FTC Testifies on Proposed Legislation Addressing Privacy and Security in Connected Automobiles

In testimony before Congress today, the Federal Trade Commission provided feedback on proposed legislation to address privacy and security concerns around the growth of so-called “connected cars.”

Testifying on behalf of the Commission, Maneesha Mithal, associate director of the FTC’s Division of Privacy and Identity Protection, highlighted the FTC’s history as the nation’s lead privacy and data security enforcement agency and noted a number of concerns with the proposed legislation.

The testimony before the Subcommittee on Commerce, Manufacturing and Trade of the House Energy and Commerce Committee noted that the Commission has been actively examining privacy and security issues related to connected cars, specifically pointing to discussion at a recent Commission workshop as well as a comment from the FTC to the National Highway Traffic Safety Administration on its proposed vehicle-to-vehicle privacy and data collection rulemaking.

In regards to the proposed legislation, the testimony noted that it “could substantially weaken the security and privacy protections that consumers have today.”

The testimony stated that the proposed safe harbor for auto manufacturers who submit privacy policies to the Department of Transportation was possibly too broad, allowing manufacturers a safe harbor from FTC enforcement actions even for privacy policies that significantly limit consumer protections, and even if they do not follow the terms of the privacy policies they submit. In addition, the safe harbor would prevent the FTC from taking action related to privacy issues beyond a manufacturer’s cars, including its use of consumer data collected from its websites. Finally, the safe harbor would allow manufacturers to make changes to privacy policies that would apply retroactively to consumer data that was collected previously.

The testimony also expressed support for the goal of deterring criminals from accessing vehicle data. The testimony noted, however, that portions of the proposed legislation related to hacking would reduce researchers’ incentive to seek out privacy and security vulnerabilities in consumer products, and that the work of these researchers has been important to enhancing consumer security.

The testimony also expressed concern with provisions of the draft legislation regarding the creation of a council to develop cybersecurity best practices for the industry. Specifically, the council, which would operate by a simple majority, would include enough industry representatives that they could act without support from government or consumer advocates on the council. In addition, the legislation does not require the council to address particular areas for best practice, and creates an overly broad safe harbor, according to the testimony.

The Commission vote approving the testimony and its inclusion in the formal record was 4-0.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.