On October 24, 2014, the Federal Trade Commission (“FTC”) issued a press release announcing its endorsement of the privacy and security framework proposed by the National Highway Traffic Safety Administration (“NHTSA”) to protect consumer privacy and security related to vehicle-to-vehicle (“V2V”) communications. V2V communication systems are used in motor vehicles to transmit information or “telematics” for safety and convenience purposes, including, for example, detecting and automatically correcting skidding; providing navigation, weather and traffic information; alerting first responders when airbags are deployed; and allowing consumers to control aspects of the vehicle’s functionality through their smartphones. NHTSA published regulations in August 2014 proposing to require V2V communication capability in all passenger cars and light trucks by 2019, and to create minimum performance requirements for V2V devices and messages. NHTSA also asked for comment regarding its proposed framework for protecting consumer privacy and security. FTC’s press release announced the filing of FTC’s formal comment on October 20.
In its comment, the FTC noted its longstanding role as the primary federal agency charged with protecting consumer privacy, both under the Fair Credit Reporting Act and Section 5 of the FTC Act, which authorizes the FTC to take action against deceptive or unfair commercial practices. The FTC next identified three areas of potential privacy and security risks arising from V2V connectivity, identified by participants in a workshop held by the FTC. Workshop participants expressed concerns that (i) connected car technology could be used to track consumers’ precise geolocation over time; (ii) information about driving habits could be used to set car insurance premiums or set prices for other auto-related products without drivers’ knowledge or consent; and (iii) V2V devices could be used to hack into a car’s internal computer network. One participant reported that he had successfully used a telematics unit to hack into a car’s internal computer network and was able to control the vehicle’s brakes.
The FTC commended NHTSA for adopting a privacy and security framework designed to address these risks. First, according to FTC, NHTSA implemented a deliberative, process-based approach to address privacy and security risks by collaborating with numerous stakeholders to undertake a thorough risk assessment. Second, the FTC stated that NHTSA designed the V2V system in a way that limits the amount of data collected and stored to serve only the intended safety and convenience purposes and to prohibit the use of stored records to re-identify a particular individual or vehicle. Finally, the FTC supported NHTSA’s choice not to connect V2V devices to other onboard computers in a way that would permit hackers to access vehicle control systems.