FTC fires 'shot across the bow' at automakers over connected-car data privacy

The Federal Trade Commission (FTC) warned auto manufacturers on Tuesday that it is closely watching their data collection and sales activities, citing several recent enforcement actions which it suggested could apply to the industry’s practice of sharing sensitive car data with advertisers.

The comments, made in a blog post, gave special attention to the sale of geolocation data and what the agency called the “surreptitious disclosure of sensitive information.”

“Car manufacturers—and all businesses—should take note that the FTC will take action to protect consumers against the illegal collection, use, and disclosure of their personal data,” the blog post said, noting that connected cars and data privacy have been on its “radar for years.”

FTC blog posts are seen as a mechanism for the agency to informally alert industry to rein in potentially illegal activities.

The agency’s announcement emphasized that geolocation data sales in particular are subject to “enhanced protections” under the FTC Act. 

“Cars are much like mobile phones when it comes to revealing consumers’ persistent, precise location,” the blog post, which was produced by the agency’s Division of Privacy and Identity Protection, said. 

“In a series of seminal cases in recent years, the Commission has established that the collection, use, and disclosure of location can be an unfair practice,” it added.

The cases the agency cited in the post include recent settlements with two firms selling geolocation data to advertisers. One of those cases, against the data broker Outlogic, centered on FTC allegations that the peddled data could be used to track consumers’ visits to sensitive locations such as reproductive health clinics.

A second case cited in the post involved the data broker InMarket Media, which the FTC alleged illegally used sensitive data to organize consumers into advertising audience segments.

FTC blog posts are usually the result of significant internal discussion informed in part by public listening sessions and workshops held by the agency, said John Davisson, director of litigation at the Electronic Privacy Information Center.

“These posts are a warning to industry and to regulated entities … take note, fix your business practices, if they're not compliant with this,” Davisson said, adding that they are “a way for the FTC to convey this is the way they're going to approach enforcement.”

Defense lawyers often publicly flag FTC blog posts on their firms’ websites “because these attorneys that do compliance work are trying to read the tea leaves and make it clear to their clients and others that these are the rules of the road,” he said.

Car privacy advocate Andrea Amico, who is CEO of Privacy4Cars, said the blog post is a “big shot across the bow from the FTC to the broad auto industry — not just the manufacturers — on the need to dramatically step up their privacy practices on disclosure, use, and disposal of the growing amount of personal information vehicles collect, store, and transmit.”

Quiet since 2018

Tuesday’s post is the agency's first public comment on connected cars since 2018 aside from a short release advising consumers to wipe their data from rental cars last year. It comes at a time when U.S. senators are publicly pressuring the agency to take action against automakers for data privacy violations.

In addition to the warning about the use of geolocation data, the agency cautioned that companies with access to customers’ sensitive data “must ensure that the data is used only for the reasons they collected that information.”

The post then cited the FTC’s recent settlement with BetterHelp, a company offering online counseling, which shared customers’ email addresses and information gleaned from health questionnaires with third parties who used it for advertising.

The agency also referenced its recent settlement with Rite Aid, which it went after for allegedly using faulty facial recognition technology to identify problem customers. The blog post said industry should note that case because it underscores that “firms do not have the free license to monetize people’s information beyond purposes needed to provide their requested product or service, and firms shouldn’t let business model incentives outweigh the need for meaningful privacy safeguards.”

Data minimization also was a focus of the blog post, which said that the best way for companies to ensure they do not harm consumers by improperly using their data is to not collect it in the first place.

The car data privacy issue has been a focus for consumer advocates in recent years. Matt Schwartz, a policy analyst at Consumer Reports, said his organization has urged the FTC to investigate how automakers collect and share driver behavior data with insurers and data brokers.

"Consumers deserve to use their vehicles without feeling their every move is being tracked or used against them,” Schwartz said.