From The Editor | August 2, 2023

Connected Vehicles, Personal Data, And You

John Headshot cropped 500 px wide

By John Oncea, Editor

Law Matrix-GettyImages-597674500

The integration of advanced technology in vehicles presents regulatory challenges related to safety standards and the establishment of guidelines for connected vehicles on public roads. It also raises concerns about the large amounts of data, including personal and sensitive information, that are being collected, stored, and used.

Connected vehicles are a result of integrating internet connectivity and various communication protocols that allow the vehicle to connect to other devices, networks, and cloud-based services. Common features include GPS navigation, real-time traffic updates, remote vehicle control, and over-the-air software updates, all of which help enhance vehicle safety, improve efficiency, and provide various services to drivers and passengers.

Vehicle-to-vehicle (V2V) communication can enhance safety by providing warnings about potential collisions or dangerous road conditions and vehicle-to-infrastructure (V2I) communication allows vehicles to communicate with infrastructure elements like traffic lights, road signs, and traffic management systems. V2V and V2I can improve traffic flow, optimize traffic signal timings, and provide drivers with valuable information about road conditions and potential hazards.

Telematics, a field that combines telecommunications and informatics in vehicles, is another concept at play when discussing connected vehicles. It involves the transmission of data from the vehicle to remote locations and can be used for vehicle tracking, fleet management, and insurance-based programs that monitor driving behavior.

All this connectivity comes with risk, including cybersecurity concerns. As vehicles become more connected and reliant on software systems, protecting them from potential cyberattacks ensures the safety of vehicle occupants.

While keeping occupants physically safe is most important, keeping the huge amounts of data produced when operating a connected vehicle – everything from driving habits to personal information – is a close second. This means ensuring data privacy and implementing robust data protection measures is critical.

Who’s Tracking You?

A connected vehicle can gather a wealth of information about your journey, including road conditions and even if you've gained weight since your last ride, writes Politico. If you link your phone to the car's Bluetooth system, it also can access your contacts. While most of the data that cars collect pertains to the vehicle's performance, such as engine temperature and tire pressure, there is a demand for personal driver data, like your name and location, from industries like insurance, marketing, and car repairs.

The data mined when operating a connected vehicle is “shared with manufacturers and held for years under privacy policies that allow vast and near-unrestricted use of the data they collect,” reports TechCrunch. “Manufacturers can share or sell that information with data brokers, which when combined with web browsing and phone data can be used to profile users for targeted advertising.

“Collecting huge amounts of vehicle data also makes it obtainable by law enforcement agencies, which can demand vehicle data from in-car entertainment systems, collected by car manufacturers, and used for tracking and surveillance.”

“There is significant potential on applications using anonymous data, but there is far more market potential with applications on personal data,” Frederic Bruneteau, the managing director of the Ptolemus Consulting Group told Politico. “The need to have consent management that is efficient is crucial.”

The question, then, is who owns the data – the vehicle manufacturer or the driver/owner of the vehicle? This issue is complicated by the presence of multiple drivers and the fact that the vehicle owner may not always be the primary driver, instead being a leasing company or other entity. Furthermore, vehicles frequently change hands and can have multiple owners over time.

A Harvard study, Who owns the data generated by your smart car?, concluded that while the consumer may own the vehicle, in practice it is the manufacturer who is in most cases in control of the data. That’s just one opinion, however, and the longer it takes to decide, privacy advocates worry that lawmakers will have a much more difficult time protecting people’s information.

So, About That Legislation

According to Politico, privacy laws concerning ownership of car data, such as the 2015 Driver Privacy Act, already exist. This law states that any data collected by a car’s Event Data Recorder (EDR) belongs to the car owner and requires consent or a warrant for third parties to use the data. However, with the emergence of connected cars, the EDR only accounts for a small portion of the data collected. Since 2015, no federal laws have been passed to protect driver privacy, which allows car manufacturers to collect and sell location data on drivers who have opted into services like GPS and roadside assistance.

“We think it’s way past due time to update the Driver Privacy Act,” Politico quotes Andrea Amico, the founder of Privacy4Cars, as saying. Amico warns that infotainment systems collect at least as much data as the EDR does, and it can be extracted without a warrant.

Conversely, industry groups are also trying to weaken privacy regulations.

“In June 2020, the Alliance for Automotive Innovation made recommendations for privacy regulations to the Uniform Law Commission. In the letter, the industry group recommended changing the definition of ‘personal data’ to exclude ‘pseudonymized data,’ which has had names stripped from it,” writes Politico. “Though data brokers use lots of such data, it is often relatively easy to “de-anonymize” it and figure out which pseudonym corresponds to which real person.”

Although there is currently no specific legislation regarding cars, lawmakers are advocating for a comprehensive data privacy bill that encompasses all types of data, regardless of the device used to collect it. The Committee approved this bill, but it requires the support of Senate Commerce Committee chair, Maria Cantwell (D-WA) to become law.

One of the bill's provisions mandates that automakers obtain “affirmative express consent” before collecting data for specific purposes. This regulation is necessary to prevent car manufacturers from exploiting data collected for life-saving purposes, such as emergency roadside assistance, for their profit.

“The problem is once you agree to that, what consumers don’t realize is that you are also agreeing for the same data, your second-by-second geolocation data, your medical profile, anything connected to the car, is available for essentially any other purpose,” Amico said.

Which Brings Us To California

The California Privacy Protection Agency was established by a 2020 ballot initiative that toughened The California Consumer Privacy Act of 2018. The agency conducts operations to enforce Californians’ right to learn what is being collected about them, the right to stop that information from being spread, and the right to have it deleted.

According to The Washington Post, the CPPA “said its enforcement division would review manufacturer’s treatment of data collected from vehicles, including locations, smartphone connections, and images from cameras.”

“Modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle,” Ashkan Soltani, CPPA’s executive director, said in a statement. “Our Enforcement Division is making inquiries into the connected vehicle space to understand how these companies are complying with California law when they collect and use consumers’ data.”

California regulators could gain valuable insights by collaborating with their European counterparts on vehicle data privacy, writes The Post. In contrast to Washington where a national privacy law has yet to be passed due to lack of consensus, European investigations have compelled automakers to provide greater transparency regarding data collection and more options for users to control it.

The CPPA's inaugural investigation is a crucial turning point that could impact the future of privacy regulations and practices within the automotive and mobile technology industries. This California initiative is not limited to the state and could signify a wider trend toward more stringent regulation and enforcement in this sector. As connected cars become increasingly prevalent, all stakeholders - including regulators, industry, and consumers – must be vigilant in navigating this intricate landscape, with privacy as a top priority.