California, home to the highest number of registered vehicles in the U.S., is at the forefront of a critical issue – the privacy practices of automobile manufacturers and vehicle technology firms.

The California Privacy Protection Agency (CPPA), the state’s privacy enforcement authority, has announced that it is launching an enforcement initiative. This initiative seeks to scrutinize the burgeoning pool of data accumulated by connected vehicles and assess whether the commercial practices of the firms gathering this data align with state regulations. This announcement signifies a crucial priority in privacy enforcement, highlighting the escalating focus on personal data management within the automotive industry.

Connected vehicles can accumulate a plethora of data through built-in apps, sensors, and cameras. As Ashkan Soltani, the executive director of CPPA, aptly describes, “Modern vehicles are effectively connected computers on wheels.” These vehicles monitor not only the occupants but also individuals in proximity. Location data, personal preferences, and information about daily routines are readily available. The implications are wide ranging; data can facilitate extensive consumer profiling, anticipate driving behavior, influence insurance premiums, and even assist urban planning and traffic studies.

While the commercial value of this data is undeniable, concerns about its management are growing. California’s enforcement announcement aims to probe this area, demanding transparency and compliance from automobile manufacturers. The CPPA will investigate whether these companies provide adequate transparency to consumers and honor their rights, including the right to know what data is being collected, the right to prohibit its dissemination, and the right to request its deletion. This type of regulatory scrutiny could also trickle down to the vast commercial network of supply, logistics, trucking, construction, and other industries that use tracking technologies in vehicles.

This concern extends beyond U.S. borders. European regulators have urged automobile manufacturers to modify their software to restrict data collection and safeguard consumer privacy. For instance, Porsche has introduced a feature on its European vehicles’ dashboards that allows drivers to either grant or withdraw consent for the company to collect personal data or distribute it to third-party suppliers. Furthermore, European regulators have launched investigations into the automotive industry’s use of personal data from vehicles, including location information.

In the wake of an investigation by the Dutch privacy regulator, Tesla has amended the default settings of its vehicles’ external security cameras to remain inactive until a driver enables the outside recording function. Moreover, the camera settings now store only the last 10 minutes of recorded footage, instead of the hour of footage previously stored. The Dutch regulatory body also stated that it infringes on privacy for the cameras to record individuals outside the vehicles without their consent. In response, Tesla’s new update includes features that alert passengers and bystanders when the external cameras are operating by blinking the vehicle’s headlights and displaying a notification on the car’s internal touchscreen. Such European investigations may indeed inform California’s regulatory approach.

However, the privacy landscape of connected cars is intricate. Automobile manufacturers, satellite radio companies, providers of in-car navigation or infotainment systems, and insurance firms are part of this complex ecosystem. For example, Stellantis, the parent company of Chrysler, recently established Mobilisights to license data to various clients, including competitor car manufacturers, subject to strict privacy safeguards and customer consent to data usage.

As the CPPA conducts its first investigation, it marks a critical juncture, potentially shaping the future of privacy regulations and practices in the automotive industry, as well as the broader concept of mobile technologies. California’s initiative is not just a state issue — it could indicate a broader trend toward stricter regulation and enforcement in the sector. As connected cars become more common, regulators, the industry, and consumers must all navigate this complex landscape with a sharp focus on privacy.

For more information and other updates and alerts regarding privacy law developments, subscribe to Bradley’s privacy blog Online and On Point.

Erin Jane Illman

Erin Illman is a dynamic problem solver with a strong understanding of U.S. and international private-sector privacy laws and regulations and the legal requirements for the transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions. She regularly advises clients on CCPA, GLBA, HIPAA, COPPA, CAN-SPAM, FCRA, security breach notification laws, and other U.S. state and federal privacy and data security requirements, and global data protection laws. In addition to providing proactive privacy and information security compliance and legal advice, Erin manages privacy-related enforcement actions and litigation. Her practice includes representing companies in reactive incident response situations, including insider cybersecurity threats, electronic and physical theft of trade secrets, and investigation, analysis, and notification efforts with respect to security incidents and breaches.

Sinan Pismisoglu

Sinan Pismisoglu advises clients on product development, privacy and security compliance, AI ethics, SaaS contracting, Big Data, data licensing and ownership, supply chain and vendor management, and incident preparedness and response. He solves complex cybersecurity, information security, compliance, and operational issues beginning with early planning and prevention through detection, remediation, and crisis management. Sinan collaborates with engineering teams to create compliance-integrated risk management frameworks, governance, and ethics programs for emerging technologies such as AI/ML, cybersecurity, IoT, and cloud models.