Vehicle Data Privacy:
Industry and Federal Efforts Under Way but NHTSA Needs to Define Its Role
GAO-17-656: Published: Jul 28, 2017. Publicly Released: Aug 28, 2017.
What GAO Found
Thirteen of the 16 selected automakers in GAO's review offer connected vehicles, and those 13 reported collecting, using, and sharing data from connected vehicles, such as data on a car's location and its operations (e.g., tire pressure). All 13 automakers described doing so on a relatively limited basis. For example, they reported using data to provide requested services to consumers and for research and development. None of the 13 reported sharing or selling data that could be linked to a consumer for unaffiliated third parties' use. However, as connected vehicles become more commonplace, the extent of data collection, use, and sharing will likely grow.
Automakers have taken steps, including signing onto a set of privacy principles, to address privacy issues. In comparing selected automakers' reported privacy policies to leading privacy practices, GAO found that these automakers' policies at least partially reflected each of the leading privacy practices, for example:
- Transparency: All 13 selected automakers' written privacy notices were easily accessible, but none was written clearly.
- Focused data use: Most selected automakers reported limiting their data collection, use, and sharing, but their written notices did not clearly identify data sharing and use practices.
- Individual control: All 13 selected automakers reported obtaining explicit consumer consent before collecting data, but offered few options besides opting out of all connected vehicle services to consumers who did not want to share their data.
The Federal Trade Commission (FTC) and the Department of Transportation's (DOT) National Highway Traffic Safety Administration (NHTSA) are primarily responsible for protecting consumers and ensuring passenger vehicles' safety, respectively. FTC has the authority to protect consumer privacy and has issued reports and guidance and conducted workshops on the topic generally as well as on connected vehicles specifically. NHTSA has broad authority over the safety of passenger vehicles and considers the privacy effects and implications of its regulations and guidance. FTC and NHTSA have coordinated on privacy issues related to connected vehicles. However, NHTSA has not clearly defined its roles and responsibilities as they relate to the privacy of vehicle data. In response to emerging vehicle technologies, NHTSA included privacy requirements in a related rulemaking and included privacy expectations in voluntary guidance. Because of these actions, selected automakers and others said NHTSA's role in data privacy was unclear. NHTSA officials acknowledged that some stakeholders may be uncertain about its authority to address privacy issues. Federal standards for internal control require, among other things, that agencies define and communicate key roles and responsibilities. By clearly defining, documenting, and communicating NHTSA's roles and responsibilities in vehicle data privacy, NHTSA would be better positioned to coordinate with other federal agencies and to effectively oversee emerging vehicle technologies.
Why GAO Did This Study
The prevalence of connected vehicles—those with technology that wirelessly transmits and receives data—has raised questions about how the collection, use, and sharing of these data affect consumer privacy.
GAO was asked to review consumer privacy issues related to connected vehicles. This report: (1) examines the types, use, and sharing of data collected by connected vehicles; (2) determines the extent to which selected automakers' privacy policies for these data align with leading practices; and (3) evaluates related federal roles and efforts, among other objectives. GAO interviewed relevant industry associations, organizations that work on consumer privacy issues, and a non-generalizable sample of 16 automakers selected based on their U.S. passenger vehicle sales. In addition, GAO analyzed selected automakers' privacy policies (written notices and reported practices) against a set of leading privacy practices determined to be relevant to connected vehicles. To identify these practices, GAO reviewed a variety of privacy frameworks developed by federal agencies and others. GAO reviewed relevant federal statutes, regulations, and reports, and interviewed agency officials, including those from DOT, the Department of Commerce, and FTC.
What GAO Recommends
GAO recommends that NHTSA define, document, and externally communicate its roles and responsibilities related to the privacy of data generated by and collected from vehicles. NHTSA concurred with our recommendation.
For more information, contact Dave Wise at (202) 512-2834 or email@example.com.
Recommendation for Executive Action
Comments: As described in the 60-day letter from October 17, 2017, NHTSA plans to create a vehicle data privacy page to be added to their website that will include information on the types of personal data collected by motor vehicles and provide links to additional resources, including the Federal Trade Commission(FTC) and industry groups. On this web page, NHTSA also plans to outline its roles and responsibilities related to vehicle data privacy. In addition, NHTSA will consult with FTC as it develops the web page content and allow for industry and public comments. We will continue to monitor NHTSA's actions related to these efforts.
Recommendation: The Secretary of Transportation should direct NHTSA to define, document, and externally communicate the agency's roles and responsibilities in relation to connected vehicle data privacy.
Agency Affected: Department of Transportation