In this first installment of our series on the automotive and mobility sector, Cooley cyber/data/privacy lawyers introduce the key data privacy legal issues facing the automotive and mobility sector and provide an overview of the US state and federal regulatory enforcement environment.
US Regulators Target Automotive Sector
The wave of data privacy investigations in the United States has come for a new target: the automotive industry. Connected vehicles, and the supply chain that supports them, have become a key piece of technology integrated into our daily lives. Ashkan Soltani, executive director of California’s new Privacy Protection Agency (CPPA), summed this up well in July 2023 when he described modern vehicles as “effectively connected computers on wheels.” These “connected computers” are themselves enmeshed with other everyday technology, including our phones, apps and even social media accounts – and they collect significant amounts of information through built-in apps, sensors and cameras.
What does your car know about you?
A better question may be what doesn’t your car know about you? Automotive and mobility companies may collect everything from personal identifiers, government IDs, medical and insurance information, driving history and patterns, and vehicle diagnostic information to biometric data (such as voice or facial recognition data) and precise geolocation data and telematics. This data can reveal the most intimate details of a person’s life, such as their visits to medical or reproductive clinics, places of worship, or domestic violence shelters. By some counts, cars collect data from more than 100 different data points.
Data collected from vehicles and their drivers facilitates personalization of the driving experience: it can predict upcoming maintenance issues and alert the driver, support tailored insurance quotes, and automatically contact law enforcement or emergency services after a crash. But the same data also can be used by auto and mobility companies for their own purposes, unrelated to the provision of driving services.
Importantly, much of this data falls within US privacy laws’ definitions of “personal data” or “personal information” – and some also would be considered “sensitive” personal data subject to heightened protections. While most of the data relates to drivers, it also may relate to passengers and people near the vehicle.
Regulatory backdrop: State consumer privacy laws
Against the backdrop of this extensive data collection, the auto and mobility sector has been criticized for its privacy practices (for example, see this Mozilla report from 2023). Regulators are now starting to scrutinize those practices. While there are few privacy and security regulations specific to the auto industry, many existing general privacy laws (and those soon to take effect) already apply to it.
The passage of the California Consumer Privacy Act (CCPA) in 2018 ushered in a wave of similar comprehensive consumer privacy laws in almost 20 other states to date. Of these, laws in Colorado, Connecticut, Montana, Oregon, Texas, Utah and Virginia are currently in effect. All original equipment manufacturers (OEMs), and many suppliers or technology partners with access to personal data (including those that store such data on behalf of OEMs), will have obligations under these laws.
While these laws vary from state to state, they all impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording consumers certain rights concerning their personal data, such as the right to access, correct, or delete certain personal data, and to opt out of certain data processing activities, such as “sales,” targeted advertising, profiling, and automated decision-making. These state laws provide for civil penalties for noncompliance. For example, the CCPA provides for penalties of up to $2,500 per violation and up to $7,500 per intentional violation.
Enforcement activity in California and Texas
Significantly, one of the first actions of the CPPA after it assumed enforcement authority of the CCPA in 2023 was to announce a review of the privacy practices of connected vehicle manufacturers and related connected vehicle technologies. According to Soltani, “[the] Enforcement Division is making inquiries into the connected vehicle space to understand how these companies are complying with California law when they collect and use consumers’ data.” The announcement highlighted the volume and types of data that cars now ingest (including consumers’ locations, personal preferences, and details about their daily lives), and described features such as location sharing, web-based entertainment, smartphone integration, and cameras as a particular concern for consumer privacy. This review remained ongoing as of April 2024.
Even more recently, the Texas attorney general opened an investigation into several OEMs following reports that certain manufacturers had collected and sold data about drivers to third parties, including insurance providers. Emphasizing the “millions of data points” that OEMs have access to, the attorney general observed that “consumers have grown extremely concerned that their driving data is being reported to their insurance company without their knowledge or authorization,” and declared that the reports “merit a thorough investigation and appropriate enforcement.”
‘Sensitive’ personal data
US state consumer privacy laws generally have heightened protections for “sensitive” personal data, defined to include precise geolocation data and biometric data, among other data elements – in other words, exactly the data that vehicles collect in large quantities. Most of these laws require covered businesses to obtain consumer consent before processing sensitive personal data. In California, the CCPA instead allows consumers to limit a company’s use and disclosure of sensitive personal data in certain circumstances. Most of these laws (Utah’s is a notable exception) also require covered businesses to conduct a data protection assessment before processing sensitive personal data.
What about federal privacy law?
At the federal level, the Federal Trade Commission (FTC) has had connected cars on its radar for at least the past decade. The FTC held an Internet of Things workshop in 2013, followed by a 2015 staff report, which highlighted privacy and security concerns related to connected vehicles. In 2017, the agency co-hosted a connected vehicles workshop with the National Highway Traffic Safety Administration, and its 2018 staff perspective on that workshop called attention to issues ranging from unforeseen secondary data uses to security risks. The FTC also has published guidance reminding consumers to delete the data on their cars before selling them (as one would with a computer or smartphone).
Following the CPPA’s enforcement review and news reports about OEMs allegedly selling driver data to third parties, the FTC published a blog post in May 2024 on cars and consumer data, writing: “Car manufacturers – and all businesses – should take note that the FTC will take action to protect consumers against the illegal collection, use, and disclosure of their personal data.” In the post, the FTC described three recent enforcement themes relevant to the auto and mobility sector: geolocation data, surreptitious disclosure of sensitive data, and automated decision-making based on sensitive data.
Shortly after the FTC’s post, Democratic Sens. Ron Wyden of Oregon and Edward J. Markey of Massachusetts requested that the FTC investigate whether automakers illegally shared driving data with data brokers. They called for the FTC to hold automakers and data brokers – including their senior executives – accountable if violations are found, and to scrutinize the broader industry’s practices. This letter followed another letter from April by the same senators, which focused on automakers’ disclosure of location data to law enforcement agencies.
Unless Congress passes a comprehensive federal privacy law that preempts state laws like the CCPA, OEMs and many other companies in the automotive and mobility sector will need to comply with the patchwork of state laws and heed the FTC’s enforcement authority.
In our next installment, we’ll explore in more detail recent privacy enforcement actions and lessons learned for the automotive and mobility sector.