Privacy Regulators Pursue Connected Cars, Lawyers Say
Privacy regulators in the U.S. and abroad are scrutinizing how connected vehicles collect and share data about their drivers, said Morrison Foerster attorneys on a webinar Wednesday.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
"Connected vehicles raise serious privacy considerations because they function less like cars and more like rolling computers, constantly collecting, analyzing and transmitting data,” said the firm’s Jonathan Newmark. “They collect vast and continuous streams of data from dozens of onboard sensors and systems."
“This data is sensitive, and it is revealing,” Newmark added. “Location and biometric data can expose deeply personal behaviors, [while] routine driving habits can paint detailed behavioral profiles and data from one trip may be used for targeted advertising, dynamic pricing or even passed to law enforcement with or without the user's knowledge.”
And regulators care, said Newmark and colleagues. Morrison Foerster’s Marian Waldmann Agarwal noted that the California Privacy Protection Agency in 2023 announced a sweep of car companies’ privacy practices (see 2308010014). It was "clear evidence that the California regulator sees cars as data dense platforms similar to our smartphones,” she said.
Earlier this year, CalPrivacy announced an enforcement action against Honda (see 2503120037). However, taking a “broad-based investigatory path,” the state privacy regulator swerved from the car-specific topics that some might have expected, privacy lawyer Edward Chang said.
"While the original focus was on the vehicle telematics collection” and how it might be shared with third parties, “what the enforcement action actually landed on was the [car manufacturer’s] practices on their website,” said Chang. "It's likely that [CalPrivacy] saw what this [car company] was doing with their vehicle data collection, and … wasn't sure if there was enough there. And so then [it] shifted gears to the website data collection practices.”
The FTC has signaled a focus on connected vehicles at the federal level as well, said Newmark. He cited May 2024 guidance on privacy concerns specific to connected vehicles, related to collection of geolocation data, disclosure of sensitive info beyond specified purposes and the use of sensitive data for automated decisions.
Overseas, the European Data Protection Board adopted connected car guidelines back in March 2021, noted Alex van der Wolk, another attorney at the firm. Not all of it is up to date, he said. More recently, the EU Data Act came into effect in September, said the lawyer: “The Data Act was not written specifically for vehicles," but "it does also apply to vehicles."