffic systems, information from connected devices such as phones, driver and passenger activity through in-car or external cameras, or voice commands – can reveal intimate details about a person’s lifestyle and habits. Such data can be leveraged or sold for purposes beyond what a consumer would expect or consent to, raising privacy questions. As a recent Forbes Tech Council piece put it, “vehicles are collecting data and customer consent may not matter.”

Of course, it does matter, and the questions become even more pressing when considering the potential for connected car data to be hacked or exploited by third parties. This risk is heightened by the fact that many automakers share data with third-party companies (for a fee), including insurance providers, data brokers, advertisers, and marketing firms.

Currently, there is no comprehensive federal framework for the regulation of connected car data. The Federal Trade Commission (FTC) has taken some steps to regulate the collection of data in vehicles, focusing on consumer protection and preventing deceptive practices. For instance, at the very end of the Biden administration, the FTC announced it was taking action against an automaker over allegations that it collected driving behavior data used to set insurance rates without adequately notifying consumers and obtaining their affirmative consent. Also, the U.S. Department of Commerce recently finalized a rule on protecting connected vehicle supply chains from foreign adversary threats.

Meanwhile, some states have focused on regulating how car manufacturers handle consumer data, while others have considered measures to restrict the use of car data by third parties. With no cohesive national or state-by-state strategy, consumers are left vulnerable. State attorneys general are taking notice. Just last month, Texas Attorney General Ken Paxton sued two insurance carriers for unlawfully collecting, using, and selling driving data. 

While federal and state policymakers debate how best to regulate connected cars, the automotive industry has an opportunity to take proactive steps toward protecting consumer privacy through industry self-regulation. This approach could involve collaboration among stakeholders to establish clear, transparent guidelines for how data is collected, stored, and shared. Such an approach would not be starting from scratch, as the Autonomous Vehicle Industry Association has already stated its commitment to “securing American leadership in autonomous vehicles,” and the Alliance for Automotive Innovation has a number of resources on connected vehicles. 

A self-regulatory framework would allow for quicker implementation of privacy protections than waiting for the government. Industry self-regulation would also enable industry stakeholders to tailor the framework to the specific needs and challenges of connected vehicles, ensuring that it is both practical and effective.

Key elements of a self-regulatory framework might include:
  • Data Transparency: Automakers clearly informing consumers about what data is being collected, how it will be used, and with whom it will be shared. A critical issue here is ensuring this information is provided to consumers at a time, in a place, and in a manner that allows them to process and understand it.
  • Consumer Control: Getting consumers’ informed consent before sharing their sensitive data and giving consumers the ability to control their data.
  • Data Security: Adopting industry-wide robust security measures to prevent unauthorized access to connected car data, including regular vulnerability testing.
  • Data Minimization: Committing to only keeping data that is appropriate, informed by asking whether the data is necessary for regulatory purposes or for product optimization and customer experience. Given current financial modeling, stakeholders would likely debate data minimization parameters.

As lawmakers struggle to craft meaningful privacy protections, the auto industry has a unique opportunity to enhance trust with consumers by taking responsibility for safeguarding consumer data. By establishing self-regulation standards in collaboration with privacy experts, the industry can protect privacy, improve transparency, and ensure that connected vehicles become and remain a safe and reliable technology for all users.

Originally published in Forbes