On June 28, 2017, The Federal Trade Commission and the National Highway Traffic Safety Administration (NHTSA) hosted a workshop  to examine the consumer privacy and security issues that automated and connected motor vehicles pose.  The workshop’s Public Notice, which solicited comments from stakeholders in advance of the event, highlighted the benefits that connected cars can provide to consumers, as well as the vulnerabilities that may arise through use of the emerging technologies.  During the workshop this week, speakers and panelists, including industry representatives, consumer advocates, and government officials, considered the issues from the Notice and responded to panel questions on data use, cybersecurity, and privacy.  Their comments emphasized the complexity of developing a regulatory framework that promotes innovations while protecting consumers, and many of the participants called for more collaboration and consumer education.

Chairwoman Maureen Olhausen’s opening remarks jump-started the day with a call for “regulatory humility.”  In her reflections on the FTC’s role with respect to emerging connected car technologies, Chairwoman Olhausen said the FTC seeks “to protect consumers’ personal and sensitive information and prevent unreasonable data security practices, within a framework that allows continued innovation and growth.”  She also acknowledged that “predicting the future – including future benefits and harms – is difficult,” and that, pursuant to the FTC Act, the Commission must “understand the likely benefits and risks of connected cars” before putting in motion any new regulation.  To that end, she provided a “key piece of context for that assessment.” Approximately 40,000 people died in car accidents in the U.S. during 2016.  She continued: “Connected cars promise to significantly reduce such fatalities.  We regulators must keep that benefit in mind to ensure that our approaches to connected cars do not hinder such a positive outcome.”  According to the Chairwoman, that “means we must continue to work with our sister agencies, like NHTSA, to avoid unnecessary or duplicative regulation that could slow or stop innovation, and ultimately leave consumers worse off.”

Subsequent workshop participants echoed the Chairwoman’s interest in understanding the benefits and risks of connected vehicles and minimizing regulatory overlap.  Below are some of the key issues raised during the workshop.

Data Collection, Storage, and Transmission: Participants considered the amount of types of information that connected cars use to improve consumers’ experiences and protect them.  They explained that connected cars increasingly include technologies that enable the vehicles to access information via the Internet and gather, store, and transmit data for entertainment, performance, or safety purposes.  As a result of such technologies, connected cars are expected to gather enormous amounts of data, with conservative estimates suggesting that the average connected car will generate up to 30 terabytes of data daily by 2020.  Some of that data will pertain solely to the functioning of cars, including their operations, speed, predicated path, emergency breaking, or crash information.  Other information may be highly personal and sensitive, including geolocation information and biometric data.  As panelists discussed these types of information, they raised additional questions about data ownership, data sharing, encryption, anonymization of information, law enforcement access, and future uses of data.

Cybersecurity: The workshop addressed the potential risks to the security of data that connected cars collect.  While speaking on this topic, participants considered how Internet-connected vehicles may face the same security vulnerabilities as other connected computing platforms and to what extent incident response programs may need to differ in the automated-vehicle space.  They furthermore raised concerns over the potential for a “large scale attack” in the industry in the near future and questioned how companies can develop a tiered approach to addressing vulnerabilities, given such risks.  In addition to considering the procedural challenges of addressing cybersecurity threats, panelists emphasized the complex web of actors beyond car makers who would be involved in any incident and response, including suppliers, repair facilities, and telecommunications companies.  They also discussed the idea that having more data could be critical to improving cars, even though data minimization is an important information practice principle.  This observation underscores the challenge of determining how existing self-regulatory and government frameworks for cybersecurity can adapt to cover connected cars.

Privacy Issues: Participants additionally addressed privacy issues as they relate to connected cars.  They explored how consumer notice and choice, as well as usage limitations, operate in the automobile context, and they considered the role of federal agencies, as well as industry and local government actors, in protecting consumer privacy and data security in connected cars.  Of note, panelists once again considered the uniqueness of the connected-car industry, especially as it relates to a consumer’s ability to opt-out of some forms of data collection and sharing.  Moreover, participants emphasized the different privacy practices that may need to be in place for owners of vehicles in contrast to what needs to be in place for their passengers and other users.  As the panels concluded, the discussion again turned to the question of how to best regulate.  Participants considered the benefits of a self-regulatory regime and a federal framework, as well as an approach that relies on tort or local law to regulate new privacy issues as they emerge.

The FTC’s workshop examined issues that legislators and other regulators are simultaneously considering as they speed up their efforts to address the connected car industry.  The event also emphasized the need for more consumer education, and greater collaboration among government, industry, and other stakeholders.  As part of those efforts, participants directed audience members to review the Consumer Privacy Protection Principles from the Alliance of Automobile Manufacturers and the Association of Global Automakers, the work of the Auto Information Sharing and Analysis Center (ISAC), and the FTC’s Business Center.