Josie Croce, Contributing Member 2023-2024
Editor-in-Chief 2024-2025
Intellectual Property and Computer Law Journal
I. Introduction
Connected cars, or cars with internet access, present a real threat to victims of domestic violence because an abuser may use them as a tool to track the location and movement of a victim’s car. It is expected that over 95% of passenger cars sold will have embedded internet access by 2030.[1] Connected cars offer features like navigation tools, hands-free calling, and infotainment systems.[2] For these features to function, however, automakers collect and retain data on the users, paving the way for misuse of personal data by automakers and domestic abusers.[3]
Although some automakers allow users to opt out of the connected services and data-sharing functions, many users are unaware of the breadth and amount of data collected about them through their car.[4] In fact, 65% of drivers are unfamiliar with what a connected car is, and many drivers are hesitant about automakers’ data collection.[5] While data collection is legal, few drivers are comfortable with their car harvesting sensitive information like their geolocation, voice recordings, biometric data, and text messages.[6]
This article explores connected cars and the personal data collected through this technology. Part II provides background on how connected cars operate, what kinds of data are collected, and the potential for misuse and abuse of this data. Part III discusses the legal protections for users’ personal data at the state and federal level, and Part IV concludes that these laws should be extended to include protection of intrusive data collected by connected cars.
II. Background
In-Vehicle Infotainment and Connected Smartphone Apps
In-vehicle infotainment systems allow car users to utilize information, entertainment, and communication sources on a display screen on their dashboard.[7] Through Apple’s CarPlay and Android Auto, users can connect their mobile phones to the in-vehicle infotainment system and display their apps on screen.[8] Apple even boasts that CarPlay can reach into a user’s iPhone and use their email, text messages, and calendars to predict where they’re going.[9]
The global market for in-vehicle infotainment systems was valued at $29,000,000,000 in 2021 and is expected to continuously increase as automakers seek to meet an increase in demand for luxury cars.[10] In-vehicle infotainment systems are extremely prevalent in the car industry today: ninety-seven percent of new cars globally have a touch screen and a quarter of U.S. cars and trucks have displays that are eleven inches in length or more.[11]
Aside from in-vehicle infotainment systems, many automakers also offer mobile phone apps that permit owners to connect to their car and perform special features remotely.[12] For example, Ford offers “FordPass,” an app that allows users to stop and start their car, check their fuel level, and view their vehicle health.[13] Toyota offers an app that allows users to find their car in a crowded lot, start their engine, and lock their car.[14] Chrysler, Dodge, Jeep, Ram, and Fiat offer Connected Services, which allows users to make and receive calls on their in-vehicle infotainment system, activate features on their car, and receive monthly reports on their vehicle.[15]
What data is being collected, maintained, and used
While automakers promote their cars as “computer[s] on wheels,” there are privacy risks associated with the amount of user data being collected.[16] Generally speaking, different automakers collect a wide range of different types of personal data. Consumers contract and consent to data collection policies when they purchase or lease a vehicle equipped with connected technology.[17] Automakers collect intrusive personal data like users’ name, address, phone number, email address, current and past vehicle location data, vehicle odometer readings, vehicle fuel level, interior and exterior images, and driving data regarding the vehicle’s acceleration, braking, steering, and seat belt usage.[18]
Equally concerning for users is the automakers’ policy on what automakers are permitted to do with the personal data they collect.[19] In a study of twenty-five automakers, most have privacy policies that permit the automaker to collect, share, and sell user data.[20] In addition, a majority permit the sharing of information with government entities.[21]
Data leaks and misuse
The collection of user data has, in the past, resulted in serious misuse by automakers. Tesla was publicly criticized after it was revealed that their employees were messaging each other videos and images recorded by their customers’ car cameras.[22] In Tesla’s internal messaging system, employees shared recordings of crashes and other car-related incidents captured by the cameras that are installed in every Tesla vehicle.[23] Although Tesla’s privacy policy promised owners that “camera recordings remain anonymous and are not linked to you or your vehicle,” several former employees claim they could see the location of the recordings.[24]
Outside of misuse, there are also potential leaks of personal data. For instance, in April 2023, Toyota issued a notice that 2,150,000 customers’ data had been exposed on the internet due to a “cloud misconfiguration.”[25] The data exposed included user email addresses, the location of the vehicles, and videos recorded from cameras in the car.[26]
Victims of domestic violence
