A probe by the California Privacy Protection Agency into consumer data collected by automakers could shed light on how the powerful regulator will use its authority to investigate other industries in its quest to protect the privacy rights of more than 39 million state residents.
Consumer advocates said they hope the investigation leads to more consumers exercising their privacy rights, spurred on by the only US regulator solely dedicated to privacy that has made connected cars its first test case. The probe could be wide-ranging given the vast amounts of data collected from vehicles with such features as geolocation tracking or videos captured by car cameras.
Meanwhile, car manufacturers that collect and share the data are expected to be more vigilant. The probe is believed to be the first time the car industry’s privacy practices have been publicly examined by an enforcement body, said Maneesha Mithal, a partner at Wilson Sonsini Goodrich & Rosati, who formerly led the Federal Trade Commission’s privacy division.
“Connected cars are ubiquitous, and our cars now have connected features in a way that they didn’t have 10 years ago,” she said. “It goes to the intersection of many interesting issues. So it’s location data, it’s ad tech, it’s security, it’s technology, it’s AI.”
Holistic Approach
The July announcement of the probe indicates the agency wants to start strong as it ramps up its operation after gaining enforcement powers last month, said Christine Lyon, privacy partner at Freshfields Bruckhaus Deringer LLP. The probe comes despite ongoing hiring for personnel and a court battle that has delayed enforcement of a good chunk of the regulations.
The agency didn’t reveal whether instances of wrongdoing spurred the probe, but rather that it was looking at the auto industry as a whole. That stance is in contrast to prior investigations done by the California attorney general’s office—which also has privacy enforcement powers—such as one in January that alleged some mobile apps weren’t honoring opt-out requests.
“They’re really showing that we’re going to be looking holistically at industries, not just responding to individual issues at specific companies,” Lyon said. “This really reflects a different approach than what we’ve seen in the past with enforcement, and I think it is a significant development.”
With the industry-wide scope, the agency is trying to be proactive instead of reactive to privacy non-compliance, Lyon added. With such an approach, the state privacy regulator could later turn its attention to other data-intensive industries even if there are no specific, concrete complaints, she said.
Such a process could be advantageous given the agency’s limited resources as it still builds up. For instance, it’s more efficient for investigators to ask five companies in the same sector the similar questions rather than probing various companies in different industries, said Mithal.
The scope of enforcement actions—if violations are found—will be the key thing to watch. The agency may find isolated problems and issue orders against specific companies, but the regulator could also adopt a more aggressive interpretation of the law and seek across-the-board changes, analysts said.
Issues That May Be Looked At
Privacy advocates insist that car companies have not been following California’s updated comprehensive privacy law. They praised the agency’s inquiry as a necessary first step.
“Data, of course, is the new road to profit for car manufacturers,” said Justin Kloczko, who follows tech and privacy for Consumer Watchdog. “Cars can create a total consumer profile using our personal information to track us and sell us things. We already know this information has been shared with law enforcement and private companies.”
The Alliance for Automotive Innovation Inc.—the trade group for vehicle manufacturers such as Toyota Motor Corp. and Ford Motor Co.—said in a statement it “respects the importance of protecting consumer data” and is following its own privacy principles that it established back in 2014.
One main area the regulator may examine is whether car companies have given sufficient notice to Californians that they can opt out of their data being sold or shared. Typically, automakers ask drivers to refer to the car manual or website for their privacy policy and how to exercise their privacy rights. Language asking for consent can be full of jargon or confusing, advocates said.
The agency’s probe should focus on whether automakers engage in “dark patterns"—subtle ways that make it more difficult for one to exercise their privacy rights—which are banned under California’s privacy law, said Kloczko.
“It’s just too much in some ways for consumers to keep up with these notices and opts out and opts in. And every time I get into a car, I’m not going to want to worry about that,” said Mithal.
The relationships between car manufacturers and the firms they share data with will likely come under scrutiny, Lyon said, especially with past allegations of improper data collection by cars. The agency may probe whether the collection of such personal information is in violation of the state’s requirements around data minimization, which ask that data be collected only for reasonably necessary purposes, such as ensuring the car operates better.
Thus, the whole ecosystem around connected cars—including the infotainment systems that personal devices connect to—will likely be analyzed, Lyon added.
Either way, said Mithal, the inquiry sends a warning to the industry.
“When a regulator comes around, companies tend to sit up straighter,” she said.
To contact the reporter on this story:
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.