Connected car data privacy under investigation by California regulator

How automakers make use of data collected by connected cars is coming under scrutiny in California. On Monday, the California Privacy Protection Agency announced that it will review the data privacy practices of connected vehicle manufacturers. The agency is empowered to do so thanks to a 2018 state law, the California Consumer Privacy Act.

"Modern vehicles are effectively connected computers on wheels. They're able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle," said Ashkan Soltani, CPPA's executive director.

"Our Enforcement Division is making inquiries into the connected vehicle space to understand how these companies are complying with California law when they collect and use consumers' data," he said in a statement.

Connected cars are fast becoming ubiquitous—it may well be impossible to buy a new car, truck, or SUV in 2023 that doesn't have at least one embedded modem in it. In the mid-2010s, many OEMs saw dollar signs at the prospect of monetizing data collected by their deployed vehicle fleets, and unlike with cellphones, it can be hard or impossible to disable location tracking in one's car.

"Under the California Consumer Privacy Act, geolocation is considered personal information. People have the right to say no to being tracked in their cars, but it is unclear if car companies are providing this right," said Justin Kloczko, a privacy advocate at Consumer Watchdog. "These companies know more about us than we know about ourselves, and they’re the ones in control of our personal information, not us," Kloczko said.

These fears are not abstract; class-action lawsuits have been brought against both Ford and data broker Otonomo, albeit unsuccessfully in both cases. And earlier this year, we learned that Tesla employees shared "highly invasive videos and images recorded by customers' car cameras" from 2019 until at least mid-2022.