FTC encourages consumers to report car privacy concerns

“Concerned about what information your car collects and how it’s used? Tell the FTC…” the US Federal Trade Commission (FTC) posted on X on 14 March, together with a link to its fraud-reporting portal and the hashtags “#connectedcars” and “#privacy”. 

The FTC has been highly active since late 2022, with privacy-related enforcement campaigns targeting a series of issues from health information to children’s privacy and, most recently, data brokers.  

Could connected cars be the agency’s next privacy target? 

The FTC’s CARS rule 

Last December, the FTC finalized its Combating Auto Retail Scams (CARS) Rule, a consumer protection regulation aimed at protecting US consumers from “bait-and-switch tactics and hidden junk fees” when purchasing vehicles. 

The CARS Rule, which will take effect this July, prohibits automotive dealers from including optional features in a vehicle’s default price, among other measures. 

The CARS Rule is not privacy-related and has no significant implications for connected car manufacturers in particular. However, commentary within the FTC’s CARS document relates the new rule to the agency’s broader efforts to regulate other aspects of the automotive industry, including with regard to privacy. 

Privacy and security in connected cars workshop 

In 2017, the FTC held a joint workshop with the National Highway Traffic Safety Administration (NHTSA) titled “Connected Cars: Privacy, Security Issues Related to Connected, Automated Vehicles”. 

In a follow-up document reflecting on the event, FTC staff made several observations: 

• Connected cars can provide “important benefits” for consumers.  
• Many different types of companies collect data from a connected vehicle, including the manufacturer of the car itself and the manufacturers of components such as the entertainment system. 
• Cars can collect many types of data, from anonymous and aggregate data to sensitive personal information such as iris scans and real-time location. 
• The connected nature of modern vehicles presents cybersecurity risks. 

The FTC noted that drivers are increasingly concerned about “secondary, unexpected uses” of data collected by their vehicles, and emphasized that car manufacturers can help assuage these concerns by integrating privacy into the design of their products. 

Increasing car privacy awareness among consumers and legislators 

Besides its recent social media post, the FTC has taken seemingly little interest in connected car privacy in the seven years since its workshop. 

However, there has been much more awareness about the potential privacy issues in connected cars elsewhere, including among legislators and regulators in several US states and society at large. 

Last July, the California Privacy Protection Agency’s (CPPA) Enforcement Division announced a review of privacy practices by connected vehicle manufacturers. In October, the state passed a law regulating data collection by in-car cameras, SB 286.  

Nearly one-third of US states have passed so-called “comprehensive privacy laws” in the past few years, many of which have implications for how car manufacturers treat drivers’ data. 

So whether or not the FTC’s social media post signals an enforcement sweep on connected vehicles, it’s clear that car manufacturers can gain customers’ trust by taking privacy seriously. 

You might also like to read: