California Opens Privacy Probe Into Who Controls, Shares the Data Your Car Is Collecting

California’s new privacy regulator said Monday it is embarking on its first-ever enforcement action: a review of the privacy practices of connected automobiles. 

The California Privacy Protection Agency—created under a ballot initiative in 2020 and the only regulator in the nation solely dedicated to privacy issues—will examine the growing amalgamation of data collected by smart vehicles and whether the business practices of the companies collecting that data comply with state law.

“Modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built in apps, sensors, and cameras, which can monitor people both inside and near the vehicle,” Ashkan Soltani, the agency’s executive director, said in a statement.

U.S. regulators’ scrutiny of the data lags behind such efforts in Europe, which has forced automakers to update software to limit the collection and protect the privacy of consumers. 

Porsche provides a menu on vehicle dashboards where European drivers can give or withdraw their consent for the company to collect personal data or share it with third-party suppliers. 

Regulators in Europe also have opened investigations into how the auto industry uses personal information from cars such as location data. In February, Tesla agreed to offer a software update in Europe to change camera settings in cars after the Dutch privacy regulator investigated the company. Tesla disabled vehicles’ external security cameras by default until a driver turns on the function to record activity outside a car and changed the camera settings so they only save the last 10 minutes of footage recorded from outside the cars, compared with one hour of footage they previously had saved. 

The Dutch regulator also said it was a privacy violation for the cameras to extensively record people outside of cars without their knowledge. The Tesla update also included features to warn people inside and outside of cars that the external cameras are recording. Headlights blink if the cameras are recording and a message is displayed on a touch screen inside the cars.

Automobiles represent the latest frontier for regulators, raising fresh questions about who will control the data generated by vehicles as they move through the world. Numerous companies are in a position to access the data—including the automakers themselves, companies that make or run in-car navigation or infotainment systems, satellite radio companies and in-vehicle security and emergency services providers. Insurance companies have also been encouraging consumers to share information about their driving behavior, sometimes in exchange for a discount.  

All the data has commercial potential. In some cases, it can be used by insurers in determining how to set rates, evaluate risk and gauge safe driving behavior. It also can be used in urban planning and traffic studies; to help make real-estate decisions such as where to open a franchise or outlet; or be used in economic forecasting. In some cases, data brokers make vehicle data available for sale—stripping it of personal information such as names. People’s movement patterns are often unique, however, and their real-world identities can be inferred in large-scale location data sets even when the data is stripped of personal information.

Law-enforcement agencies also can now obtain the historical location of suspects, usually with a warrant. The sensors on modern cars have raised national-security concerns as well. China in 2021 banned certain officials from owning or driving Tesla vehicles citing concerns that data the cars gather could be a source of national-security leaks, The Wall Street Journal has reported.

California has been at the forefront of consumer-privacy issues in the U.S. In 2018, it passed the nation’s first California Consumer Privacy Act and expanded the law in 2020 by ballot initiative approved by voters. In the years since, 10 other states have passed similar laws and others are weighing whether to do so. Violations of California privacy laws can be punished by fines. As a relatively new agency, the California Privacy Protection Agency wasn’t authorized to begin enforcement activities until July 1. 

The agency has jurisdiction over technology companies that either have an annual gross revenue of over $25 million; buy, sell or share the personal information of more than 100,000 state residents, or derive more than 50% of their annual revenue from selling or sharing California residents’ data.

Write to Byron Tau at [email protected] and Catherine Stupp at [email protected]