
Commerce Department IoT panel says car dealers should display privacy labels on vehicles

A Commerce Department advisory board on Tuesday called on government agencies and Congress to require car dealers to prominently display privacy disclosures on vehicle windshields as part of a broad range of recommendations concerning internet-connected devices.

The report, issued by Commerce’s Internet of Things (IoT) Advisory Board with help from officials with the National Institute of Standards and Technology (NIST), also says industry as a whole should offer universal opt-outs allowing consumers to more easily manage privacy settings across various IoT devices.

The report's recommendation for easy-to-understand and succinct privacy disclosures on Monroney labels — the windshield stickers dealers use to tell buyers a given car model’s fuel efficiency and safety ratings — comes as automakers are facing intense pressure to address the data privacy concerns presented by connected cars.

The labels should disclose whether vehicles collect personal data, whether the data is sold and whether universal opt-out from data collection is possible, the advisory board’s report says. It also recommends the labels include a QR code linking to an online privacy policy.

“This initiative is primarily driven by the need to enhance consumer protection and address growing concerns over personal data use and sharing by IoT devices in automobiles,” the report says, citing a 2023 Mozilla Foundation probe which documented widespread failures by automakers to protect consumers’ privacy and clearly notify them about data collection and sharing practices.

The 16-member advisory board includes leadership from top industry trade associations, academia, consultancies and two privacy experts, one of whom is the former chief privacy officer at the Commerce Department. 

The Alliance for Automotive Innovation, the top auto industry lobbying group, opposed the privacy sticker recommendation in writing and at a public meeting, but the advisory board decided to adopt the recommendation anyway after board member and privacy and emerging technology expert Debbie Reynolds briefed members on the positive impact labeling could have on consumer privacy, she said.

The auto trade association said in a statement that it is reviewing “the recommendations from NIST and the IoT advisory board. Automakers already provide consumers clear notices about the collection and use of vehicle data. That’s been in place for years.”

“The question is whether the Monroney label – which is already jammed with information on safety and fuel economy and vehicle features – can accommodate additional and meaningful new information on the complex topic of privacy and vehicle data,” the statement said.

Many automakers give drivers limited control over their data and have poor privacy breach track records, the report says, citing the Mozilla Foundation’s findings.

Few if any major automakers adhere to “voluntary consumer protection principles” focused on data privacy which are included in an Alliance for Automotive Innovation industry pledge, the advisory board’s report says.

Mozilla’s findings spurred Sen. Ed Markey (D-MA) to ask 14 major auto companies to supply information about how they use customer data. In February, he told Federal Trade Commission (FTC) Chair Lina Khan that most of the car manufacturers sidestepped his questions and called on the agency to investigate the auto industry’s privacy practices.

The advisory board’s report has been shared with an IoT-focused federal working group composed of government officials, which will work with executive branch agencies and Congress to determine whether legislation is required to update the stickers to include privacy language or whether the executive branch can implement the rule, Reynolds said.

The labeling recommendation is much needed and should be designed and enforced by the FTC, car privacy expert Andrea Amico said via email.

“So many consumers tell us they had no idea their car is ‘a smartphone on wheels’ that can transmit data to the manufacturer and other companies,” said Amico, who runs Privacy4Cars, a privacy technology company which helps consumers and businesses better understand data privacy concerns related to connected cars. 

“Too often this is not prominently disclosed or explained by dealers early in the shopping experience,” he added.

Easy-to-control privacy settings

Creating a universal opt-out mechanism for consumers using IoT devices and applications will allow users to more easily set their privacy preferences, the report says.

The data collection capabilities of IoT devices are staggering, Reynolds said in an interview. 

For example, smart thermostats are able to extract information from an owner’s phone, including geolocation, she said. Baby monitors and some other IoT devices can gather audio and video from inside consumers’ houses.

“There really is no limit to what they can collect,” Reynolds said. 

Hackers also have frequently breached IoT devices to commit cybercrimes.

IoT manufacturers and app developers will likely push back on the proposal due to potential costs and complexities involved in establishing the program, the report says, acknowledging that setting up a universal opt-out system will be challenging technologically.

The report includes several other privacy-oriented recommendations, including that Congress and the executive branch regulate third-party sharing and use of IoT device data, push manufacturers to use more digestible language in privacy policies and require notices so consumers know when IoT devices default to allowing location tracking.

The report is significant not only for how it can enhance IoT privacy for Americans, but also for how it will serve as a model worldwide, Reynolds said.

Few if any countries beyond Singapore have “really taken a stand on creating comprehensive standards around Internet of Things devices,” Reynolds said, asserting that U.S. leadership on the issue can “influence the whole globe.”

The advisory board’s report will not “just gather dust,” Reynolds said, because the federal working group is legally required to provide an implementation plan or say why a given recommendation won’t be implemented.

All executive branch agencies will receive the advisory board’s report.

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.