March 12, 2025 - "Connected" vehicles offer a new frontier of consumer convenience and features that would have seemed like science fiction in the 20th century. Location-based services like navigation and smart routing. Sophisticated sensors and telematics systems that improve driving safety and vehicle diagnostics. In-vehicle entertainment and communications services. Even over-the-air updates that bring new and updated features to cars while their owners sleep, transforming every vehicle into a car of the future. It's clear that connecting vehicles to the internet offers enormous benefits.
But with these benefits come concerns. Some policymakers are concerned about foreign countries gaining access to U.S. data or remote control of U.S. vehicles. And others are concerned about privacy and security of certain vehicle data when shared with third parties.
In this article, we discuss government efforts in 2024 to address data privacy and security concerns involving connected cars, and government action we're likely to see in 2025.
A range of government actors have weighed in on these issues in the last year. These include the Federal Communications Commission (FCC), Federal Trade Commission (FTC), Commerce Department, Texas Attorney General (Texas AG), and federal and state legislators. And with bipartisan interest in privacy and national security issues, we expect continued focus on connected vehicles in 2025.
National security concerns are driving Commerce Department actions
The Commerce Department's Bureau of Industry and Security (BIS) recently adopted rules that will restrict use of parts that could allow certain foreign governments to access U.S. vehicle data. This proceeding, initiated in February 2024, implements a 2019 Executive Order directing the Secretary of Commerce to prohibit transactions involving information and communications technology or services (ICTS) that pose national security risks.
The final rule, issued on Jan. 14, 2025, prohibits the sale and import of passenger vehicles that incorporate hardware or software for connected vehicle and autonomous driving systems that was produced by entities subject to the jurisdiction of the People's Republic of China (PRC) or Russia.
Because both the PRC and Russia require companies to cooperate with their state security services, Chinese or Russian automakers or suppliers could be forced to turn over sensitive data or even provide remote access to U.S. vehicles. Indeed, the final rule appears to ban even domestic manufacturers from building vehicles in China.
The rule is scheduled to go into effect March 17, 2025. For additional details on this BIS rule, please see this prior article by co-author Sara Baxenberg.
Federal and state agencies focus on sharing of sensitive driver data
Agencies also took action in 2024 to address concerns about the sale of connected vehicle data. In June, the Texas AG announced an investigation of "several" car manufacturers for selling consumer data to third parties, including insurance companies' vendors. This investigation was followed by an enforcement action that is currently being contested.
The director of the California Consumer Privacy Protection Agency also acknowledged ongoing investigations of compliance in the connected vehicle industry.
In December, the FTC announced a settlement with an automaker to resolve a case with similar allegations. Both the Texas AG and FTC actions were based on consumer protection principles under unfair and deceptive practices laws, including allegations about statements in the terms of service.
The FTC action also broke new ground by explicitly alleging driver behavior data is "sensitive" consumer data, which is typically subject to heightened protections. Together, the Texas AG and FTC actions help establish a roadmap for how these agencies are looking at sharing of driver data.
Separately in 2024, then-Chair of the FCC Jessica Rosenworcel sent letters to nine of the largest automakers in the US market. Those letters asked automakers for details about their connected cars and policies for handling geolocation data and for responding to requests to disconnect domestic abusers' access to vehicles shared with former partners.
Following those letters, the FCC launched a connected vehicles rulemaking. The proceeding asks whether FCC rules implementing the Safe Connections Act (SCA), which protects against harassment of domestic violence victims through shared mobile plans, should be extended to cover connected cars.
In response, automakers explained that many manufacturers already have policies that address these issues. Rather than try to read the SCA as covering connected cars, automakers have instead proposed adopting legislation more narrowly tailored to this issue. The FCC's rulemaking remains pending.
Legislative developments echoed these data privacy and national security concerns
Amidst 2024's wave of attention on connected car privacy issues, several states passed or proposed specific automotive data privacy laws. California passed SB 1394, which requires automakers to facilitate domestic violence survivors terminating their abusers' remote access to the vehicle, and to provide a mechanism for turning off location access from inside the car.
And a proposed Tennessee bill, HB 2615, would have established a "Do Not Sell or Release Register" that would allow purchasers of new motor vehicles to object to the sale of their personal data and information.
Federal legislators also were active in 2024. Senator Jeff Merkley co-sponsored two bills addressing connected cars issues, including bipartisan legislation with Senator Mike Lee called the Auto Data Privacy and Autonomy Act. That bill would have prohibited sharing or selling driver data without express consent from the vehicle's owner, and sharing of consumer personally identifiable information with the PRC, Russia, and other foreign states. It also included preemption language that would invalidate state laws with stricter standards.
What can we expect next
From the enforcement agencies, we expect continued interest in connected cars. At the FTC, disclosure and sale of location and other sensitive data have been bipartisan priorities for the agency, and enforcement interest is likely to continue. The Texas AG also remains engaged in these issues, and other states have shown an interest and could pursue similar legal theories as well.
From the Commerce Department, despite the Trump administration's 60-day freeze on rules adopted at the end of the Biden Administration, BIS has not publicly postponed the connected vehicle rule. Assuming it goes into effect, compliance with various aspects of the rule will begin with model year 2027 vehicles. President Trump's "America First" trade policy memorandum also directs the Secretary of Commerce to review the connected vehicle rulemaking and "consider whether controls on ICTS transactions should be expanded to account for additional connected products."
One area to watch at the FCC is its "Covered List," a list of communications equipment and services identified as national security threats. The FCC may consider updating the Covered List based on BIS's findings on Chinese and Russian connected and autonomous vehicle technology.
Because Covered List equipment is ineligible to receive FCC authorization necessary for sale in the US, this could result in significant additional restrictions on such technology beyond those imposed by the BIS rule, like banning use in vehicles over 10,000 pounds and in upgrades to cars already on the market. New FCC Chairman Brendan Carr has repeatedly emphasized the FCC's role in addressing foreign adversary threats to communications technology.
Thus, automakers and connected car stakeholders can expect that the themes that drove connected car activity in 2024 are likely to continue to drive policy in 2025.
Duane Pozza, head of Wiley's FTC regulation practice, contributed to this article.
Commentary - Attorney Analysis from Westlaw Today, a part of Thomson Reuters.