The geolocation of connected cars has the potential to be used as a tool of domestic abuse.[27] The New York Times highlighted the threat that connected cars pose after a Mercedes-Benz owner tried to flee from her abusive husband to no avail, because he was able to track the movements of her car through his connected mobile phone app.[28] The owner received a restraining order against her husband and was granted sole use of the car during their divorce proceedings.[29] But, when she requested that Mercedes remove her husband’s access to the connected app, Mercedes refused because the loan and title were in his name.[30] In a similar case, another victim of harassment reported that her husband would turn on her Lexus—using the connected app—as it sat in her garage at night.[31] These women were unable to receive any help from the automakers to take away their abusers’ connection to their vehicles; the Mercedes-Benz owner hired a mechanic to disable her car’s navigation system and the Lexus owner sold her car.[32]
III. Discussion: Legal Protection for Users
Suing automakers for negligence
As connected cars and apps become a potential tool for abuse in the context of domestic violence and stalking, some place blame on the automakers for enabling harassers.[33] In 2020, a woman in San Francisco brought claims of assault and sexual battery against her husband, and a claim of negligence against Tesla for providing her husband access to her car despite her restraining order against him.[34] The woman and the police officer investigating her case requested remote-access logs to prove that her husband used the connected app to find her, but Tesla informed them that these logs were only saved for seven days.[35] As a result, Tesla prevailed at trial because the woman could not bring forward sufficient proof that her husband used the connected app to stalk her.[36]
California Consumer Privacy Act
The California Consumer Privacy Act was adopted in 2018 and grants certain privacy rights to California consumers, “including the right to know personal information collected about them by businesses, the right to delete that information, and the right to stop its sale or sharing.”[37] The California Consumer Privacy Act is implemented and enforced by the California Privacy Protection Agency, an independent data protection authority. The California Privacy Protection Agency recently announced that it would be evaluating the data privacy practices of connected carmakers, remarking on the “wealth of information [collected by connected cars] via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle.”[38]
The Alliance for Automotive Innovation, a technology trade group composed of automakers, advocates against the California Consumer Privacy Act and argues that the law may actually be misused by perpetrators of domestic violence.[39] The Alliance for Automotive Innovation warns that a car owner may improperly request personal data on a co-owner/user of the same vehicle, using that information to then stalk and harm their spouse.[40]
Safe Connections Act
The Safe Connections Act, among other things, permits “survivors of domestic abuse to separate a mobile phone line from an account shared with an abuser.”[41] The Safe Connections Act was passed to address situations where an abuser shares a phone service contract with their victim and therefore has access to sensitive information about the victim.[42] In February 2023, the Federal Communications Commission (FCC) began promulgating rules to implement the Safe Connections Act and sought comments on how best to help survivors.[43]
In particular, the FCC sought comments on how the Safe Connections Act could be implemented to protect domestic violence survivors from the potential harms of connected cars.[44] FCC Chair Jessica Rosenworcel acknowledged the importance for survivors to have access to a car disconnected from their abusers: “A car is a critical lifeline that can give survivors a way to escape their abusers, gain independence, and seek support…survivors of domestic abuse shouldn’t have to choose between giving up their vehicle and feeling safe.”[45] Accordingly, Rosenworcel stressed the need for automakers and connected technology manufacturers to understand the ways in which connected cars can be used by bad actors to stalk, harass, and intimidate.[46]
In response to the FCC’s request for comments, a coalition of anti-domestic violence advocacy groups and data privacy groups argued that the best way for the FCC to protect survivors is to encourage minimal data collection and implement data protection protocols when data collection and retention are necessary.[47] In particular, the coalition explained how, in recent years, best practices in data protection have changed: whereas the old practice was to notify users and request their consent to collect data, the new practice should be to avoid collecting sensitive data in the first place and, for data that must be collected, to use secure storage protocols.[48]
IV. Conclusion
Car users’ discomfort with extreme amounts of data collection is justified by the various risks flowing from leaks or misuse of this data.[49] Automakers like Tesla and Toyota have a track record of leaking their own users’ data.[50] Further, domestic abusers have used connected car services to stalk and harass their victims.[51] State laws like the California Consumer Protection Act may protect users from data privacy invasions through connected cars, and federal rules like the Safe Connections Act will hopefully provide security against the use of connected cars for stalking and harassing.[52]
[1] Cheryl Winokur Munk, New cars are now ‘the worst’ products when it comes to protecting consumer data, CNBC (Mar. 23, 2024, 9:34 AM), https://www.cnbc.com/2024/03/23/how-to-stop-your-internet-connected-car-from-selling-your-driving-data.html.
[2] Meet Android Auto, Android, https://www.android.com/auto/ (last visited Apr. 5, 2024); CarPlay, Apple, https://www.apple.com/ios/carplay/ (last visited Apr. 5, 2024).
[3] Kashmir Hill, Your Car Is Tracking You. Abusive Partners May Be, Too, N.Y. Times (Dec. 31, 2023), https://www.nytimes.com/2023/12/31/technology/car-trackers-gps-abuse.html; Munk, supra note 1.
[4] Munk, supra note 1; Connected Car Disconnect: 65% of U.S. Drivers Don’t Understand ‘Connected Cars’ but Many Will Trade Data for Personalization, Salesforce (Jan. 8, 2024), https://www.salesforce.com/news/stories/connected-car-research/.
