The advent of connected cars has brought with it a wealth of conveniences, such as the ability to unlock vehicles using an app or play internet radio stations. However, this connectivity also enables these vehicles to gather substantial amounts of data about their users. This data, which can include sensitive information like biometric details and location, poses potential threats to consumers' privacy and financial well-being.
The Federal Trade Commission (FTC) has been monitoring the issue of connected cars for several years. The agency expressed its concerns related to these vehicles during an "Internet of Things" workshop in 2013, followed by a report in 2015. In 2018, the FTC hosted a workshop focusing on issues ranging from unexpected secondary uses of data to security risks associated with connected cars. The agency has also published guidance advising consumers to erase the data on their cars before selling them, similar to what one would do when reselling a computer or smartphone.
Privacy advocates have consistently voiced concerns about the vast amount of data that could be collected from cars, including biometric, telematic, geolocation, video, and other personal information. News reports have suggested that data from connected cars could be used for stalking or affecting insurance rates. There are also concerns that when any company collects a large amount of sensitive data, it can pose national security issues if that data is shared with foreign actors.
The FTC has warned car manufacturers and all businesses that it will take action to protect consumers against illegal collection, use, and disclosure of their personal data. Recent enforcement actions illustrate this commitment:
- Geolocation data is considered sensitive and subject to enhanced protections under the FTC Act. In cases such as X-Mode and InMarket, the FTC alleged that collected location data could be used unlawfully.
- Surreptitious disclosure of sensitive information can be deemed an unfair practice. Companies must ensure that they use consumer's sensitive information only for reasons initially stated when the data was collected. Recent actions against BetterHelp and Cerebral underscore this point.
- Using sensitive data for automated decisions can also be unlawful. The FTC's recent action against Rite Aid is a case in point.
These cases highlight the significant potential liability associated with the collection, use, and disclosure of sensitive data. The FTC has stated that firms do not have the free license to monetize people’s information beyond purposes needed to provide their requested product or service.
The most straightforward way for companies to avoid harming consumers through the collection, use, and sharing of sensitive information is by not collecting it in the first place. All businesses, including auto manufacturers, are capable of building products with safeguards that protect consumers when they are motivated to do so.
