By Jenna Andrews
Collecting driver data from “connected cars” is becoming a modern-day gold rush in the automotive industry. A recent McKinsey Report estimated that revenue from harvesting driver data could reach $750 billion by 2030. Today, nearly all vehicles on the market use mobile technologies that allow automakers to gather enormous amounts of information about drivers. The developing self-driving vehicles, which rely on cameras and sensors to operate, generate enough driver data in thirty seconds of driving to fill up the memory on a typical iPhone. This information could include geolocation, driving habits, routine schedules and even biometrics. Although the market for consumer data from vehicles is growing rapidly, legislation addressing privacy and data protection in connected vehicles is proving to be behind the curve.
Connected vehicles have the ability to provide data collectors with highly intimate and commercially valuable information about their operators. For example, sensors used by BMW are sophisticated enough to determine if there is a child riding in the car. Advertisers are eager to use information such as this to alert drivers of child-friendly attractions or services within the location of the car. But do drivers consent to sharing this personal information with the manufacturer of their car or even with unrelated companies?
State Regulation
So far the regulatory framework for connected cars, including autonomous vehicles, is largely developing at the state level. Nine states and the District of Columbia have enacted legislation to regulate the testing and operating of autonomous vehicles. However, most of these laws do not address the collection of consumer data. California has been at the forefront of addressing privacy and data protection concerns in vehicles. The Autonomous Vehicle Deployment Regulation requires manufactures to provide operators with written disclosures of any information collected by the vehicle that is not necessary for safe operation and obtain written approval in order to gather the data from the car.
Federal Regulation
In 2015 the Security and Privacy in Your Car Study Act (SPY Act) was introduced, requiring the National Highway Safety Transportation Administration (NHSTA) to work with the Federal Trade Commission (FTC) to conduct an intensive study of cyber security and privacy practices in cars. The SPY Act of 2015 was a curtailed version of a Senate proposal that called for minimum federal safety and privacy standards. Neither the House nor Senate saw any votes on the act. The SPY Act of 2017 has recently been reintroduced, proposing a similar study conducted by NHSTA in conjunction with the FTC and National Institute of Standard and Technology. The study would identify best practices for securing data collected by vehicles but would not immediately create any new standards or regulations.
Self-Regulation
In the absence of wide-ranging privacy regulations for these data-generating cars, the Alliance of Automobile Manufactures and the Association of Global Automakers have published a set of consumer privacy protection principles. Members of these organizations commit to providing car owners with clear notice of data collection, providing choices regarding use and sharing of information, and providing reasonable measures to protect data. Members agree that new vehicles manufactured in 2017 and beyond will conform to these principles.
However, as driver data becomes easier to collect and the distribution of this data becomes more lucrative, the automotive industry should not be relied upon to police their own consumer protection standards. Car manufacturers are stakeholders in the business of gathering vehicle data, and therefore, it is unlikely that self-regulation will be an adequate method of consumer protection. The proposed SPY Act is a step in the right direction, but in order to prevent the misuse of driver data gathered from connected cars the suggested practices set out by the FTC and NHSTA will need to be legislated and enforced.
Student Bio: Jenna is a Staff Member of the Journal of High Technology Law and 2L at Suffolk University Law School. She holds a B.S. in Marketing from Johnson & Wales University.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.
