Texas attorney general probes connected-car companies’ data privacy practices

At least four car companies’ data collection and sharing practices are under investigation by the Texas attorney general’s office for potentially violating state law on deceptive trade practices, according to documents obtained by Recorded Future News.

Kia, General Motors, Subaru and Mitsubishi received “civil investigative demand” letters from the office's consumer protection division in late April.

It’s the first known request for documents from connected car companies by a state investigative body as part of an enforcement review, experts say.

The California Privacy Protection Agency announced it would probe the data collection and sharing practices of connected-car companies and technologies in July, but the status of that inquiry is unknown. 

Texas’ comprehensive data privacy law does not come into effect until July 1 — which car privacy experts said they consider to be notable in light of the attorney general’s letters.

“Asking for data ahead of that date is aggressive, and may indicate the Texas AG is willing to start enforcement immediately upon the law becoming effective,” said Andrea Amico, CEO of Privacy4Cars.

It is unclear if more than four car companies are part of the probe. None of the automakers nor the Office of the Attorney General responded to requests for comment.

The consumer protection division demanded documents that identify each category and type of covered data collected, the methods used to gather that data, any agreements for a third-party to gather or share the data, and a list showing which makes and models of vehicles data was collected or shared from.

Texas defines covered data as any information collected about a car “regardless of whether deidentified or anonymized, that you obtained, directly or indirectly, from any vehicle sold by you.”

The car companies also were ordered to provide “each representation” made to car buyers regarding data collection and sharing, documents showing how they receive consent, company data governance policies and all public-facing privacy statements.

The state asked companies to supply information dating from 2019 to now. The manufacturers’ responses are due back to Attorney General Ken Paxton’s office by May 20.

Connected-car data collection and sharing has become increasinglycontroversial in recent months. On Tuesday the Federal Trade Commission issued its first public comment on connected cars’ data privacy policies since 2018, saying car manufacturers “should take note that the FTC will take action to protect consumers against the illegal collection, use, and disclosure of their personal data.”