[5] Connected Car Disconnect, supra note 4.
[6] Id.
[7] Automotive Infotainment Systems Market, Straits Research, https://straitsresearch.com/report/automotive-infotainment-systems-market (last visited Mar. 29, 2024).
[8] Android, supra note 2; Apple, supra note 2.
[9] Apple, supra note 2.
[10] Automotive Infotainment Systems Market, supra note 7.
[11] Kyle Stock, Are Car Touch Screens Getting Out of Control?, Bloomberg (Feb. 13, 2023), https://www.bloomberg.com/news/features/2023-02-13/are-car-touch-screens-getting-out-of-control?embedded-checkout=true.
[12] FordPass, Ford, https://www.ford.com/support/category/fordpass/ (last visited Mar. 29, 2024); Connected Services, Toyota, https://www.toyota.com/connected-services/ (last visited Mar. 29, 2024).
[13] Ford, supra note 12.
[14] Toyota, supra note 12.
[15] What is Connected Services?, Mopar, https://www.mopar.com/en-us/technology/uconnect.html (last visited Mar. 29, 2024).
[16] Jen Caltrider et al., What Data Does My Car Collect About Me and Where Does it Go?, Mozilla (Sep. 6, 2023), https://foundation.mozilla.org/en/privacynotincluded/articles/what-data-does-my-car-collect-about-me-and-where-does-it-go/.
[17] Privacy Notice, Toyota (Sep. 8, 2023), https://www.toyota.com/privacyvts/.
[18] Connected Vehicle Privacy Notice, Ford, https://www.ford.com/help/privacy/#connectedvehicleprivacynotice (last visited Mar. 29, 2024); Privacy Notice, supra note 17.
[19] Caltrider, supra note 16.
[20] Id.
[21] Id.
[22] Steve Stecklow, Waylon Cunningham, & Hyunjoo Jin, Tesla workers shared sensitive images recorded by customer cars, Reuters (Apr. 6, 2023), https://www.reuters.com/technology/tesla-workers-shared-sensitive-images-recorded-by-customer-cars-2023-04-06/.
[23] Id.
[24] Id.
[25] Zack Whittaker, Toyota Japan exposed millions of vehicles’ location data for a decade, TechCrunch (May 12, 2023, 8:20 AM), https://techcrunch.com/2023/05/12/toyota-japan-exposed-millions-locations-videos/.
[26] Id.
[27] Hill, supra note 3.
[28] Id.
[29] Id.
[30] Id.
[31] Id.
[32] Id.
[33] Id.; Kristina Cooke & Dan Levine, An abused wife took on Tesla over tracking tech. She lost, Reuters (Dec. 19, 2023, 10:48 AM), https://www.reuters.com/technology/an-abused-wife-took-tesla-over-tracking-tech-she-lost-2023-12-19/.
[34] Cooke, supra note 33.
[35] Id.
[36] Id.
[37] CPPA to Review Privacy Practices of Connected Vehicles and Related Technologies, Cal. Priv. Prot. Agency (Jul. 31, 2023), https://cppa.ca.gov/announcements/2023/20230731.html.
[38] Id.
[39] Cooke, supra note 33.
[40] Id.
[41] FCC Adopts Rules Implementing the Safe Connections Act for Survivors of Domestic Abuse, Fed. Commc’n Comm’n (Nov. 17, 2023), https://www.fcc.gov/consumer-governmental-affairs/fcc-adopts-rules-implementing-safe-connections-act-survivors-domestic-abuse.
[42] H.R. Rep. No. 117-438, at 7 (2022).
[43] Lauren Feiner, New regulations could stop abusers from stalking via connected cars, The Verge (Feb. 28, 2024), https://www.theverge.com/2024/2/28/24085723/fcc-domestic-abuse-survivors-connected-cars-proposed-rule.
[44] Id.
[45] FCC Chairwoman Calls on Agency to Help Stop Abusers From Using Connected Cars to Harass and Intimidate Their Partners, Fed. Commc’n Comm’n (Feb. 28, 2024), https://docs.fcc.gov/public/attachments/DOC-400812A1.pdf.
[46] Id.
[47] In the Matter of Supporting Survivors of Domestic and Sexual Violence (NOI), Elec. Priv. Info. Ctr. (Aug. 18, 2022), https://epic.org/documents/in-the-matter-of-supporting-survivors-of-domestic-and-sexual-violence/.
[48] Id.
[49] Hill, supra note 3; Stecklow, supra note 22; Whittaker, supra note 25; Cooke, supra note 33.
[50] Stecklow, supra note 22; Whittaker, supra note 25.
[51] Hill, supra note 3; Cooke, supra note 33.
[52] CPPA to Review Privacy Practices of Connected Vehicles and Related Technologies, supra note 37; FCC Chairwoman Calls on Agency to Help Stop Abusers From Using Connected Cars to Harass and Intimidate Their Partner, supra note 45.