Cars and consumer data: Three warnings from the FTC

The US Federal Trade Commission (FTC) is warning connected vehicle manufacturers that they could face enforcement action over their collection and disclosure of personal data. 

“While connectivity can let drivers do things like play their favorite internet radio stations or unlock their car with an app, connected cars can also collect a lot of data about people,” the agency says in a recent blog post highlighting the implications of privacy enforcement action for car manufacturers. 

Here are three clear messages on car privacy from the FTC. 

1. Location data is ‘sensitive’ data

For the past few years, the FTC has been making extensive use of its powers under the FTC Act—a consumer protection law that was passed over a century ago but is relevant to today’s digital markets. 

“Geolocation data is sensitive and subject to enhanced protections under the FTC Act,” the FTC warns, citing several cases in which the agency has sanctioned companies over their treatment of information about people’s whereabouts: 

• X-Mode Social: The FTC reached a settlement with this data broker in January 2024, alleging that the company had unlawfully collected and sold data about people’s visits to “medical or reproductive health clinics, places of worship, (and) domestic abuse shelters.” 

• InMarket: In a second January settlement, the FTC ordered this location data aggregator to “delete or destroy all the location data it previously collected and any products produced from this data unless it obtains consumer consent.” 

These cases firmly established the agency’s view that collecting and disclosing location data can violate the FTC Act. 

2. Secretly disclosing people’s sensitive information can be an ‘unfair practice’

Processing consumers’ sensitive data, including location data, is not illegitimate in itself. The US does not have a federal-level privacy law that prohibits companies from collecting, disclosing, or even selling sensitive data. 

However, the FTC argues that existing law prohibits businesses from “surreptitiously” (secretly) disclosing sensitive data without clear disclosure or, in some cases, obtaining consent. 

“Companies that have legitimate access to consumers’ sensitive information must ensure that the data is used only for the reasons they collected that information,” the agency says. 

To support this claim, the FTC points to several recent cases involving sensitive data per se, rather than location data specifically: 

• BetterHelp: This online therapy service was ordered to pay $7.8 million dollars after it allegedly “revealed consumers’ email addresses and health questionnaire information to third parties for advertising purposes.” 

• Cerebral: The FTC settled with this other remote therapy provider for $7 million following numerous alleged FTC Act violations—including selling consumers’ “medical and prescription histories, home and email addresses, (and) phone numbers” without prior notice or consent. 

The FTC Act bans any “unfair” practice that “causes or is likely to cause substantial injury.” According to the FTC, this prohibition includes disclosing consumers’ sensitive information in certain circumstances. 

3. Beware of using sensitive information to make ‘automated decisions’

Public attention is focused on AI, and privacy concerns mean many people feel apprehensive about embracing the latest iterations of this technology. 

AI software providers require masses of personal data to train and improve their algorithms. Car manufacturers, many of which have effectively become software providers since the proliferation of connected vehicles, are no different. 

“Companies that feed consumer data into algorithms may be liable for harmful automated decisions,” the FTC says, highlighting the risk of relinquishing too much control to machines without sufficient human oversight. 

To support its point, the agency again references a case involving neither cars nor location data. 

Last December, the FTC enforced against Rite Aid, a retailer whose use of facial recognition cameras resulted in several consumers experiencing “humiliation and feelings of stigmatization” following false accusations of shoplifting. 

It’s not immediately obvious how the Rite Aid case relates to privacy in connected vehicles. But the FTC’s broader message is clear: Any company using AI to make decisions about consumers must ensure that their model is trained on accurate data and that decisions are subject to suitable human oversight measures. 

Privacy in cars: A growing consumer concern 

People are increasingly concerned about their privacy, and connected cars – which can constantly track and share sensitive location data – are an obvious vehicle for these anxieties (no pun intended). 

With several recent news reports drawing the attention of privacy advocates and consumer groups, many car manufacturers are beginning to take privacy more seriously. 

As the FTC reiterates, “car manufacturers – and all businesses – should take note that the FTC will take action to protect consumers against the illegal collection, use, and disclosure of their personal data.”