Carmakers Justify Police Data Sharing Amid Congressional Probe

Oct. 1, 2024, 9:03 AM UTC

Carmakers have for a decade cited an industry group’s code of conduct to stress their privacy standards, but Congress is now investigating alleged “brazenness of the automakers’ deception” over troves of driver data shared with police.

Toyota Motor Corp., Volkswagen AG, Ford Motor Co. and other members of the code have pledged not to share driver location information with any government entity, including police, without “a warrant or a court order,” in the absence of consent, Hilary Cain, a senior executive for the Alliance for Automotive Innovation, told attorneys and privacy researchers on Sept. 17.

The reality is that at least a third of these carmakers aren’t following the principles they agreed to in 2014, as the universe of data cars collect about drivers continues to grow, according to an investigation by two members of Congress. Still, the automakers’ lobbying group says the pledge is best-in-class—and has no public plans to change or strengthen its privacy commitments.

Whether car companies’ privacy promises are deceptive or simply up-to-interpretation given a piecemeal approach to US privacy regulation is a hot debate between the industry and lawmakers. Caught in the middle are consumers signing away sensitive data in a notice-and-consent model that still leaves them in the dark.

“The automakers’ privacy code of conduct only provides consumers with the illusion of privacy,” Sen. Edward Markey (D-Mass.) told Bloomberg Law. “It’s a smoke screen.”

The carmakers’ group insists generating vehicle data doesn’t amount to surveillance. In a five-page memo published in December 2023 about the deep correlation between driver safety and data collected by vehicles, the alliance said, “Yes, your vehicle is generating and transmitting safety data. That’s by design. No, your car isn’t spying on you.”

The Code

Over the past decade, cars’ ability to collect data has evolved to power new infotainment and safety features. Cars can now gobble up biometric data, eye movements, and sexual activity, according to Mozilla research. Meanwhile, the voluntary principles in the code of conduct have been reviewed twice since their inception in 2014—once in 2018 and once in 2022—but with no changes made, despite the expansive shift in data collection.

“To date, the industry has concluded that the Privacy Principles in their current form continue to provide greater protection to consumers than what is available through other codes of conduct or through comprehensive privacy laws that have been enacted in various states,” Cain said in a Sept. 26 statement to Bloomberg Law.

The code says carmakers need to gain drivers’ informed consent to use or share geolocation information, biometrics, or driver behavior information with third parties. But carmakers don’t need consent to use or share that data “to comply with a lawful government request, regulatory requirement, legal order, or similar obligation.”

For geolocation data specifically, carmakers can only give out their drivers’ information in response to a warrant or court order, “absent exigent circumstances,” per the principles.

“My investigation with Senator Markey found that most auto companies haven’t been living up to their public promises to protect their customers’ location and driving data,” Sen. Ron Wyden (D-Ore.) said in an email. “The code of conduct isn’t worth the paper it is printed on if car companies blatantly ignore it.”

A key issue for Markey and Wyden is that some carmakers revealed to Congress they’d turn over location data to the government “with a mere subpoena,” which the senators don’t see as a high enough bar compared to a court order or warrant.

Toyota, Nissan Motor Corp., Subaru Corp., Volkswagen, BMW, Mazda Motor Corp., Mercedes-Benz Group AG, and Kia Corp. confirmed they will share location data with government agencies in response to subpoenas, according to the senators’ April letter to the Federal Trade Commission.

The code of conduct’s broad language, coupled with an “ambiguous” legal landscape over the government’s requirements for police to access car data, has left some carmakers to interpret the code differently, Cain said.

The agreement doesn’t define the term ‘court order,’ for example, which led some companies to decide that “at least some subset of subpoenas” are sufficiently equivalent, she said. This could include a judicial subpoena, where “a failure to comply may be punishable as a contempt of court.”

Different types of subpoenas—ranging from administrative type of subpoenas to those issued by law enforcement—carry “different weights,” said Matthew Baker, cybersecurity and privacy group chair at Baker Botts. “I think that the average consumer would not appreciate what that means within a privacy notice.”

Current privacy frameworks—namely, the European Union’s General Data Protection Regulation and the California Consumer Privacy Act—emphasize the need for consumers to adequately understand their data rights, he explained.

While the automakers’ privacy principles were voluntary, Markey and Wyden have called on the Federal Trade Commission to leverage its jurisdiction under its prohibition against unfair, deceptive acts in commerce.

The FTC declined to comment for this story.

If carmakers are indeed making these types of representations publicly—and outwardly promoting or embracing them to their consumer base—“I can see a way in which that, at a minimum, the FTC could take up their enforcement authority and make this actionable,” said Baker.

Without the current principles, “there would not be any nationwide protections for consumers with respect to vehicle data,” Cain said, pointing to the lack of a federal privacy law.

“So, frankly, I’m surprised when automakers get criticized for the Privacy Principles by federal policymakers,” she added.

Meanwhile, on the Hill, several lawmakers have proposed acts to strengthen privacy protections for car data. On Sept. 25, Sen. Jeff Merkley (D-Ore.) introduced the Car Privacy Rights Act, which would require companies and third parties to give drivers an option to opt out of data collection.

Drivers’ “most sensitive and private data,” including biometrics and location information, currently falls under a regulatory “Wild West,” said Elizabeth Goitein, senior director of the Brennan Center for Justice’s Liberty & National Security Program. “And then you get things like these policies, voluntary codes of conduct, which are incredibly misleading.”

To contact the reporters on this story: Cassandre Coyer in Washington at ccoyer@bloombergindustry.com; Jorja Siemons in Washington at jsiemons@bloombergindustry.com

To contact the editors responsible for this story: Kartikay Mehrotra at kmehrotra@bloombergindustry.com; Stephanie Gleason at sgleason@bloombergindustry.com
