Repairer Driven News
« Back « PREV Article  |  NEXT Article »

Sens. Lee, Merkley introduce bill promising consumers privacy, control over auto data

By on
Legal
Share This:

Sens. Mike Lee (R-UT) and Jeff Merkley (D-OR) have introduced bipartisan legislation that they say will restore vehicle owners’ control over their personal data.

The “Auto Data Privacy and Autonomy Act” aims to “prevent covered vehicle manufacturers from accessing, selling, or otherwise selling certain covered vehicle data, and for other purposes,” according to the bill text.

If passed, OEMs would have to obtain consent from vehicle owners to access data or only access data to improve covered vehicle performance or safety, according to the bill. “Covered vehicle performance” isn’t defined in the bill.

“Data” would encompass “all electronic data generated or processed onboard a covered vehicle, such as data generated by sensors, receivers, computer processing units, or other vehicle components; and data stored in a covered vehicle generated by the user of such covered vehicle.”

Consent must be “informed, specific, and unambiguous,” and freely given in writing. Permission could also be withdrawn, according to the bill.

The bill defines “covered vehicles” as motor vehicles, including those used for farming and construction.

The data could only be sold, leased, or shared if required by law or court order, for emergency response, or with consent of the vehicle owner.

A press release from Lee and Merkley states that connected vehicles are projected to make up 95% of all new vehicles on the road by 2030.

“Ownership should mean control,” said Lee, in the release. “Americans deserve to decide who has access to their personal data and how it is used—whether they are driving to work, harvesting crops, or operating machinery on a construction site. This bill empowers individuals to regain control of their vehicle data and restores transparency to a system that has left too many in the dark.”

Merkley added, “You shouldn’t be worried about billionaire corporations invading your privacy and stealing your data every time you start your car. Our bipartisan bill is a common-sense solution to ensure every American has control over their vehicle data and the freedom to choose how it is used.”

Rep. Eric Burlison (R-MO) has also introduced the companion bill in the House.

“Americans shouldn’t have to trade their privacy for convenience when driving their cars,” said Burlison, in the release. “This legislation prioritizes the rights of consumers, safeguarding their sensitive personal information from exploitation. I’m grateful to Sen. Mike Lee for leading this effort in the Senate. The Auto Data Privacy and Autonomy Act puts Americans back in the driver’s seat when it comes to their personal data. Americans should control their own data.”

President Joe Biden and legislators have previously discussed national security concerns when it comes to connected vehicle data. Those concerns are likely the reasoning behind a section of the law that prohibits OEMs from selling, licensing, renting, trading, transferring, releasing, disclosing, providing access to, or otherwise making available personally identifiable information (PII) of a U.S. citizen or lawful permanent resident to the Democratic People’s Republic of Korea, the People’s Republic of China, the Russian Federation, the Islamic Republic of Iran, and the Bolivarian Republic of Venezuela.

According to the bill, PII is information that directly identifies a person such as their name, address, social security number or other identifying number or code, phone number, or email address; or indirectly identifies someone by gender, race, or date of birth. It could also apply to anything that reveals a person’s physical location or internet activity.

The bill comes in the wake of several news stories addressing the use and sharing of consumer data by OEMs and insurance companies.

One such case involves a lawsuit filed by Texas Attorney General Ken Paxton against General Motors and subsidiary OnStar for “false, deceptive, and misleading” business practices related to the alleged collection and sale of more than 1.8 million Texans’ private driving data to insurance companies.

Paxton alleges GM did so without customers’ knowledge or consent.

In June, Paxton opened an investigation into several car manufacturers over allegations that the companies had improperly collected mass amounts of data about drivers directly from the vehicles and then sold the information to third parties.

The newly introduced bill would require the Federal Trade Commission (FTC) to submit a report to Congress 180 days after the bill is enacted to provide:

    • “The types of such data that a manufacturer of a covered vehicle accesses;
    • “The individuals and entities, other than a manufacturer of a covered vehicle, that access such data;
    • “The federal or state government entities that access such data and how such entities use such data;
    • “The individuals and entities to whom such data may be sold or otherwise shared;
    • “The foreign governments to whom such data may be sold or otherwise shared and how such data is used by such foreign governments;
    • “The cybersecurity capabilities and risks associated with covered vehicles; and
    • “Occurrences of such data being compromised, including the prevalence of such occurrences and any entities with ties to foreign governments associated with such occurrences.”

The press release notes that a recent Salesforce survey of more than 2,000 U.S. car owners and lessors showed confusion about what constitutes a connected car and how much data they collect.

“As connected vehicles communicate with manufacturers, insurers, and other entities, their owners face increasing challenges in managing data privacy,” the release states. “Currently, the separation of vehicle ownership and data ownership leaves drivers vulnerable to opaque data-sharing practices, invasive surveillance, and a lack of control over their own property.”

The legislators said the bill would ensure vehicle owners have essential data rights and protections by:

    • Mandating that OEMs establish opt-in features for vehicle data collection.
    • Prohibit OEMs from sharing, selling, or leasing collected customer data without explicit consent, with narrow exceptions required by law.
    • Barring data sharing with adversarial nations.
    • Directing the FTC to report to Congress on data collection practices.
    • Allowing vehicle owners access to their vehicle’s data through technology-neutral standards set by the National Institute of Standards and Technology (NIST). According to the bill, owners would have access without having to pay a fee, purchase a license to decrypt operator data or use a device provided by the OEM to access and use operator data.
    • Giving owners the right to delete their data after connecting to a vehicle.
    • Protecting OEM confidential business information while safeguarding consumer rights.

The FTC will also be required to submit a report, not later than 180 days after the date of enactment, on the current practices employed for operator data generation, storage, transmission, and cybersecurity to the Senate Committee on Commerce, Science, and Transportation and the House Committee on Energy and Commerce.

One year after the reports are submitted, the law would require the FTC, NIST director, vehicle manufacturers, vehicle owners, and other agencies, as necessary, to work together to establish one or more standards for a technology-neutral, standards-based, secure interface. The standards decided on would be reviewed in five years and then every five years after, according to the bill.

Violation of the law, if approved, would be a federal unfair or deceptive act or practice.

Images

Featured image credit: metamorworks/iStock

Share This: