Technology Advancements in Automobiles Bring Serious Privacy Concerns as Car Makers Appropriate Personal Data from Drivers

*Zachary Seidel

I. Introduction

The CEO of one of the largest automobile manufacturers in the world said it best: “We know everyone who breaks the law, we know when you’re doing it. We have GPS in your car, so we know what you’re doing.”[1] Jim Farley, the current CEO of Ford Motor Company, continued by mentioning, “[b]y the way, we don’t supply that data to anyone[.]”[2] Mr. Farley has since triggered skepticism by retracting those statements.[3] Mr. Farley’s comments are disconcerting to the ordinary consumer who seeks privacy within their car.

Personal automobiles are rapidly becoming more safe, more intelligent, and more connected to the internet.[4] Automobile manufacturers collect and store an expanding list of car locations, functions, and driver tendencies for these technological advancements to function.[5] As cars become more technologically advanced and automated, legislatures need to address the privacy concerns presented through data collection.[6]

II. Data Collection in Cars

Data collection in automobiles, most prominently location information, presents two primary privacy concerns: (1) car companies storing drivers’ whereabouts and (2) selling that private information for marketing purposes.[7] These common practices present worrisome repercussions that will only exacerbate as technology advances.

Almost all major automobile manufacturers admit to collecting user driving history.[8] Not only do these companies collect the data, but many “store driving history data in a server off-board the vehicle.”[9] This information provides manufacturers visibility into “indisputably private” GPS information: where drivers park, a trip to the abortion clinic, or even trips to the strip club.[10] Consequently, driving history “generates a precise, comprehensive record of a person’s public movements that reflect a wealth of detail about [their] familial, political, professional, religious, and sexual associations.”[11] Unlike cellphones, carmakers do not offer drivers the option to “opt-out” of car location tracking.[12] Some cars even have cameras within the automobile designed to keep drivers awake at the wheel.[13] This feature requires the camera to analyze and store images of the driver and passengers.[14]

Not only do car manufacturers store this private data, but they also sell it to third-party companies.[15] By using driving history, including where individuals shop, work, and live, third-party companies extrapolate individuals’ income levels and spending habits to provide valuable marketing information to advertisers.[16] A government survey of major automobile manufacturers indicates that most manufacturers admit to contracting with third-party companies to sell data from automobiles.[17] As automotive technology advances, manufacturers will only collect more data. Modern cars collect about twenty-five gigabytes of data per hour.[18] Fully self-driving vehicles, an innovative concept extremely close to reality, reportedly “could ultimately generate around 100 GB of data per second.”[19] Consequently, data collection and sales to marketing companies will only increase.

III. Reasonable Expectation of Privacy

While case law on data privacy implications in modern cars is relatively scarce, State v. Worsham discusses the rationale of an individual’s right against vehicle data collection.[20] In Worsham, law enforcement downloaded data from the defendant’s “impounded vehicle’s electronic data recorder.”[21] An event data recorder, more commonly known as the “black box,” records vehicle and occupant information for recovery following an accident.[22] Florida’s Fourth District Court of Appeals ruled that law enforcement officials violated the defendant’s reasonable expectation of privacy by downloading the information without consent or a warrant.[23] In its decision, the court analogized the black box to other electronic storage devices, such as cellphones, which require warrants.[24] Just like the technological evolution of cellphones resulted in an increased collection of personal data, “the electronic systems in cars have gotten more complex” and lead to privacy issues.[25] While Worsham involved event data recorders, the same legal rationale applies to vehicle location tracking and other vehicle data.[26]

IV. Data Privacy Laws and Regulations

One of the most significant and widespread efforts to manage car data collection derives from the European Union’s General Data Protection Regulation (GDPR).[27] GDPR, enacted in May of 2018, is the “toughest privacy and security law in the world.”[28] It includes a substantial amount of new requirements, hefty fines, and explicit consent rules for organizations that collect private data around the globe.[29] While this innovative regulation restricts a considerable amount of private data collection within automobiles, GDPR only applies to the personal data of European Union citizens or residents.[30]

The United States does not have any federal regulations like that of GDPR.[31] However, California, the first state to legislate to protect personal data collection, crafted laws to provide residents some data privacy rights.[32] While the rights of citizens remain somewhat murky, California’s statute explicitly provides “a private right of action in connection with certain unauthorized . . . disclosure of a consumer’s . . . personal information[.]”[33] Illinois similarly enacted the Illinois Biometrics Information Privacy Act (BIPA), which protects consumer rights and prohibits companies from collecting certain data.[34] BIPA regulates the “collection, use, safeguarding, handling, storage, retention, and destruction” of captured biometric data.[35] Biometric data is “biologically unique to the individual” and is captured through advanced car features, such as fingerprint, voiceprint, or retina scanning.[36] BIPA requires an individual’s “informed written consent” acknowledging the data collection for a manufacturer to avoid any legal repercussions.[37] While these regulations are significant in maintaining an individual’s privacy within their vehicle, the laws do not explicitly refer to data collection within automobiles.[38]

To get ahead of the various impending privacy laws, many of the world’s largest automobile manufacturers signed onto the Automotive Consumer Privacy Protection Principles (the “ACPPP”).[39] The ACPPP includes: (1) transparency, (2) choice, (3) respect for context, (4) data minimization, de-identification and retention, (5) data security, (6) integrity and access, and (7) accountability.[40] By signing on to the ACPPP, carmakers promise to protect the personal information of drivers collected by vehicles.[41] Accordingly, these manufacturers agree to “obtain affirmative consent when using geolocation, biometrics, and other sensitive data.”[42] The ACPPP intends to make consumers aware of the harvesting of their vehicle’s private data. Although the ACPPP seems promising, it is voluntary and does not hold carmakers liable for privacy failures.[43]

