NHTSA Automated Vehicles Guidance Punts Privacy to the FTC and Congress

A “streamlined” version of the National Highway Traffic Safety Administration (NHTSA)’s automated vehicle policy framework was announced last week by Secretary of Transportation Elaine Chao. Unfortunately, this shorter version does not address any of the issues we raised last fall when NHTSA unveiled its initial policy framework. At the time, CDT called for more guidance on data sharing with NHTSA, privacy rules, cybersecurity standards, and the need for consumer voices to be a component of the framework.

The new version addresses none of these issues. Cut from eighty-two pages to a brisk twenty-five, NHTSA’s latest guidance focuses almost exclusively on safety issues in automated driving systems. The serious privacy and ethical considerations raised by automated vehicles are relegated in the new document to one footnote. At least cybersecurity gets one page’s worth of attention.

According to NHTSA, the new guidance is meant to be less “burdensome” on the automotive industry, which might be more laudable if not for the fact that the guidance is already voluntary. In August, a report from the Government Accountability Office (GAO) called on NHTSA “to define, document, and externally communicate its roles and responsibilities in relation to connected vehicle data privacy.” Rather than fulfill this call for action, it’s clear that NHTSA intends to pass the privacy buck entirely to the Federal Trade Commission (FTC).

While there’s no question the FTC is paying attention to privacy and security issues in cars, NHTSA’s position will force the FTC to play an even larger role, one that may prey on the Commission’s already strained resources and capacity.

When it comes to automotive privacy, the FTC largely focuses on policing privacy promises made by the automakers themselves. This means that in-vehicle privacy protections will be guided by the auto industry’s self-regulatory guidance, the 2014 Consumer Privacy Protection Principles. While CDT has been generally supportive of these high-level principles, we’ve also suggested automakers put forward more rigorous requirements that better provide drivers with transparency and control over data collection and sharing. The GAO’s report notes that privacy experts have expressed concern that these principles provide sufficient guidance neither to inform automakers’ actions nor to protect individuals’ privacy rights. CDT has also noted potential privacy issues with some connected car apps currently offered by automakers.

On the data security side, the FTC has aggressively gone after unreasonable data security practices. The high dollar value and importance of the automobile in Americans’ daily lives should ensure the FTC’s full attention, certainly in light of the Commission’s narrower interpretation of what constitutes harm to consumers. But other industry players continue to challenge the FTC’s very ability to police data security, and as we have noted in comments to both the FTC and NHTSA, the state of automotive cybersecurity is quite opaque for consumers and regulators alike.

This is an area where legislative action seems appropriate, and fortunately, Congress appears to recognize the importance privacy and security will play in the responsible deployment of autonomous vehicles. HR 3388, the bipartisan SELF DRIVE Act, passed out of the House in early September. The bill addressed a number of the concerns that CDT had with an earlier package of autonomous vehicle legislation while including both privacy and security provisions, but it isn’t perfect. For example, Congresswoman Zoe Lofgren has noted that HR 3388 has a potentially significant loophole that could give automakers free rein over any automotive data that’s encrypted for some period of time.

Yet there is the opportunity to improve the aims of the SELF DRIVE Act as similar legislation works its way through the Senate. Without legislative action that protects the privacy and security of driver and car data, consumers will be left with the limited voluntary guidance from NHTSA and the limited enforcement abilities of the FTC.