On November 21, the Director of the Bureau of Consumer Protection of the Federal Trade Commission commented on the National Highway Traffic Safety Administration’s Federal Automated Vehicles Policy.  The Director opened the comment with a brief review of the FTC’s focus on privacy and security efforts related to connected devices and the Internet of Things:  (1) enforcement actions against manufacturers of connected devices; (2) writing reports and holding workshops to discuss privacy issues with connected devices; and (3) consumer and business education on privacy and data security issues. 

The Director’s comments on the NHTSA’s Policy were positive in nature and focused on four key themes that are prevalent throughout the FTC’s privacy and data security activities.  First, the Director recognized the challenging privacy issue that data sharing can bring.  On the one hand, data sharing, particularly with respect to performance information of autonomous vehicles, could give industry participants a wealth of knowledge from which a variety of issues may be addressed that may not become as readily apparent if the information were not shared.  On the other hand, depending on the nature of the information that is shared, consumer privacy issues may arise.  Thus, the Director and the NHTSA acknowledged that stripping the personally identifiable information of consumers from the data collected through autonomous vehicles would help to protect consumer privacy while still allowing the manufacturers (and consumers) to realize the benefits of sharing this valuable information.  

Second, the Director noted the importance of requiring vehicle manufacturers to publish public-facing privacy policies focused on FTC guidance and the Consumer Privacy Bill of Rights.  Importantly, companies should accurately state their information collection and use practices in their privacy policies, or potentially face an enforcement action by the FTC.  

The Director’s third and fourth comments related to cybersecurity.  The Director commended the NHTSA Policy’s recognition of cybersecurity risks potentially posed by autonomous vehicles and its emphasis on the importance of product development in addressing threats and vulnerabilities.  In order to fully and completely address these threats and vulnerabilities, the Director agreed with the NHTSA that companies involved with autonomous vehicles should share their cybersecurity experiences throughout the industry.  As noted above, the more information that is shared, the greater the likelihood that the industry will be able to proactively identify threats and mitigate or prevent security incidents.  As long is the information is shared properly, antitrust issues are not likely to come into play, the Director noted. 

However, what standards the NHTSA and FTC will ultimately recommend remains to be seen.  Although both have clearly indicated that cybersecurity is important, government and industry are now locked in intense debates over whether “security and safety” also requires that companies share more user data with government than is typically required in other industries.  The outcome of such discussions will likely impact what technologies for cybersecurity are ultimately viable for automated vehicles.