Vehicle Data Privacy
While advanced safety technologies have the potential to provide enormous safety, convenience and other important benefits to consumers, stakeholders frequently raise data privacy concerns as a potential impediment to deployment. NHTSA takes consumer privacy seriously, diligently considers the privacy implications of our safety regulations and voluntary guidance, and works closely with the Federal Trade Commission (FTC) -- the primary Federal agency charged with protecting consumers’ privacy and personal information -- to facilitate the protection of consumer information.
Why It Matters
In the context of advanced and automated safety technologies, consumer acceptance is critical to effective and timely deployment. These technologies generate, use and may share a significant amount of vehicle data likely to be viewed by private citizens as sensitive and personal (for example, routes frequently travelled and precise addresses visited). Consumer avoidance of new technologies because of concerns about data privacy may slow deployment and undermine promising safety benefits (i.e., lives saved and injuries avoided).
Key Federal Agencies
Although NHTSA has broad regulatory authority over the safety of passenger vehicles, it is the FTC that is the primary Federal agency responsible for protecting consumer privacy. The FTC and NHTSA staff meet, coordinate, collaborate and communicate frequently on privacy issues related to motor vehicles, including those involving new technologies such as connected and automated safety systems. Most recently, in June 2017, the FTC and NHTSA jointly held a well-attended workshop in Washington, DC, to examine the consumer privacy and security issues posed by automated and connected motor vehicles. For information,visit: www.ftc.gov/news-events/events-calendar/2017/06/connected-cars-privacy-security-issues-related-connected
Authority Roles and Responsibilities
The Federal Trade Commission
The FTC has authority to bring actions against companies or individuals that engage in unfair or deceptive acts or practices, including those involving vehicle data privacy and security. The agency uses law enforcement, policy initiatives, and consumer and business education to accomplish its mission. In the motor vehicle context, for example, the FTC could use its enforcement authority in appropriate circumstances to bring an action against an automaker that uses a consumer’s data in a way that violates the manufacturer’s stated privacy policies. As the primary agency with authority over consumer privacy, the FTC has ongoing efforts related to protecting the privacy of consumers who use connected devices, which includes connected vehicles. The FTC and the FTC staff have convened stakeholder forums and issued formal and informal guidance, including reports and blog posts discussing security and privacy best practices for businesses. For example, a 2016 FTC business blog post provided advice to rental car companies on how to protect consumer privacy in connected rental cars (https://www.ftc.gov/news-events/blogs/business-blog/2016/08/leaving-info-behind-rental-cars). For more information about the FTC and consumer privacy, visit: https://www.consumer.ftc.gov/topics/privacy-identity-online-security.
National Highway Traffic Safety Administration
NHTSA has broad regulatory authority over the safety of passenger vehicles and to issue voluntary guidance or mandate standards through a rulemaking process to address safety. Its safety regulations and voluntary guidance apply primarily to manufacturers of motor vehicles and motor vehicle equipment. NHTSA takes consumer privacy seriously, but does not have a unique role or specific authority to regulate consumer privacy or third parties in the context of motor vehicles or motor vehicle data, or to enforce consumer privacy laws. NHTSA’s role with respect to the privacy of vehicle data is limited to instances when safety regulations may have privacy impacts on individuals.
Consistent with its existing authority, NHTSA is responsible for addressing privacy only in the following contexts:
- Like all Federal agencies, NHTSA diligently considers the privacy impacts of its activities, regulations and voluntary guidance, and informs the public about any consumer privacy impacts through its rulemaking notices and published privacy impact assessments.
- In the context of vehicle safety technologies that raise concerns about consumer privacy, NHTSA examines privacy as a component of public acceptance in our rulemaking process. This is an aspect of the “practicability” that the agency is required to consider when proposing a motor vehicle safety standard under the Motor Vehicle Safety Act.
- NHTSA may issue voluntary guidance on emerging safety technologies that incorporates data privacy best practices in order to enhance consumer acceptance and avoid delaying deployment.
Voluntary Guidance: Automated Driving Systems
NHTSA’s voluntary guidance on Automated Driving Systems is an example of our use of voluntary, non-regulatory guidance to address consumer privacy and acceptance issues that may slow deployment of promising vehicle safety technologies. The agency has engaged in an active dialogue with the FTC, manufacturers, privacy advocates, and other stakeholders about the scope and mitigation of potential privacy impacts on consumers that could stem from automated driving systems. A recent highlight of this ongoing dialogue was NHTSA’s sponsorship with the FTC of the June 2017 workshop examining consumer privacy and security issues posed by automated and connected motor vehicles.
In November 2017, ADS 2.0: A Vision for Safety replaced the FAVP as the policy framework and NHTSA’s operating guidance for ADS. NHTSA intended A Vision for Safety to be a clearer, more streamlined and less burdensome guidance document. In so doing, NHTSA reiterated that “privacy considerations are critical to consumer acceptance of ADS and should be taken into account throughout the design, testing and deployment process.” The agency also indicated that it would continue to work closely with the FTC when motor vehicle safety matters have potential consumer privacy implications.
Documents appearing in the External Information portion of this Web site are provided in the interest of information exchange. The opinions, findings and conclusions expressed in the documents are those of the author(s) and not those of the Department of Transportation or the National Highway Traffic Safety Administration. The United States Government does not endorse products or organizations.
Data Generated by Vehicles
Automotive Industry Privacy Principles
- Global and Alliance FTC Letter Regarding Consumer Privacy Protection Principles for Vehicle Technologies and Services (PDF, 1.5 MB)
NHTSA welcomes feedback on the draft content of its Vehicle Data Privacy web page. The Agency will accept suggestions and comments via email to NHTSAPrivacyCounsel@dot.gov.
Search for more resources
Remarks at SAE/NHTSA Cybersecurity Workshop
||Speeches and Presentations||01/23/2018|
NHTSA and Vehicle Cybersecurity
Cybersecurity Best Practices For Modern Vehicles
A Summary of Cybersecurity Best Practices
National Institute of Standards And Technology Cybersecurity Risk Management Framework Applied to Modern Vehicles