GAO: Feds lag in vehicle data policy

As the auto industry evolves and more vehicles are outfitted with smart capabilities, consumers can expect more of their personal information to be collected and shared.

There's no uniform standard, but automakers report collecting data on location, driver behavior, vehicle health and driver use of onboard entertainment and communications. Data can be used to support roadside assistance plans, conduct usability and other product research, and even market products and services to motorists.

The federal government’s role in overseeing that data collection is unclear, as are rules for storing and sharing such information.

According to a recent Government Accountability Office report, the National Highway Traffic Safety Administration and the Federal Trade Commission are best positioned to take on the vehicle safety and consumer protection challenges.

Auditors said NHTSA needs to better define and communicate its own policies for connected vehicle data. The agency mandates safety standards for passenger vehicles and can issue voluntary safety guidance, but it has no clearly defined regulatory responsibilities for consumer privacy.

The agency is wading into the regulatory challenges posed by vehicle-to-vehicle communications technology. In a proposed rule mandating V2V technology, NHTSA sounded an optimistic note about the promise of such communications to improve road safety but noted that various challenges, including cybersecurity and privacy, "could prevent this promising safety technology from achieving sufficiently widespread use throughout the vehicle fleet to achieve these benefits."

Paul Brubaker, president and CEO of the Alliance for Transportation Innovation, agreed that NHTSA needs to clarify its role with regard to privacy policy but cautioned that limits should not be imposed on the data vehicles can collect.

"Anything that would have a chilling impact on the ability to gain situational awareness or improve safety is a bad thing," he said. "I'm for more data use, not less."

Privacy concerns are "not a simple subject," Brubaker acknowledged, but he urged greater use of anonymized data with the caveat that driver safety remain the priority. "If there is a safety of life deficiency identified to a particular [vehicle], wouldn't you want to be informed?" he asked.

"I don't want NHTSA calling for all of the data coming off of the vehicles," he said. Instead, he'd like to see "an independent, third-party, nongovernment entity accessing the data, performing the analysis and informing NHTSA. The analysis can also be subject to independent audit and/or peer review."

But the effort is not solely up to NHTSA because the FTC has the authority to take legal action against companies over privacy matters, and it has a recent focus on safeguarding consumer privacy issues that are emerging as challenges from the constellation of connected devices in the internet-of-things sector.

Generally, the FTC has been wary of such regulation. An agency spokesperson told FCW that the FTC is reviewing the report and will work with NHTSA and other federal partners.