Passenger and fleet vehicles collect several types of data, including geolocation data. Vehicle geolocation data support features such as navigation, emergency response services, vehicle tracking applications, personalized insurance rates, and fleet management tools. Automotive manufacturers, data brokers, insurance companies, and law enforcement are examples of entities that may access and use geolocation data for a variety of purposes.

Concerns about vehicle geolocation data collection include sensitive location tracking, data overcollection and retention, consumer awareness and consumer choice issues, data brokers’ access, and data disclosure to law enforcement or other governmental entities. Vehicle geolocation data used to track a consumer’s location may present risks that involve stalking, domestic violence, or threats from foreign adversaries. Consumers who choose to not share optional geolocation data may not realize that this choice may inhibit certain vehicle features. Consumers who share vehicle geolocation data may choose to do so on the basis of incomplete or misleading information in privacy policies and disclosures. Data brokers may facilitate the exchange of data to entities seeking to gain insights into marketing and analytics for commercial purposes or for activities such as monitoring traffic patterns and road conditions for public applications; these purposes could also make data accessible to bad actors. Law enforcement and other governmental entities might access geolocation data without a warrant, which may support them to identify a suspect’s location while potentially presenting Fourth Amendment issues and exposing consumers to further tracking and risks.

Some stakeholders in the automotive industry voluntarily created a set of principles to regulate collection of consumer data. These principles require automotive manufacturers and suppliers to, for example, inform consumers about vehicle geolocation data being collected, obtain consent prior to data collection, and require a warrant or court order from law enforcement or other governmental entities when requesting such data. The automotive industry employs various measures to minimize risks associated with collecting geolocation data (e.g., de-identification), but data may be difficult to anonymize in some circumstances.

Several agencies share federal oversight and action related to vehicle geolocation data: the Federal Trade Commission (FTC), National Highway Traffic Safety Administration (NHTSA), Department of Commerce (DOC), Federal Communications Commission (FCC), and Department of Justice (DOJ). The FTC has several authorities related to vehicle geolocation data, including oversight of consumer disclosure practices and limiting of foreign adversaries’ access to these data. NHTSA’s most relevant responsibility related to vehicle geolocation data collection is its jurisdiction over motor vehicle safety. Relevant action from DOC includes a rule that bars the sale and import of certain connected vehicle technologies. The FCC has several authorities over dissemination of vehicle geolocation data and has proposed a rule that would disable connected vehicle services that may present risks for domestic-abuse survivors. The FCC also maintains a covered equipment list of technologies that pose certain security risks. DOJ has issued a rule that prevents the bulk exchange of personal data, including precise geolocation data, with foreign adversaries and other covered persons.