Baby, You Can Drive My Car, But Please Don’t Touch My Data! Connected Cars and Arising Data Privacy Issues

August 17, 2021

Today’s car market is saturated with connected cars - vehicles that exchange data with networks inside and outside the vehicle. In 2016, the connected car market was estimated to be worth 52.6 billion dollars, and it is projected to jump to 219 billion by 2025, signaling that this market is here to stay and flourish.1

Once considered a figment of imagination from sci-fi literature, today connected cars are mainstream and accessible to all. Most major automakers now boast vehicles and ancillary platforms that connect drivers to the internet of things from inside the cabin, allowing drivers to navigate traffic, stream media, and monitor vehicle diagnostics at the push of a button (or, rather, the swipe of a finger). In fact, even most major car rental companies offer connected cars.2 Let’s say you rent one of these cars during a trip. You hop in the car and connect your phone to the center console to play some music and help with navigation. You realize the previous renter had synced all their contacts, music, and other personal data into the car system. Now the previous driver’s data is exposed not just to you but also to future renters, as well as to the car manufacturer and even the car rental company. This scenario represents one of many developing data privacy concerns surrounding connected cars and the grander implications they signal to the privacy and legal industry.

Depending on the manufacturer and model, a connected car may generate up to 25 gigabytes of data per hour from the hundreds of sensors within the vehicle.3 This data can be transmitted or received through various forms of wireless connectivity to car makers, emergency services providers, satellites, cloud platforms, and even other vehicles.4

Data from connected cars can be used both in the aggregate and on an individual basis. For example, using aggregate data from many vehicles, traffic flow can be optimized, road hazards can be identified, and traffic congestion can be managed. On an individual basis, the data can be used for delivering roadside assistance or for providing electric vehicle charging services. The applications for the use of connected car data are continuously expanding, with a promise of significant personal and even wider societal benefits.5

Given that the field of connected cars is an emerging sector, the roles and responsibilities surrounding the protection and privacy of vehicle data have not yet been clearly settled. Some auto industry groups advocate for consumer responsibility in protecting data linked to connected vehicles, and even offer privacy checklists as guidance for consumers who rent or sell vehicles with connected capabilities.6 On the other hand, some data security leaders argue that the automotive ecosystem should proactively plan and design for privacy, emphasizing that high-level security and protection should be embedded as a foundational setting in connected cars.7

Federal legislation like the Driver Privacy Act of 2015 reflects a regulatory effort to protect information stored in connected cars. The law prohibits anyone but the owner from accessing data from a car’s electronic data recorder with limited exceptions, including for law enforcement and first responders. However, a car’s electronic data recorder is only one of hundreds of ways connected cars collect data, highlighting the need to expand either legislation or industry self-regulation to further address connected vehicle data collection.8 The FTC and NHTSA (National Highway Traffic Safety Administration) have also provided formal and informal information on best practices and privacy issues posed by connected vehicles,9 all suggesting that the industry is keenly aware of this new Wild West on wheels -- and the need for some additional rules of the road.