Connected Cars and Data Security: A Look at 2024 and the Road Ahead for 2025
Connected vehicles promise a revolutionary shift in consumer experience, offering features that were once confined to science fiction. From navigation and smart routing to in-vehicle entertainment and over-the-air updates, the benefits of internet-connected cars are undeniable. However, these advancements also introduce significant concerns, particularly regarding data privacy, security, and potential foreign access to sensitive information.
This article examines the U.S. government’s efforts in 2024 to address these issues and provides insight into what we can expect in 2025.
Government Actors Weigh In
Over the past year, various government entities have been actively involved in addressing connected car concerns. These include the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), the Commerce Department, the Texas Attorney General (Texas AG), and both federal and state legislators. With bipartisan support for privacy and national security, it’s clear that connected vehicles will remain a focal point in the near future.
National Security Concerns Drive Commerce Department Actions
The Commerce Department’s Bureau of Industry and Security (BIS) has taken action to restrict the use of components that could allow foreign governments access to U.S. vehicle data. This follows a 2019 Executive Order aimed at preventing national security risks associated with information and communications technology or services (ICTS).
The final rule, issued on January 14, 2025, prohibits the sale and import of passenger vehicles incorporating hardware or software for connected vehicle and autonomous driving systems produced by entities under the jurisdiction of the People’s Republic of China (PRC) or Russia. The rule is scheduled to take effect on March 17, 2025.
This is a significant step, as both China and Russia require companies to cooperate with their state security services. This could potentially lead to the disclosure of sensitive data or remote access to U.S. vehicles. The rule’s implications also extend to domestic manufacturers building vehicles in China.
Federal and State Agencies Focus on Data Sharing
Agencies are also addressing concerns regarding the sale of connected vehicle data. In June 2024, the Texas AG announced an investigation of “several” car manufacturers for selling consumer data to third parties, including insurance company vendors. The investigation has led to ongoing enforcement actions.
The director of the California Consumer Privacy Protection Agency has also acknowledged ongoing investigations into compliance within the connected vehicle industry.
In December, the FTC reached a settlement with an automaker to resolve a case involving similar claims. Both the Texas AG and FTC actions are rooted in consumer protection principles related to unfair and deceptive practices, including potentially misleading statements in terms of service agreements. The FTC also broke new ground by explicitly classifying driver behavior data as “sensitive” consumer data, which typically requires heightened protections. These actions provide a helpful framework for understanding how these government bodies are assessing the sharing of driver data.
Separately in 2024, then-Chair of the FCC Jessica Rosenworcel sent letters to nine of the largest automakers in the U.S. market. The letters sought details about their connected car policies for handling geolocation data and responding to requests to disconnect domestic abusers from vehicles shared with former partners.
Following these letters, the FCC launched a rulemaking proceeding. This proceeding is questioning whether the FCC rules implementing the Safe Connections Act (SCA), which protects victims of domestic violence via mobile plans, should also cover connected cars. Automakers have responded that many manufacturers already have policies. Automakers have proposed adopting legislation more narrowly. The FCC’s rulemaking is ongoing.
Legislative Developments
Several states have either passed or proposed automotive data privacy laws. California passed SB 1394, which mandates that automakers assist domestic violence survivors in terminating their abusers’ remote vehicle access and provide a method to disable location access within the car.
Tennessee proposed a bill, HB 2615, which would establish a “Do Not Sell or Release Register,” enabling new vehicle purchasers to opt out of the sale or release of their personal data.
Federal legislators were also active in 2024. Senator Jeff Merkley co-sponsored two bills addressing connected car issues, including a bipartisan bill with Senator Mike Lee called the Auto Data Privacy and Autonomy Act. That legislation would prevent sharing or selling driver data without explicit consent and prohibit sharing consumer personally identifiable information with the PRC, Russia, and other foreign states. It would have also nullified state laws with more stringent standards.
What to Expect in 2025
Enforcement agencies are expected to continue their focus on connected cars. The FTC sees disclosure and sale of location and other sensitive data as bipartisan priorities. Enforcement interest is likely to continue. The Texas AG also remains actively engaged, and other states could pursue similar legal theories.
The Commerce Department’s BIS has not postponed the connected vehicle rule, despite the 60-day freeze on rules adopted at the end of the Biden Administration. Assuming it goes into effect, vehicle compliance with aspects of the rule will begin with model year 2027 vehicles. President Trump’s “America First” trade policy memorandum also directs the Secretary of Commerce to review the connected vehicle rulemaking.
One area to watch at the FCC is its “Covered List,” which includes communications equipment and services that are identified as national security threats. The FCC may update the Covered List based on BIS findings about Chinese and Russian connected and autonomous vehicle technology. Because Covered List equipment is ineligible to receive FCC authorization for sale in the U.S., this could create further restrictions on such technology like banning uses in vehicles over 10,000 pounds and in upgrades to cars already available. New FCC Chairman Brendan Carr has frequently emphasized the FCC’s role in mitigating foreign adversary threats to communications technology.
Automakers and other connected car stakeholders can anticipate that the themes that drove activity in 2024 are likely to continue to impact policy development in 2025.
Duane Pozza, head of Wiley’s FTC regulation practice, contributed to this article.
Opinions expressed are those of the author. They do not reflect the views of Reuters News, which, under the Trust Principles, is committed to integrity, independence, and freedom from bias. Westlaw Today is owned by Thomson Reuters and operates independently of Reuters News.
Ian Barlow, in Wiley’s telecom, media and technology practice, is a former senior FTC official and advises clients on regulatory issues related to connected cars, including data privacy, cybersecurity, and geolocation tracking, among others. He is based in Washington, D.C., and can be reached at [email protected].
Sara Baxenberg, in Wiley’s telecom, media and technology practice, co-leads the firm’s connected and autonomous vehicles practice. She advises clients on regulatory issues related to connected cars, including data privacy, cybersecurity, and spectrum access, among others. She is based in Washington, D.C., and can be reached at [email protected].
Josh Turner in Wiley’s telecom, media and technology practice, co-leads the firm’s connected and autonomous vehicles practice. He advises clients on regulatory issues related to connected cars, including data privacy, cybersecurity and spectrum access, among others. He is based in Washington, D.C., and can be reached at [email protected].