V. Conclusion

As technology advances and autonomous vehicles continue to infiltrate our lives, privacy concerns exponentially increase. To counteract the massive collection of data, Congress needs to pass legislation to hold carmakers accountable for privacy breaches.[44] Within these regulations, lawmakers must require carmakers to provide clear and meaningful notice to consumers on what they are collecting and how they will use this data.[45] By providing this information, drivers would be able to opt out of a specific feature or potentially decide to purchase a different vehicle.[46] Car manufacturers also could limit privacy risks if lawmakers forced data to be altered, combined, and anonymized.[47] That way, an individual’s life would remain private. Carmakers need to be regulated and held accountable for their use of consumer data.[48] As new cars collect more data every year, there is an immediate need for uniform regulations.[49] Without such uniformity, carmakers will increasingly continue to reap benefit and profits from consumer data, at the cost of those consumers’ privacy.

*Zachary Seidel is a second-year day student at the University Of Baltimore School of Law, where he is a Staff Editor for Law Review, a member of the Royal Graham Shannonhouse III Honor Society, and the Treasurer of the Jewish Law Student Association. This summer, Zach will be working at Evans Law in Annapolis, Maryland, where he will be working on various real estate matters.

---

[1] Jim Edwards, Ford Exec: ‘We Know Everyone Who Breaks the Law’ Thanks to Our GPS in Your Car, Bus. Insider (Jan. 8, 2014, 8:16 PM), https://www.businessinsider.com/ford-exec-gps-2014-1.

[2] Id.

[3] See id.                                                                

[4] See Shane Prevost & Houssain Kettani, On Data Privacy in Modern Personal Vehicles, Ass’n For Computing Mach. (Jan. 7, 2020), https://dl.acm.org/doi/abs/10.1145/3372938.3372940.

[5] See id.

[6] See id.

[7] David Navetta et al., Privacy and Security Issues in Autonomous Cars, Cyber Defense Magazine (Oct. 24, 2019), https://www.cyberdefensemagazine.com/privacy-and-security/.

[8] See Senator Edward J. Markey et al., Tracking & Hacking: Security and Privacy Gaps Put American Drivers at Risk (2015) https://www.markey.senate.gov/imo/media/doc/2015-02-06_MarkeyReport-Tracking_Hacking_CarSecurity%202.pdf.

[9] Id.

[10] Navetta et al., supra note 7.

[11] Id.

[12] Bill Hanvey, Your Car Knows When You Gain Weight, N.Y. Times (May 20, 2019), https://www.nytimes.com/2019/05/20/opinion/car-repair-data-privacy.html.

[13] See Daniel Stoller & Hassan Kanu, Carmakers Selling Your Data Risk Collisions with Privacy Laws, Bloomberg L. (June 3, 2019, 4:45 AM), https://www.bloomberglaw.com/bloomberglawnews/privacy-and-data-security/X5JC7NBS000000?bna_news_filter=privacy-and-data-security#jcite.

[14] See id.

[15] See Markey et al., supra note 8.

[16] See Navetta et al., supra note 7.

[17] See Markey et al., supra note 8.

[18] See Geoffrey Fowler, What Does Your Car Know About You? We Hacked a Chevy to Find Out., Wash. Post (Dec. 17, 2019), https://www.washingtonpost.com/technology/2019/12/17/what-does-your-car-know-about-you-we-hacked-chevy-find-out/.

[19] Smart Cars vs. Privacy: A Driverless Car Could Generate 100 GB of Data per Second, Cybernews (Sept. 20, 2021), https://cybernews.com/privacy/smart-cars-vs-privacy-a-driverless-car-could-generate-100-gb-of-data-per-second/.

[20] State v. Worsham, 227 So. 3d 602, 605 (Fla. Dist. Ct. App. 2017).

[21] Id. at 603.

[22] Id.

[23] See id. at 606.

[24] See id. at 605.

[25] Id. at 606.

[26] Id.

[27] Stoller & Kanu, supra note 13.

[28] What is GDPR, the EU’s New Data Protection Law?, GDPR.EU, https://gdpr.eu/what-is-gdpr/ (last visited Apr. 24, 2022).

[29] See id.

[30] See id.

[31] See Stoller & Kanu, supra note 13.

[32] See id.

[33] Assemb. B. No. 375, Chapter 55 (Ca. 2018), https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.

[34] Stoller & Kanu, supra note 13.

[35] Ill. Comp. Stat. 095-0994/99 (2009), https://www.ilga.gov/legislation/publicacts/95/095-0994.htm.

[36] Id.

[37] Id.

[38] See id. (mentioning nothing about data collection within automobiles).

[39] Stoller & Kanu, supra note 13.

[40] Consumer Privacy Protection Principles, Alliance for automotive innovation, inc. (Nov. 12, 2014), https://www.autosinnovate.org/innovation/Automotive%20Privacy/Consumer_Privacy_Principlesfor_VehicleTechnologies_Services-03-21-19.pdf.

[41] Id.

[42] Id.

[43] Id.

[44] See The Privacy Implications of Autonomous Vehicles, Data Prot. Rep.(July 17, 2017), https://www.dataprotectionreport.com/2017/07/the-privacy-implications-of-autonomous-vehicles/.

[45] See id.

[46] See id.

[47] See id.

[48] See id.

[49] See Stoller & Kanu, supra note 13.