Data privacy: "It’s time to treat your car like a smartphone"
Connected and automated cars will collect enormous amounts of data. In an exclusive interview, we asked Lauren Smith, a U.S. data privacy expert, how customers can keep control over their data – and what price we must pay for increased road safety.
2025AD: With cars becoming connected and autonomous, the amount of data collected is steadily increasing. Are consumers aware of this fact?
Lauren Smith: The existence of data in the car is not a new phenomenon. Event data recorder and onboard diagnostics have been in cars for decades. But in the past few years there has been an explosion in the variety, the connectivity and the volume of data. Cars are no longer simply mechanical chassis that take us from point A to point B. It’s time for people to treat their cars like a computer or a smartphone. If you sell your car or return your rental car, you should think about which data you might want to delete.
2025AD: Has the law kept up with this rapid technological development?
Smith: The good news is: while this is a shift in the auto industry, the data privacy questions we are encountering are not unique to cars. Cars are just another item in the Internet of Things. Other sectors already have tackled some of the issues surrounding data privacy management and regulatory infrastructure.
2025AD: Do we need a general approach or a specific approach for data privacy in cars?
Smith: In Europe, the General Data Protection Regulation will lead to many changes around consumer privacy, and cars companies will likely be impacted by it. In the U.S. we don’t have an overall privacy law. The Federal Trade Commission (FTC) has evolved as the main consumer agency that protects consumers against unfair or deceptive trade practices. Because of the way the FTC works, a self-regulatory system has developed. In 2014, nearly every automaker agreed to a set of best practices on how they would handle consumer data. For instance, they need to get the customer’s consent before using sensitive data for marketing or before sharing it with unaffiliated third parties for their own use. The FTC can hold those companies accountable to make sure that they live up to those promises. The challenge with any prospective laws is that the industry is changing so rapidly. It will be difficult to pin down a precise set of rules.
2025AD: Do you feel that car companies are fulfilling their responsibility to keep consumer data private?
Smith: A report of the Government Accountability Office (GAO) found that most of the automakers do limit data collection, use, and sharing in accordance with privacy best practices. However, their privacy notices are difficult to understand for consumers. They do not specify data sharing and use practices, and they offer limited individualized controls to consumers. In the end, consumers had trouble understanding how they can limit the data that is being shared.
2025AD: Should car owners have full control over their data?
Smith: There will be areas where it will be difficult to provide opt-outs for consumer, such as for a growing number of safety technologies that rely on vehicle data. For example, the Department of Transportation has proposed to make vehicle-to-vehicle communication mandatory. In cases like this, safety considerations might outweigh consumer choice. But for services that are not safety critical, like infotainment, we should provide choice and transparency to consumers.
2025AD: Are we seeing opportunities for new business models arise?
Smith: McKinsey has predicted that the car data industry could be worth 750 billion U.S. dollars by 2030. Intel and Warner Bros. recently announced that they will create in-cabin entertainment for self-driving cars. There is certainly potential for more personalized services. We may opt in for services that connect to mapping and recommend a coffee shop. One could imagine a situation where recommendations could be based on your personal history or on marketing partnerships – so you might not be recommended the closest coffee shop.
2025AD: How can carmakers create transparency for consumers so they know what they are opting into?
Smith: We need to do everything we can to make it understandable to consumers. We need to go beyond the long legal, technical explanations. And we need to create more flexibility. On my mobile phone, I can go to the app store und download the app that I want. I can control whether that app gets access to my location data or not. If I don’t want it anymore, I can delete it. We often don’t have that kind of control in car software. Creating choice wherever possible would be very important. Part of the challenge is the complexity of the car ecosystem.
2025AD: What do you mean by ‘car ecosystem’?
Smith: A lot of car buyers are making their decision at the car dealership. So even if carmakers offer good explanations on their website, each individual dealership may not be able to answer all the questions consumers might have. We partnered with the National Auto Dealers Association to come up with a template Consumer Guide that they could hand out to consumers. The Guide explains in plain language what data the car might collect and what it may use it for. It details the protections that exist around that data and provides checklist of what you might think of when you sell your car to ensure that it is cleared of sensitive information.
2025AD: There are already successful start-ups selling car data. One of them is Otonomo. The start-up argues its focus is on using anonymized, aggregated customer data for the greater good — such as improving transportation, reducing emissions and saving lives with automatic crash detection. What do you say to that?
Smith: It’s important to recognize there are a lot of different types of data. Location data that can be linked to individuals could be considered more sensitive, as well as behavioral data like driving habits or biometric data. Those require a higher level of consent before the data can be shared. We don’t know exactly what types of data Otonomo is collecting. But I am sure many of their use cases could not be linked back to one single person. For instance, cities will use a lot of information collected by connected cars to help them understand how people travel, how to avoid congestion or how to improve services.
2025AD: Do we need to share more of our data to make traffic safer?
Smith: Human error is a cause in 94% of car crashes. A growing number of driver assistance technologies help mitigate that error. Especially for autonomous driving, a lot of data will be needed to train the algorithms that will increase safety. In the process your car will learn more about you, but what it learns might save your life.
2025AD: Will law enforcement or governments be able to make use of the data?
Smith: As with other technologies, law enforcement will likely be able gain access to stored data if there is proper legal process. But we have long had unique rules for privacy regarding law enforcement in the automobile context, so we will have to see how these debates develop.
2025AD: How might that look in a driverless car context?
Smith: Law enforcement may want to be able to immobilize an autonomous vehicle. Or if certain information is only on the vehicle itself, you could run into questions about encryption, like the Apple/FBI encryption debate. This could wind up being a cybersecurity issue. If you enable access for law enforcement, are you creating a vulnerability for other hackers, too?
2025AD: If you could create an ideal legal framework, how might it look?
Smith: Transparency, choice, and control are key. Consumer education is really important. We need to provide user-friendly information in plain language. We need websites where you can access to compare the OEM’s different privacy practices. And creating understandable, changeable, user-friendly options wherever possible will be critical.
About our expert:
Lauren Smith, is Policy Counsel at the Future of Privacy Forum (FPF), where she focuses on big data and the Internet of Things as related to connected cars, data ethics, algorithmic decision-making, and drones. Prior to working at FPF, Lauren was a Policy Advisor in the White House Office of Science and Technology, where she played a core role in the White House Big Data report, the launch of the Precision Medicine Initiative, and policy initiatives around privacy, intellectual property, regulatory policy, and innovation for global development. Lauren is a graduate of Wesleyan University and the UC Berkeley School of Law, where she earned a Certificate in Law and Technology.