The troves of data collected by today’s modern connected cars has long been viewed as a cash cow — a yet untapped opportunity that could boost profits for automakers. Now one California agency wants to know exactly how that data might be used.
The California Privacy Protection Agency announced plans this week to review the data privacy practices of automakers that make and sell connected vehicles embedded with all kinds of data-mining features, from cameras and location sharing to web-based entertainment and smartphone integration.
“Modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle,” CPPA executive director Ashkan Soltani said in a statement. The aim, Soltani said, is “to understand how these companies are complying with California law when they collect and use consumers’ data.”
The CPPA’s review is a first in the United States, where automakers have enjoyed a more lax data privacy environment compared to Europe. But that could soon change, at least in states that have passed data privacy laws like California, Connecticut, Colorado, Utah and soon Virginia.
So far, California is the first to conduct a review of how automakers use connected car data, an action that aligns with the state’s lead in data privacy laws. The Agency is conducting this review under the California Consumer Privacy Act, a law adopted in 2018 that gives individuals in the state the right to know the personal information collected about them by businesses, the right to delete that information and the right to stop its sale or sharing.
Privacy advocates have raised concerns about the downside of connected cars for years because these vehicles often automatically gather consumers’ locations, personal preferences and other details about their daily lives. Those concerns have grown as automakers have stepped up their software game in a bid to catch up with Tesla.
Today, a new 2023 model year vehicle likely has an infotainment system with an array of third-party apps as well as cameras, including one facing the driver as part of its advanced driver assistance system. A growing number of vehicles have “Google built-in,” software based on the company’s Android operating system that has been adapted for automotive and integrates all of Google’s app directly into the vehicle.
The agency said California has more than 35 million vehicles registered in the state. That’s not counting the millions more registered in other states that are on California roads. This saturation of connected cars has implications even for individuals who don’t own the vehicle, including ride-hailing customers and even pedestrians.
Internet-connected vehicles produce huge amounts of data when driven, data which is then shared with manufacturers and held for years under privacy policies that allow vast and near-unrestricted use of the data they collect. Manufacturers can share or sell that information with data brokers, which when combined with web browsing and phone data can be used to profile users for targeted advertising.
Collecting huge amounts of vehicle data also makes it obtainable by law enforcement agencies, which can demand vehicle data from in-car entertainment systems, collected by car manufacturers, and used for tracking and surveillance.
Google noted in a statement provided to TechCrunch that it does not have access to any vehicle data unless automakers choose to license Google products.
“In all instances data is used in accordance with our Terms of Service and Privacy Policy,” the company said, providing a link to that policy. “Drivers also have the option to change privacy settings for Google apps and services at any time. This extends to what is shared with third parties.”
GM pointed TechCrunch to its policy as well, noting that it is committed to protecting customers’ personal information.
“GM takes data privacy seriously and is committed to safeguarding personal information,” the company said in an emailed statement. “For every GM vehicle, the vehicle owner must accept GM’s User Terms and Privacy Statement to use these products and services. These documents detail our data practices and are available online for consumers to review.”