Passenger and fleet vehicles collect several types of data, including geolocation data. Vehicle geolocation data support features such as navigation, emergency response services, vehicle tracking applications, personalized insurance rates, and fleet management tools. Automotive manufacturers, data brokers, insurance companies, and law enforcement are examples of entities that may access and use geolocation data for a variety of purposes. Concerns about vehicle geolocation data collection include sensitive location tracking, data overcollection and retention, consumer awareness and consumer choice issues, data brokers’ access, and data disclosure to law enforcement or other governmental entities. Vehicle geolocation data used to track a consumer’s location may present risks that involve stalking, domestic violence, or threats from foreign adversaries. Consumers who choose to not share optional geolocation data may not realize that this choice may inhibit certain vehicle features. Consumers who share vehicle geolocation data may choose to do so on the basis of incomplete or misleading information in privacy policies and disclosures. Data brokers may facilitate the exchange of data to entities seeking to gain insights into marketing and analytics for commercial purposes or for activities such as monitoring traffic patterns and road conditions for public applications; these purposes could also make data accessible to bad actors. Law enforcement and other governmental entities might access geolocation data without a warrant, which may support them to identify a suspect’s location while potentially presenting Fourth Amendment issues and exposing consumers to further tracking and risks. Some stakeholders in the automotive industry voluntarily created a set of principles to regulate collection of consumer data. These principles require automotive manufacturers and suppliers to, for example, inform consumers about vehicle geolocation data being collected, obtain consent prior to data collection, and require a warrant or court order from law enforcement or other governmental entities when requesting such data. The automotive industry employs various measures to minimize risks associated with collecting geolocation data (e.g., de-identification), but data may be difficult to anonymize in some circumstances. Several agencies share federal oversight and action related to vehicle geolocation data: the Federal Trade Commission (FTC), National Highway Traffic Safety Administration (NHTSA), Department of Commerce (DOC), Federal Communications Commission (FCC), and Department of Justice (DOJ). The FTC has several authorities related to vehicle geolocation data, including oversight of consumer disclosure practices and limiting of foreign adversaries’ access to these data. NHTSA’s most relevant responsibility related to vehicle geolocation data collection is its jurisdiction over motor vehicle safety. Relevant action from DOC includes a rule that bars the sale and import of certain connected vehicle technologies. The FCC has several authorities over dissemination of vehicle geolocation data and has proposed a rule that would disable connected vehicle services that may present risks for domestic-abuse survivors. The FCC also maintains a covered equipment list of technologies that pose certain security risks. DOJ has issued a rule that prevents the bulk exchange of personal data, including precise geolocation data, with foreign adversaries and other covered persons. Congress may determine that current industry practices and self-regulation are sufficient to address privacy concerns related to vehicle geolocation data collection; in this case, Congress may take no action and defer to agencies and consider options for congressional oversight and investigation. Alternatively, Congress may seek to take action to address this issue. For example, Congress may consider comprehensive data privacy legislation (such as H.R. 8152, 117th Congress) that would limit risks associated with the collection and exchange of consumer data (e.g., by regulating data brokers or vehicles). A legislative avenue might include measures that would seek to apply data privacy laws to vehicles, limit insurance company access to geolocation data, protect survivors of domestic abuse, and limit warrantless access of geolocation data. Comprehensive data privacy legislation for vehicles (such as H.R. 10473/S. 5579, 118th Congress) could cover topics such as the access, sale, and exchange of vehicle data, including geolocation data. To limit insurance companies’ access to vehicle geolocation data, Congress may choose to introduce legislation, launch investigations, hold hearings, or require research on the topic. To address risks associated with connected vehicle technologies, Congress could enact legislation (such as H.R. 2110, 119th Congress) that would allow domestic-abuse survivors to disable these technologies. Congress may evaluate options to limit warrantless access to geolocation data by law enforcement and governmental agencies either through legislation or by evaluating recent court decisions. In addition, as states have taken different approaches to regulating privacy related to vehicle geolocation data, Congress might include preemption provisions in legislation to reduce variation in approaches across states.
Full content not yet available.