Automakers are facing a wave of new legislation in state capitols to rein in the internet-connected technologies increasingly being embedded in vehicles amid growing concerns the industry isn’t doing enough to prevent privacy violations such as stalking.
Lawmakers in at least four states—New Jersey, Tennessee, New York, and California—have passed or introduced legislation in the past six months to shore up protections from in-car surveillance technologies that experts say are putting drivers’ privacy at risk.
Leading carmakers all sell models that can use technologies such as in-vehicle sensors and cameras along with connected apps to collect an array of data that a 2023 Mozilla Foundation report said includes vehicle telematics—and even drivers’ facial expressions or sexual activity. The sharing of that information as well as location and other collected data, sometimes without express consumer consent, can lead to harms ranging from financial injury to cases of stalking.
“We’re past smartphone on wheels—we’re now at Facebook on wheels,” said Andrea Amico, founder of data privacy-tech company Privacy4Cars Inc.
In absence of greater clarity, plaintiffs have turned to existing statutes to challenge allegedly deceptive practices.
Legislation Moving
State legislators have been busy introducing car-related privacy bills since 2023.
New Jersey enacted a law in January requiring auto dealers to delete consumers’ personal information from the systems of vehicles they sell or trade in, while lawmakers in Montana and Kentucky have introduced similar legislation.
Tennessee lawmakers introduced a proposal in January to develop a registry of drivers who don’t want car companies to collect their data, which would require automakers to give them a chance to opt out. A bill that would update New York’s insurance laws to require auto insurers disclosures about how they factor telematics data into rates also was introduced in the state Senate earlier this year.
In the California State Legislature, meanwhile, several bills aim to tackle connected-car issues. One signed into law in October requires auto manufacturers to disclose the presence of in-vehicle cameras.
Another, introduced in February, would require carmakers to provide privacy protections for survivors of domestic violence, stalking, sexual assault, and human trafficking. The Federal Communications Commission released a similar proposal this month implementing the Safe Connections Act, a 2022 federal law meant to ensure survivors of domestic violence have access to communications technology separate from their abusers.
Also on the federal level, the National Highway Traffic Safety Administration is weighing a rulemaking on what data protections to require for vehicle safety systems that monitor driver behavior.
While some of the bills being proposed by states are “very thoughtful because they are truly car-specific,” Amico said, privacy laws need not mention automakers by name to implicate them.
“None of those laws also have computer or server or cloud storage” services or devices mentioned by name, Amico noted, “so the fact that a device is named or not named really shouldn’t matter from the perspective of the law.”
Existing Privacy Laws
As those passenger vehicle-specific privacy measures advance, the absence of explicit, car-focused regulations in current consumer privacy laws has left automakers and drivers to figure out how existing statutes apply.
A Florida man sued General Motors LLC, OnStar LLC, and LexisNexis Risk Solutions Inc. in March alleging violations of the federal Fair Credit Reporting Act and the Deceptive and Unfair Trade Practices Act. Romeo Chicco’s proposed class action claimed GM provided OnStar telematics data from his car without his knowledge or consent to the LexisNexis unit, which then provided the information to his insurance agency.
Chicco never signed up for OnStar nor did his policy with GM mention that such data would be shared with LexisNexis, according to his complaint.
GM has been hit with purported class actions over the same practices in California, Michigan, New York, and Pennsylvania. The lawsuits cite a host of common law and constitutional invasion of privacy statues, consumer protection laws, and, in one case, California’s wiretapping law.
GM stopped sharing OnStar Smart Driver customer data with LexisNexis and another data broker, Verisk Analytics Inc., on March 20, the company said in an email to Bloomberg Law.
“We are reviewing the complaints and have no further comment at this time,” a GM spokesperson wrote.
The various lawsuits’ shared focus on common law and business practices claims emphasizes the lack of clear privacy protections regarding data collected by automakers, Dickinson Wright LLP member Sara H. Jodka said.
“It tells us that right now, with regards to data, the type of data that is at issue with connected cars is not the kind of data that any of the consumer-facing state privacy laws deal with,” said Jodka. “They don’t define vehicle history, brake data. The information at issue is not protected by those laws.”
For that reason, she said, the complaints point to allegations “that the data was used without their knowledge and consent to harm the consumers” rather than to a statutory cause of action.
While states have different laws, Amico said, federal consumer-protection statutes such as the Federal Trade Commission Act clearly make vehicle manufacturers accountable when it comes to collecting data.
“In general, those laws all require transparency and very clear consent,” he said.
The Self-Regulatory Route
In the absence of clear legal or regulatory obligations, the auto industry has tried to shape its own rules.
The Alliance for Automotive Innovation established consumer-privacy principles in 2014. The self regulatory group’s members include Ford, GM, and Aptiv.
“All of these car companies are trying to figure out how to fit into the patchwork of state privacy legislation,” said Adonne Washington, policy counsel at Future of Privacy Forum. “Just because a bill doesn’t say ‘car’ or ‘automaker’ doesn’t mean they think they aren’t going to be touched.”
Washington also noted that the industry is poised to have connected cars collect even more data in the future.
The GM lawsuits are a warning to automakers, according to Jodka. They need to fully understand the information they’re sharing with third parties and ensure they’re getting specific consent from consumers to share it, she said.
“If privacy policies aren’t specific, there was never consent and they can’t rely on it,” said Jodka.
To contact the reporter on this story:
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
Learn About Bloomberg Law
AI-powered legal analytics, workflow tools and premium legal & business news.
Already a subscriber?
Log in to keep reading or access research tools.