The Federal Trade Commission’s Office of Technology has issued a warning to automakers that sell connected cars. Companies that offer such products “do not have the free license to monetize people’s information beyond purposes needed to provide their requested product or service,” it wrote in a blog post on Tuesday. Just because executives and investors want recurring revenue streams, that does not “outweigh the need for meaningful privacy safeguards,” the FTC wrote.
Based on your feedback, connected cars might be one of the least-popular modern inventions among the Ars readership. And who can blame them? Last January, a security researcher revealed that a vehicle identification number was sufficient to access remote services for multiple different makes, and yet more had APIs that were easily hackable.
Later, in 2023, the Mozilla Foundation published an extensive report examining the various automakers’ policies regarding the use of data from connected cars; the report concluded that “cars are the worst product category we have ever reviewed for privacy.”
Those were rather abstract cases, but earlier this year, we saw a very concrete misuse of connected car data. Writing for The New York Times, Kash Hill learned that owners of connected vehicles made by General Motors had been unwittingly enrolled in OnStar’s Smart Driver program and that their driving data had been shared with their insurance company, resulting in soaring insurance premiums.
The FTC is not taking specific action against any automaker at this point. Instead, the blog post is meant to be a warning to the industry. It says that “connected cars have been on the FTC’s radar for years,” although the agency appears to have done very little other than hold workshops in 2013 and 2018, as well as publishing guidance for consumers reminding them to wipe the data from their cars before selling them.
(By contrast, the California Privacy Protection Agency announced last year that its enforcement division had begun making inquiries with automakers to ensure they complied with the state’s 2018 Consumer Privacy Act.)
The FTC says that automakers and other businesses must protect users’ data against illegal collection, use, and disclosure. It points to recent enforcement actions against companies in other sectors that have illegally collected or used geolocation data, surreptitiously disclosed sensitive user data, and illegally used sensitive data for automated decisions.
The FTC says the easiest way to comply is to not collect the data in the first place.