Vehicle Data Privacy: Industry and Federal Efforts Under Way but NHTSA Needs to Define Its Role

What GAO Found

Thirteen of the 16 selected automakers in GAO's review offer connected vehicles, and those 13 reported collecting, using, and sharing data from connected vehicles, such as data on a car's location and its operations (e.g., tire pressure). All 13 automakers described doing so on a relatively limited basis. For example, they reported using data to provide requested services to consumers and for research and development. None of the 13 reported sharing or selling data that could be linked to a consumer for unaffiliated third parties' use. However, as connected vehicles become more commonplace, the extent of data collection, use, and sharing will likely grow.

Automakers have taken steps, including signing onto a set of privacy principles, to address privacy issues. In comparing selected automakers' reported privacy policies to leading privacy practices, GAO found that these automakers' policies at least partially reflected each of the leading privacy practices, for example:

• Transparency: All 13 selected automakers' written privacy notices were easily accessible, but none was written clearly.

• Focused data use: Most selected automakers reported limiting their data collection, use, and sharing, but their written notices did not clearly identify data sharing and use practices.

• Individual control: All 13 selected automakers reported obtaining explicit consumer consent before collecting data, but offered few options besides opting out of all connected vehicle services to consumers who did not want to share their data.

The Federal Trade Commission (FTC) and the Department of Transportation's (DOT) National Highway Traffic Safety Administration (NHTSA) are primarily responsible for protecting consumers and ensuring passenger vehicles' safety, respectively. FTC has the authority to protect consumer privacy and has issued reports and guidance and conducted workshops on the topic generally as well as on connected vehicles specifically. NHTSA has broad authority over the safety of passenger vehicles and considers the privacy effects and implications of its regulations and guidance. FTC and NHTSA have coordinated on privacy issues related to connected vehicles. However, NHTSA has not clearly defined its roles and responsibilities as they relate to the privacy of vehicle data. In response to emerging vehicle technologies, NHTSA included privacy requirements in a related rulemaking and included privacy expectations in voluntary guidance. Because of these actions, selected automakers and others said NHTSA's role in data privacy was unclear. NHTSA officials acknowledged that some stakeholders may be uncertain about its authority to address privacy issues. Federal standards for internal control require, among other things, that agencies define and communicate key roles and responsibilities. By clearly defining, documenting, and communicating NHTSA's roles and responsibilities in vehicle data privacy, NHTSA would be better positioned to coordinate with other federal agencies and to effectively oversee emerging vehicle technologies.

Why GAO Did This Study

The prevalence of connected vehicles—those with technology that wirelessly transmits and receives data—has raised questions about how the collection, use, and sharing of these data affect consumer privacy.

GAO was asked to review consumer privacy issues related to connected vehicles. This report: (1) examines the types, use, and sharing of data collected by connected vehicles; (2) determines the extent to which selected automakers' privacy policies for these data align with leading practices; and (3) evaluates related federal roles and efforts, among other objectives. GAO interviewed relevant industry associations, organizations that work on consumer privacy issues, and a non-generalizable sample of 16 automakers selected based on their U.S. passenger vehicle sales. In addition, GAO analyzed selected automakers' privacy policies (written notices and reported practices) against a set of leading privacy practices determined to be relevant to connected vehicles. To identify these practices, GAO reviewed a variety of privacy frameworks developed by federal agencies and others. GAO reviewed relevant federal statutes, regulations, and reports, and interviewed agency officials, including those from DOT, the Department of Commerce, and FTC.