The Federal Trade Commission’s stance this month against the automobile industry’s collection of data is consistent with legal precedent and necessary from the standpoint of consumer protection.
Analysts predict that, by 2025, over 400 million cars will become “connected” through infotainment platforms—a significant increase from 2021’s 237 million. By 2030, they project that a whopping 95% of passenger cars will have embedded internet connectivity. Yet, as Americans’ cars become more digitized and connected, concerns over illicit data collection appear to continually grow.
Last year, the Mozilla Foundation studied the data practices of the 25 leading car manufacturers and found that each one “collects more personal data than necessary and uses that information for a reason other than to operate your vehicle and manage their relationship with you.”
Concerns over autos’ broad data sweep aren’t new. The FTC highlighted many of them in a 2013 workshop, releasing a related report two years later. It hosted a similar workshop in 2017, addressing the types of data automakers collect and store, and their privacy and accompanying security practices (or lack thereof). However, this issue only recently became a top burner issue for the commission.
First, automakers began removing AM radio from their dashes last year. Eliminating a free entertainment mechanism that doesn’t collect third-party personal information allows them to “digitize” the dash to collect and sell more of their consumers’ information. This business trend caught Congress’s attention, resulting in the introduction of the AM Radio for Every Vehicle Act to safeguard consumers’ data.
In March, the New York Times broke news that some automakers collect and share driving behavior with the insurance industry—without drivers’ consent. A coalition of lawmakers also found that information is passed to law enforcement without a warrant.
For these reasons, the FTC on May 14 announced it’s aware of this growing problem and warned that the commission “will take action to protect consumers against the illegal collection, use, and disclosure of their personal data.”
Although critics may contend no legal issue is at play here, the commission has every right to stop this data collection. Several key precedents support the FTC’s legal authority to do so.
First, the FTC has plain statutory authority to regulate data collection that threatens privacy. Section 5 of the Federal Trade Commission Act authorizes the FTC to regulate unfair practices, calling such practices unfair if they’re likely to cause substantial injury to consumers that consumers can’t reasonably avoid themselves.
It also prevents deceptive acts—representations, omissions, or practices that are likely to mislead consumers who act reasonably under the circumstances. Thus, if an automobile company makes representations about its data collection practices that are false or misleading, or fails to disclose important information about data collection and use, the FTC could pursue enforcement actions under Section 5.
For instance, if a company claims it doesn’t share user data with third parties but does so without clear consent, as the New York Times’ recent news story suggests GM has done, this would likely be a deceptive practice.
Second, courts reinforced the FTC’s broad statutory authority to prevent unfair practices. In FTC v. Wyndham Worldwide Corp., the US Court of Appeals for the Third Circuit considered whether the FTC has the authority to regulate cybersecurity practices under the unfairness prong of Section 5(a) of the FTC Act.
The FTC sued the Wyndham Worldwide Corp. and its subsidiaries for allegedly deficient cybersecurity practices that failed to protect consumer data against hackers. Over two occasions in 2008 and 2009, hackers accessed Wyndham’s computer systems, stealing personal and financial information from hundreds of thousands of consumers, leading to over $10.6 million in fraudulent charges.
The FTC’s suit alleged Wyndham’s conduct constituted an unfair practice in violation of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The Third Circuit affirmed the District Court’s decision, ruling the FTC had authority to regulate cybersecurity practices under the unfairness prong of Section 5.
Significantly, Wyndham affirmed the FTC’s authority to regulate data security practices of companies and bring enforcement actions under the unfairness prong of Section 5 of the FTC Act, underscoring the importance of companies maintaining reasonable data security measures to protect consumer information.
The FTC’s statutes and the corresponding court enforcement of such authority protects consumer privacy and data security across various sectors, including the automotive industry, by ensuring that companies are accountable for their data practices and that consumers have some degree of control over their personal information.
Protecting drivers’ data is wholly consistent with the FTC’s statutory authority and decades of legal precedent. The commission should ignore the critics and proceed unabated.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
David Balto is former policy director of the FTC and has practiced antitrust law for over 30 years.
Write for Us: Author Guidelines
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
Learn About Bloomberg Law
AI-powered legal analytics, workflow tools and premium legal & business news.
Already a subscriber?
Log in to keep reading or access research tools.