Automakers and FCC square off over potential regulations for connected cars
Car manufacturers and the Federal Communications Commission (FCC) are gearing up for a potential fight over whether connected cars should be regulated as small pieces of telecom infrastructure — a decision that would have vast implications for how vehicles handle consumer data.
In recent letters obtained by Recorded Future News, automotive companies pushed back against inquiries from FCC Chairwoman Jessica Rosenworcel about whether everyday vehicles are so technologically advanced that they might be subject to new regulations.
Rosenworcel’s inquiries come at a time when connected cars are under increasing scrutiny, with lawmakers imploring another agency, the Federal Trade Commission (FTC) to regulate the industry. Recent news reports have also revealed how law enforcement uses data supplied by car companies without driver consent, how connected cars facilitate stalking and how auto manufacturers sell driver information to data brokers who in turn sell it to insurance companies.
Rosenworcel’s letters to the automakers, sent in January, cited the FCC’s responsibility for enforcing the Safe Connections Act (SCA) — a 2022 law meant to protect the telecommunications of domestic abuse survivors — but her questions had implications beyond it.
The FCC chair notably focused on whether car companies can be designated as “mobile virtual network operators” (MVNOs), which would open them up to new regulations requiring significantly more transparency on data practices and restrictions on the sharing or selling of geolocation records.
MVNOs are companies or other entities that offer wireless service over network infrastructure that they don’t own. Privacy advocates argue that connected cars easily fit the definition.
“The concept is that vehicles with telematics are like smartphones that just happen to be so large you can drive in them, but they are connected through a captive network paid for by the vehicle manufacturer, branded by the manufacturer and retailed directly to consumers by the manufacturer,” Andrea Amico, founder of Privacy4Cars, a technology company, said via email. “That is what MVNOs do.”
Privacy4Cars focuses on the myriad issues surrounding connected cars, including directions on how to wipe data for thousands of makes and models as well as a portal where customers can check what data their vehicles collect.
Privacy advocates and FCC experts said Rosenworcel’s focus on whether connected cars qualify as MVNOs signal that she is looking for ways to put more muscle into oversight of automakers.
The FCC did not respond to multiple requests for comment. Rosenworcel has not made the industry’s response letters easily accessible to the public, unlike in 2022 when she prominently published manufacturers’ letters responding to a query about their geolocation data policies, according to Chris Frascella, counsel at the Electronic Privacy Information Center.
A search for answers
Rosenworcel received responses from the nine car manufacturers to which she sent her inquiry — Ford, General Motors, Honda, Hyundai, Mercedes-Benz, Nissan, Stellantis, Tesla and Toyota.
She asked the automakers to state whether they or a related company, such as a parent, affiliate or subsidiary, “operates as a mobile virtual network operator (MVNO) or as another communications provider in order to provide connected car services or other in-vehicle connectivity.”
Seven of the nine car manufacturers responded that they do not operate as MVNOs. Two others — Tesla and Mercedes-Benz — did not directly address the question.
Whether cars can be designated as MVNOs has broad implications. Companies deemed to be MVNOs can’t reveal consumer data without permission, other than under a few exceptions, noted Harold Feld, senior vice president at the advocacy group Public Knowledge. Automakers would face restrictions on sharing drivers’ geolocation records and potentially other data. Other requirements would include providing simpler and easier to understand transparency notices at the point of sale.
At a recent public event, Hilary Cain, senior vice president of policy for the Alliance for Automotive Innovation, acknowledged that car companies need to do more to clearly convey their data privacy policies to consumers.
Cain was not speaking in the context of whether connected cars should be considered MVNOs, but she has been the point person for industry pushback against any new FCC regulation.
“Maybe we as an industry need to be rethinking how we're doing notice and consent,” Cain said during a panel focused on automotive data privacy and safety hosted by the Future of Privacy Forum.
“We’re trying to course correct that,” she added.
Not just car companies
Rosenworcel also sent letters to the three telecommunications giants whose infrastructure the car companies lease to provide connected car services. AT&T, T-Mobile and Verizon did not specifically reference MVNOs in their responses, but did make clear that they provide wireless connectivity to car companies, who then resell it, which experts and privacy advocates say meets the definition of an MVNO.
The telecommunications companies are saying: “Look, don't blame us — we sell the service to Ford or GM or whoever so that's an enterprise service,’” said Feld, an FCC and telecommunications expert. “Yeah sure, but then it's the car company that resells it to the consumer and that's classic MVNO stuff."
The three telecom carriers declined to comment when Recorded Future News asked about their exchanges with the FCC.
Feld said the commission would need to hold proceedings to move forward with such designations, but in his view the responses offered by the three carriers Rosenworcel reached out to “provide the basis for a theory that these guys are MVNOs.”
An intensifying debate
There are two ways that connected cars could fall under the MVNO umbrella, Feld said, though there is some ambiguity because connected car regulation would be new terrain for the FCC.
The first stems from how connected cars arguably offer qualifying voice services bundled with the data capabilities they pick up from carriers and pass on to consumers.
The second way, Feld said, is that the new SCA authorities explicitly include regulation of private mobile networks, which could be extended to a reseller.
“This is why the commission would like more details,” Feld said. “The nature of the capacity sold by the carrier to the car manufacturer, and then the nature of the service sold by the manufacturer to the owner of the car, will determine if it is an MVNO.”
The car industry lobby has resisted the prospect of new regulation and sent Rosenworcel a letter in January saying so after the FCC asked automakers for more information.
“Automakers do not have ‘shared mobile service contracts’ associated with separate lines in a single vehicle,” Cain said in the letter.
Cain added that vehicles are “associated with a telematics control unit which is not capable of making and receiving calls in the same manner as a telephone, but instead functions to place one-way calls to call centers operated by or on behalf of the automaker.”
The alliance’s position strikes at the heart of the debate. Cain argues that because automakers do not maintain call records or offer customer-facing call logs “in-vehicle connectivity offerings fall outside of the purview of the SCA and the problems associated with shared mobile service contracts that the SCA seeks to address.”
The alliance did not respond to direct questions about whether cars should be designated as MVNOs but provided Cain’s letter.
In their letters to Rosenworcel, the telecom carriers and car manufacturers make the same point.
A Verizon executive told the FCC the company assigns a “limited number of dialable geographic numbers” to a “few” automobile manufacturers, whose connected car equipment and offerings “may support in-car voice connectivity independent of the driver’s smartphone.”
“The extent to which those manufacturers offer their customers voice dialing capabilities depends on their agreements with their customers and the configurations of their systems and customer equipment,” the executive wrote in the company’s letter.
Amico points out that connected cars are assigned phone numbers, subscriber identity modules, known as SIMs, and an IMEI number, which is the unique identifier of a SIM card and allows mobile networks to know which device is connected and which handles the transfer of voice and data, Amico said.
It is hard to say how the commission will proceed, particularly given the possibility of overlapping FTC authority, Frascella said.
That agency has jurisdiction over data privacy and security, but has not yet issued an enforcement relating to connected cars. FTC and FCC officials have standing meetings to better manage their parallel consumer protection work, Frascella said.
“It’s kind of like how cybersecurity is right now in that we all recognize that there's a huge problem here,” he said. “So every agency is scrambling to fix it, but it's not clear who has overarching authority.”
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.