Bipartisan Bill Introduced to Protect Consumers' Privacy and Vehicle Data

On December 18, 2024, Senators Mike Lee (R-UT) and Jeff Merkley (D-OR) introduced the bipartisan Auto Data Privacy and Autonomy Act (the Bill) to restore vehicle owners’ control over their personal data.  Representative Eric Burlison (R-MO) leads the companion bill in the House of Representatives.

The text of the Bill outlines that the Bill is seeking to “prevent covered vehicle manufacturers from accessing, selling, or otherwise selling certain covered vehicle data, and for other purposes.” According to a Press Release from the Senators, connected vehicles are projected to make up 95% of all new vehicles on the road by 2030.  The Bill provides vehicle owners with essential rights and protections by:

• Requiring Informed Consent: Mandating that original equipment manufacturers (OEMs) establish opt-in features for vehicle data collection.
• Restricting Data Sharing: Prohibiting OEMs from sharing, selling, or leasing collected customer data without explicit consent, with narrow exceptions required by law.
• Protecting National Security: Barring data sharing with adversarial nations.
• Ensuring Transparency: Directing the Federal Trade Commission (FTC) to report to Congress on data collection practices.
• Empowering Owners: Allowing vehicle owners access to their vehicle’s data through technology-neutral standards set by the National Institute of Standards and Technology (NIST).
• Enabling Data Deletion: Giving owners the right to delete their data after connecting to a vehicle.
• Balancing Interests: Protecting OEM confidential business information while safeguarding consumer rights.

The Bill also requires the FTC to submit a report (the Report), within 180 days after the date of enactment, on the current practices employed for "operator data" to the Senate Committee on Commerce, Science, and Transportation and the House Committee on Energy and Commerce. Pursuant to the Bill, ‘‘operator data’’ is defined as:

1. all electronic data generated or processed onboard a covered vehicle, such as data generated by sensors, receivers, computer processing units, or other vehicle components; and 
2. data stored in a covered vehicle generated by the user of such covered vehicle. 

The Report will require the FTC to outline:

1. the types of such data that a manufacturer of a covered vehicle accesses; 
2. the individuals and entities, other than a manufacturer of a covered vehicle, that access such data; 
3. the Federal or State government entities that access such data and how such entities use such data; 
4. the individuals and entities to whom such data may be sold or otherwise shared;
5. the foreign governments to whom such data may be sold or otherwise shared and how such data is used by such foreign governments; 
6. the cybersecurity capabilities and risks associated with covered vehicles; and  
7. occurrences of such data being compromised, including the prevalence of such occurrences and any entities with ties to foreign governments associated with such occurrences. 

Within one year after the FTC submits the Report(s), the Bill would require the FTC, NIST director, vehicle manufacturers, vehicle owners, and other agencies, as necessary, to collaborate to establish one or more standards for a technology-neutral, standards-based, secure interface. The standards decided on would be reviewed in five years and then every five years thereafter.