US Senator Edward Markey (D-Mass.) is one of the more technologically engaged of our elected lawmakers. And like many technologically engaged Ars Technica readers, he does not like what he sees in terms of automakers’ approach to data privacy. On Friday, Sen. Markey wrote to 14 car companies with a variety of questions about data privacy policies, urging them to do better.
As Ars reported in September, the Mozilla Foundation published a scathing report on the subject of data privacy and automakers. The problems were widespread—most automakers collect too much personal data and are too eager to sell or share it with third parties, the foundation found.
Markey noted the Mozilla Foundation report in his letters, which were sent to BMW, Ford, General Motors, Honda, Hyundai, Kia, Mazda, Mercedes-Benz, Nissan, Stellantis, Subaru, Tesla, Toyota, and Volkswagen. The senator is concerned about the large amounts of data that modern cars can collect, including the troubling potential to use biometric data (like the rate at which a driver blinks and breathes, as well as their pulse) to infer mood or mental health.
Sen. Markey is also worried about automakers’ use of Bluetooth, which he said has expanded “their surveillance to include information that has nothing to do with a vehicle’s operation, such as data from smartphones that are wirelessly connected to the vehicle.”
“These practices are unacceptable,” Markey wrote. “Although certain data collection and sharing practices may have real benefits, consumers should not be subject to a massive data collection apparatus, with any disclosures hidden in pages-long privacy policies filled with legalese. Cars should not—and cannot—become yet another venue where privacy takes a backseat.”
The 14 automakers have until December 21 to answer the following questions:
- Does your company collect user data from its vehicles, including but not limited to the actions, behaviors, or personal information of any owner or user?
- If so, please describe how your company uses data about owners and users collected from its vehicles. Please distinguish between data collected from users of your vehicles and data collected from those who sign up for additional services.
- Please identify every source of data collection in your new model vehicles, including each type of sensor, interface, or point of collection from the individual and the purpose of that data collection.
- Does your company collect more information than is needed to operate the vehicle and the services to which the individual consents?
- Does your company collect information from passengers or people outside the vehicle? If so, what information and for what purposes?
- Does your company sell, transfer, share, or otherwise derive commercial benefit from data collected from its vehicles to third parties? If so, how much did third parties pay your company in 2022 for that data?
- Once your company collects this user data, does it perform any categorization or standardization procedures to group the data and make it readily accessible for third-party use?
- Does your company use this user data, or data on the user acquired from other sources, to create user profiles of any sort?
- How does your company store and transmit different types of data collected on the vehicle? Do your company’s vehicles include a cellular connection or Wi-Fi capabilities for transmitting data from the vehicle?
- Does your company provide notice to vehicle owners or users of its data practices?
- Does your company provide owners or users an opportunity to exercise consent with respect to data collection in its vehicles?
- If so, please describe the process by which a user is able to exercise consent with respect to such data collection. If not, why not?
- If users are provided with an opportunity to exercise consent to your company’s services, what percentage of users do so?
- Do users lose any vehicle functionality by opting out of or refusing to opt in to data collection? If so, does the user lose access only to features that strictly require such data collection, or does your company disable features that could otherwise operate without that data collection?
- Can all users, regardless of where they reside, request the deletion of their data? If so, please describe the process through which a user may delete their data. If not, why not?
- Does your company take steps to anonymize user data when it is used for its own purposes, shared with service providers, or shared with non-service provider third parties? If so, please describe your company’s process for anonymizing user data, including any contractual restrictions on re-identification that your company imposes.
- Does your company have any privacy standards or contractual restrictions for the third-party software it integrates into its vehicles, such as infotainment apps or operating systems? If so, please provide them. If not, why not?
- Please describe your company’s security practices, data minimization procedures, and standards in the storage of user data.
- Has your company suffered a leak, breach, or hack within the last ten years in which user data was compromised?
- If so, please detail the event(s), including the nature of your company’s system that was exploited, the type and volume of data affected, and whether and how your company notified its impacted users.
- Is all the personal data stored on your company’s vehicles encrypted? If not, what personal data is left open and unprotected? What steps can consumers take to limit this open storage of their personal information on their cars?
- Has your company ever provided to law enforcement personal information collected by a vehicle?
- If so, please identify the number and types of requests that law enforcement agencies have submitted and the number of times your company has complied with those requests.
- Does your company provide that information only in response to a subpoena, warrant, or court order? If not, why not?
- Does your company notify the vehicle owner when it complies with a request?