On August 28, 2017, the U.S. Government Accountability Office (“GAO”) publicly released a report regarding consumer privacy issues associated with the rapidly increasing number of cars that are “connected”—i.e., capable of wirelessly monitoring, collecting, and transmitting information about their internal and external environments. The report examines four key issues: (1) the types of data collected by connected cars and transmitted to selected automakers, and how such automakers use and share such data; (2) the extent to which selected automakers’ privacy policies are in line with established privacy best practices; (3) selected experts’ views on privacy issues related to connected cars; and (4) federal roles and efforts related to consumer privacy and connected cars.

Process

The GAO turned to a variety of resources to explore the four identified issues. For starters, the GAO conducted a series of interviews with relevant industry associations, organizations that work with consumer privacy issues, and a sample of sixteen automakers (thirteen of which offered connected vehicles) based on their vehicle sales in the U.S. In addition, the GAO analyzed selected automakers’ privacy policies and compared them to privacy frameworks developed by the Organization for Economic Cooperation and Development (“OECD”) as well as the Federal Trade Commission (“FTC”), the National Highway Traffic Safety Administration (“NHTSA”), and the National Institute of Standards and Technology (“NIST”). Finally, the GAO consulted relevant sources (e.g., federal statutes, regulations, and reports) and interviewed agency officials, including those from the Department of Transportation (“DOT”), the FTC, and the Department of Commerce.

Findings: Data Collection, Use, and Dissemination

  • Types of Data Collected: All thirteen of the selected automakers that offered connected vehicles reported collecting, using, and sharing data gathered through those vehicles. In addition, all thirteen confirmed that they collect vehicle health and location data. However, fewer automakers said that they collect driver behavior and “infotainment” data, such as music selections and the mobile applications used. None of the thirteen automakers reported collecting passengers’ biometric and health data or personal communications.
  • Limited Use: All thirteen automakers reported using collected data for fairly limited purposes. For example, they all reported using collected data to provide services, such as automatic crash notification or roadside assistance. In addition, all but one reported using collected data for research and development, specifically to improve their vehicles’ safety and performance. Far fewer (five out of thirteen) used collected data for marketing purposes.
  • No Sharing (Yet): All thirteen automakers said they typically do not share collected data with unaffiliated third parties such as data brokers. However, some automakers emphasized that their current use and sharing practices may change as the industry evolves and the amount and types of data collected expand. The GAO report therefore acknowledged that as the connected car industry expands, “the extent of data collection, use, and sharing will likely grow.”

Findings: Privacy Policies and Other Notices

The GAO identified six leading privacy practices most relevant to connected vehicles: (1) transparency, (2) focused data use, (3) data security, (4) data access and accuracy, (5) individual control, and (6) accountability. The report then assessed whether each selected automaker’s privacy policies reflected such practices, and found that most of them did. For example, most automakers reported limiting the sharing of data, limiting the collection and use of data, obtaining explicit consumer consent before collection, and using data security safeguards to protect passengers’ information. In addition, they all had written privacy policies that were readily accessible.

However, the GAO found that none of the privacy policies were written clearly or even accurately—instead, they were laden with legalese, and their reported data collection, use, and sharing practices generally were more limited than suggested in the notices. Moreover, although automakers obtained opt-in consent before collecting data from vehicles, they offered few options for consumers who do not wish to share their data besides opting out of all connected vehicle services.

Who’s In Charge?

The GAO report found that it is unclear to automakers what role the NHTSA will play with respect to consumer privacy and connected cars. The FTC largely is recognized as the entity primarily responsible for protecting consumer privacy, but the NHTSA has played an increasing role, as well. In the past, the two agencies have coordinated on privacy issues related to connected cars, even co-hosting a workshop in June 2017 to examine such issues. In addition, the DOT and NHTSA recently promulgated a Notice of Proposed Rulemaking (“NPRM”) that urged automakers to address consumers’ privacy concerns regarding vehicle-to-vehicle (“V2V”) communications systems meant to track and share cars’ location. In addition, NHTSA has created a voluntary Federal Automated Vehicles Policy that includes recommended privacy considerations.

The GAO report found that, given the fact that the NHTSA has no specific authority to address consumer privacy concerns, the NHTSA’s increased activity in this space has ended up confusing automakers. As a result, the report recommended that the Secretary of Transportation direct the NHTSA to define, document, and externally communicate its roles and responsibilities in relation to vehicle data privacy. The GAO believes that once the NHTSA clarifies its role, it will be better able to coordinate with other agencies and more effectively oversee the emerging (and quickly growing) connected car industry.