Vehicle Data Privacy: Industry and Federal Efforts Under Way but NHTSA Needs to Define Its Role
Highlights
What GAO Found
Thirteen of the 16 selected automakers in GAO's review offer connected vehicles, and those 13 reported collecting, using, and sharing data from connected vehicles, such as data on a car's location and its operations (e.g., tire pressure). All 13 automakers described doing so on a relatively limited basis. For example, they reported using data to provide requested services to consumers and for research and development. None of the 13 reported sharing or selling data that could be linked to a consumer for unaffiliated third parties' use. However, as connected vehicles become more commonplace, the extent of data collection, use, and sharing will likely grow.
Automakers have taken steps, including signing onto a set of privacy principles, to address privacy issues. In comparing selected automakers' reported privacy policies to leading privacy practices, GAO found that these automakers' policies at least partially reflected each of the leading privacy practices, for example:
- Transparency: All 13 selected automakers' written privacy notices were easily accessible, but none was written clearly.
- Focused data use: Most selected automakers reported limiting their data collection, use, and sharing, but their written notices did not clearly identify data sharing and use practices.
- Individual control: All 13 selected automakers reported obtaining explicit consumer consent before collecting data, but offered few options besides opting out of all connected vehicle services to consumers who did not want to share their data.
The Federal Trade Commission (FTC) and the Department of Transportation's (DOT) National Highway Traffic Safety Administration (NHTSA) are primarily responsible for protecting consumers and ensuring passenger vehicles' safety, respectively. FTC has the authority to protect consumer privacy and has issued reports and guidance and conducted workshops on the topic generally as well as on connected vehicles specifically. NHTSA has broad authority over the safety of passenger vehicles and considers the privacy effects and implications of its regulations and guidance. FTC and NHTSA have coordinated on privacy issues related to connected vehicles. However, NHTSA has not clearly defined its roles and responsibilities as they relate to the privacy of vehicle data. In response to emerging vehicle technologies, NHTSA included privacy requirements in a related rulemaking and included privacy expectations in voluntary guidance. Because of these actions, selected automakers and others said NHTSA's role in data privacy was unclear. NHTSA officials acknowledged that some stakeholders may be uncertain about its authority to address privacy issues. Federal standards for internal control require, among other things, that agencies define and communicate key roles and responsibilities. By clearly defining, documenting, and communicating NHTSA's roles and responsibilities in vehicle data privacy, NHTSA would be better positioned to coordinate with other federal agencies and to effectively oversee emerging vehicle technologies.
Why GAO Did This Study
The prevalence of connected vehicles—those with technology that wirelessly transmits and receives data—has raised questions about how the collection, use, and sharing of these data affect consumer privacy.
GAO was asked to review consumer privacy issues related to connected vehicles. This report: (1) examines the types, use, and sharing of data collected by connected vehicles; (2) determines the extent to which selected automakers' privacy policies for these data align with leading practices; and (3) evaluates related federal roles and efforts, among other objectives. GAO interviewed relevant industry associations, organizations that work on consumer privacy issues, and a non-generalizable sample of 16 automakers selected based on their U.S. passenger vehicle sales. In addition, GAO analyzed selected automakers' privacy policies (written notices and reported practices) against a set of leading privacy practices determined to be relevant to connected vehicles. To identify these practices, GAO reviewed a variety of privacy frameworks developed by federal agencies and others. GAO reviewed relevant federal statutes, regulations, and reports, and interviewed agency officials, including those from DOT, the Department of Commerce, and FTC.
Recommendations
GAO recommends that NHTSA define, document, and externally communicate its roles and responsibilities related to the privacy of data generated by and collected from vehicles. NHTSA concurred with our recommendation.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Transportation | The Secretary of Transportation should direct NHTSA to define, document, and externally communicate the agency's roles and responsibilities in relation to connected vehicle data privacy. | The prevalence of connected vehicles, those with technology that wirelessly transmits and receives data, has raised questions about how the collection, use, and sharing of these data affect consumer privacy. In 2017, GAO reported that the Federal Trade Commission (FTC) and the Department of Transportation's (DOT) National Highway Traffic Safety Administration (NHTSA) are primarily responsible for protecting consumers and ensuring passenger vehicles' safety, respectively. FTC has the authority to protect consumer privacy and has issued reports and guidance and conducted workshops on the topic generally as well as on connected vehicles specifically. NHTSA has broad authority over the safety of passenger vehicles and considers the privacy effects and implications of its regulations and guidance. FTC and NHTSA have coordinated on privacy issues related to connected vehicles. However, NHTSA has not clearly defined its roles and responsibilities as they relate to the privacy of vehicle data. In response to emerging vehicle technologies, NHTSA included privacy requirements in a related rulemaking and included privacy expectations in voluntary guidance. Because of these actions, selected automakers and others said NHTSA's role in data privacy was unclear. NHTSA officials acknowledged that some stakeholders may be uncertain about its authority to address privacy issues. Federal standards for internal control require, among other things, that agencies define and communicate key roles and responsibilities. Consequently, GAO recommended that NHTSA define, document, and externally communicate its roles and responsibilities in relation to connected vehicle data privacy. In 2018, GAO confirmed that NHTSA had taken sufficient action to fully implement GAO's recommendation. Specifically, NHTSA launched a Vehicle Data Privacy webpage in December 2017. This webpage: (1) describes and documents NHTSA's authority, roles, and responsibilities with respect to data privacy; (2) explains FTC's authority, roles, and responsibilities concerning privacy and vehicle data privacy; (3) indicates that NHTSA welcomes feedback on the webpage's content; and (4) provides an email address to send suggestions and comments. After launching the webpage, NHTSA emailed auto industry stakeholders, including an automaker and the two industry associations that represent most automakers that sell vehicles in the U.S., letting them know about the new webpage and asking for feedback. By clearly defining, documenting, and communicating its roles and responsibilities concerning vehicle data privacy, NHTSA is better positioned to coordinate with other federal agencies and to effectively oversee emerging vehicle technologies. |