Traffic Safety Agency Needs to Clarify Connected Car Authority, Audit Says

The government’s top car safety regulator is sending the auto industry mixed messages about its role regarding customer privacy protections for internet-connected vehicles, a government watchdog said Monday.

The National Highway Traffic Safety Administration has no specific authority to regulate how car companies treat consumers’ personal information, but the regulator is required to consider the way consumers’ privacy concerns will affect their willingness to accept new security mandates, according to a Government Accountability Office report.

NHTSA is also required to perform privacy impact assessments on all of its new safety regulations, the auditor said.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

That means the agency increasingly weighs in on privacy as internet technology creeps into more vehicle systems, but some car manufacturers are confused about the agency’s role.

In December, for example, the agency proposed a rule about vehicle-to-vehicle communications systems that track and share cars’ locations to help prevent accidents and ease traffic congestion. The rule urged car manufacturers to address consumer concerns about whether those systems might inappropriately share their location data. If consumers’ privacy concerns weren’t dealt with, they might be unwilling to buy cars that contributed to the systems, which NHTSA said would reduce the systems’ security benefits.

The agency also released a voluntary Federal Automated Vehicles Policy in September that included recommended privacy principles for automakers to adopt.

Those actions have “left stakeholders without a clear understanding of the agency’s role with respect to privacy,” GAO said. At least one unnamed industry group suspects the agency might be exceeding its authority when it comes to regulating privacy while others are unclear about precisely what authority the agency has, the auditor found.

Other car companies and associations were unclear about the extent to which NHTSA is working with other federal agencies with responsibility for privacy, such as the Commerce Department’s National Institute of Standards and Technology.

NHTSA officials acknowledged their actions might have caused some confusion, the auditor said.

The GAO study was based on interviews with 16 automakers and several industry associations and consumer privacy groups as well as reviews of those automakers’ privacy policies.

The review found no confusion among automakers about the Federal Trade Commission’s role concerning connected car privacy. The FTC has the authority to sue companies or individuals that engage in unfair or deceptive commercial practices, including practices related to connected car privacy.