By Caleb Skeath
You’ve added a passcode to your phone, checked your social network privacy settings (twice), and kept close tabs on the cookies in your web browser. But have you ever thought closely about the information your car collects about you?
New Jersey legislators are debating two identical bills that would provide additional safeguards against the disclosure of data contained in a car’s “black box,” which track a vehicle’s technical status and operational performance. These devices, often referred to as event data recorders or EDRs, are present on 90% of all cars and light trucks in the U.S. and may soon become mandatory on all new vehicles. In addition to assisting mechanics with car repairs, EDRs can assist law enforcement and insurance companies in crash investigations.
According to the National Conference of State Legislatures, fourteen states have enacted statutes that generally only allow access to data on an EDR with the car owner’s consent. If enacted, New Jersey’s law would prohibit third parties from accessing an EDR’s data without the owner’s consent, a warrant, or a discovery order in a civil case. Other provisions in the law would allow manufacturers, dealerships, and car repair facilities to access the data for the purpose of diagnosing or repairing the vehicle, as well as allowing the disclosure of de-identified data “for the purpose of improving motor vehicle safety, security, or traffic management.”
In addition, car owners would be required to retain the information on an EDR for two years after an accident resulting in injury or death. Any individual who knowingly attempt to destroy the EDR or its information during this period could face a $5,000 fine, although it is unclear whether this provision would apply in instances where a car is rendered useless as a result of an accident and is subsequently scrapped.
Although most vehicle EDRs are only designed to collect information for a few seconds before and after a collision that triggers a vehicle’s airbags, there is no current federal limitation on the types or durations of data that vehicle EDRs can collect. With an increasing percentage of new vehicles coming equipped with built-in communication systems, legislators are concerned that the types and volume of data that EDRs collect could grow exponentially. The Driver’s Privacy Act, currently under consideration in the Senate, would allow owners or lessees of vehicles to retain ownership over the data in a vehicle’s EDR and prohibit other individuals from accessing the data, subject to certain exceptions. Another bill under consideration in the House contains similar provisions, in addition to a requirement that purchasers of new vehicles are notified if their vehicle contains an EDR and prohibiting the sale of new vehicles after 2015 unless the owner can control the recording of information on the EDR.
In addition to a vehicle’s EDR, other types of technology that manufacturers are adding to cars can pose new privacy questions. Last month, General Motors notified owners of its new Chevrolet Corvette that using the car’s Valet Mode, which records audio in the car’s cabin when activated, could violate the law in 13 states if the prior consent of other individuals present in the car is not obtained. Valet Mode, which also records video of the car’s activities when activated, was intended to monitor the activities of third parties who drive the car when the owner is not present. General Motors has promised to release an update in order to ensure compliance with legal requirements, but in the meantime has advised owners to disable Valet Mode or obtain consent of the vehicle’s occupants prior to any recording.