In a recently published “Staff Perspective,” the Federal Trade Commission (FTC) appears to be staying true to the regulatory humility approach Acting Chairman Maureen K. Ohlhausen underscored in her opening remarks to the connected cars and autonomous vehicles workshop the FTC co-hosted with the National Highway Traffic Safety Administration (NHTSA) last summer. The Consumer Protection Bureau of the FTC ultimately distills the privacy and data security workshop that covered a wide range of existing and future connected car technologies from infotainment systems such as GM’s new Marketplace feature to vehicle-to-vehicle and vehicle-to-infrastructure (such as traffic lights and cameras) communications capabilities to fully automated “driverless” vehicles down to the following takeaway: Connected vehicles will generate – and businesses will collect – a vast amount of aggregated, non-sensitive and sensitive data, which may lead to privacy risk due to unexpected uses and data security risk.
Last June, Chairman Ohlhausen emphasized the importance of consumer and business education and claimed the FTC will use its civil law enforcement authority under Section 5 of the FTC Act where necessary and appropriate against connected car manufacturers (as it has done in the context of connected routers, cameras and TVs) and potentially against service providers; however, Chairman Ohlhausen also reminded regulators to take into account the benefits of connected cars when considering a regulatory approach to the industry and to collaborate to avoid hindering innovation through unnecessary or duplicative regulation. In particular, Chairman Ohlhausen mentioned that the FTC aims to exercise its authority “responsibly” while avoiding overlap with NHTSA. The Department of Transportation released NHTSA’s Automated Driving Systems: A Vision for Safety 2.0 guidance last September, focusing on safety and deferring to the FTC on matters of consumer privacy. Version 3.0 is underway, and the agency published a notice for public comment on Removing Regulatory Barriers for Automated Vehicles on January 10, 2018.
In addition to general FTC guidance such as Start with Security and Careful Connections and NHTSA safety guidelines, industry groups have created Consumer Privacy Protection Principles for Vehicle Technologies and Services and an Auto-ISAC to share cybersecurity information, the UK has published The Key Principles of Vehicle Cyber Security for Connected and Automated Vehicles, and the 39th International Conference of Data Protection and Privacy Commissioners adopted a Resolution on Data Protection in Automated Vehicles specific to the connected car and automated vehicle industry. In the current regulatory environment in which there are no federal laws enacted that specifically address privacy and data security in the context of connected cars and autonomous vehicles, companies are encouraged to innovate but cannot lose sight of the FTC’s jurisdiction over unfair or deceptive practices – they aren’t afraid to use it.