Connected Cars: The legislative environment, potential reform and privacy issues

This resource article provides analysis on connected cars with a focus on Canada.

Published: June 2024


The digital transformation of the automotive industry brings many promises for a better future. However, cars, long a symbol of individual freedom, are becoming increasingly susceptible to undisclosed privacy risks. After smartphones, 21st century vehicles are among the connected devices people use most. A "connected car" can communicate with external systems to provide services or support driving functionality. Such cars give drivers access to additional features, help reduce carbon emissions, lower repair costs through over-the-air software updates and make driving safer. The global race to release increasingly automated vehicles to the market has accelerated in recent years. According to one estimate, 78 million cars on the road have embedded cellular connections. Consulting firm McKinsey predicted that by 2030, 95% of new vehicles sold globally will be connected cars.

Despite the widely recognized benefits, the privacy implications of connected cars have not been sufficiently examined, and legislative responses in Canada are still lacking. Although a 2022 survey found nearly 70% of Canadians consider privacy important and believe consumer data should be safeguarded, a 2023 survey by researchers at the nonprofit Mozilla Foundation found drivers of connected cars in North America have little to no control over the personal data collected by vehicles.

Furthermore, most drivers do not know what type and quantity of data is transmitted from their vehicles or who is collecting and analyzing it. Understanding the use and potential misuse of connected-car data, especially data that involves identifiable individuals within the meaning of Canadian law, is pivotal for the long-term success of this technology within the transportation industry.


Defining connected cars and their history

In 1996, General Motors became the first automaker to introduce connected-car features when it launched the OnStar system. Designed to enhance safety in an emergency, OnStar allowed medical help to reach drivers more quickly by routing emergency calls through a call center agent. By 2003, the technology had developed to the point where drivers could receive vehicle health reports and turn-by-turn directions. While connected cars originally collected only mileage and geolocation, the number of data points and the types of information collected have increased significantly in recent years. Currently, many companies collect and store information about passengers and pedestrians and have access to data from connected apps like Google Maps.

Connected cars can access a wide variety of data points. These include how users interact with their cars, the connected services used within those cars, the cars' apps and information from third-party sources like Google Maps or SiriusXM. Certain connected-car features that were new in 2015, such as lane-keeping assistance and automatic braking, have now become commonplace. Automakers are constantly identifying new opportunities to monetize the data collected from connected cars, often in partnership with technology companies like Google and Apple.

Types of data collected

The diversity of collected data points is important when considering the growing privacy risks associated with connected cars. A connected-car data platform called High Mobility lists 57 types of data categories, including driver fatigue, heart rate, seats and trips. The level of sensitivity of data collection was recently revealed to be much more intimate and intrusive than previously believed. In a recent evaluation of automakers' privacy policies, the Mozilla Foundation identified additional information collected by automakers, namely biometric, health, sexual and political data.


As the consumer desire for increased control over their data grows, and some jurisdictions release legislation mandating increased consumer control, there is also a trend in automaker policies to include increased customer data ownership and accountability in accordance with the EU General Data Protection Regulation. An example is BMW's European rollout of a service called CarData that operates in tandem with BMW's Connected Drive. This system allows for an opt-in process where BMW car owners can consent to share their telematics data with third parties. If customers opt in, BMW provides them with a data summary.

In the U.S., the privacy statements of GM's Chevrolet, Cadillac, GMC and Buick suggest "genetic, physiological, behavioral, and biological characteristics" data can be collected by cars. Furthermore, Nissan and Kia also reference the collection of "genetic information" in their privacy statements. Companies also suggest information can be inferred from existing data. Nissan, for example, indicates "sexual activity" and "intelligence" information can be extracted from personal data and shared with "marketing and promotional partners" for direct marketing purposes. The invasiveness of the quantity and intimacy of data collection is not apparent to most consumers.

One must consider the "reasonableness" requirement under Canada's Personal Information Protection and Electronic Documents Act to investigate this topic. Subsection 5(3) of PIPEDA states "An organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances." This provision has become a guiding principle for various PIPEDA provisions and must be considered in light of the underlying purpose of Part 1, which requires a balance between individuals' right to privacy concerning their personal information and organizations' need to collect, use or disclose personal information. Even if an individual has consented to the collection, use or disclosure of their personal information, an organization's obligation to adhere to Section 5(3) is ongoing.

The requirement means that even if connected-car companies obtain consent from consumers for extensive data collection, consent does not save a purpose that a "reasonable person" would find inappropriate. The reasonableness assessment applies a four-part test derived from R v. Oakes, which considers necessity, proportionality, effectiveness and minimal intrusiveness. However, within their privacy notices, many car companies are vague about their reasons for data collection or the scope of data collected. This lack of specificity makes it difficult to assess whether automakers of connected cars meet the Canadian privacy law's reasonableness standard.

Benefits of connected cars

There are several key benefits associated with connected cars. First, the technology improves safety by minimizing driver error and consequently reducing the incidence of collisions. For instance, vehicle-to-vehicle technology can warn drivers about collisions ahead or cars in their blind spots. There are also mobility benefits: drivers receive road navigation support, which helps roadways function more efficiently and causes fewer travel delays due to congestion. Vehicle-to-infrastructure technology can also help address environmental issues by reducing congestion and improving lane management, fuel use and, consequently, emissions.

The rise of third-party connected-car data and data intermediaries

As the demand for consumer data grows, intermediaries have developed to meet it. For example, Otonomo, an Israeli automotive technology company considered the first connected-car data marketplace, gives data buyers access to driver data sourced from automakers. Otonomo states that it keeps information anonymous and complies with the GDPR and the California Consumer Privacy Act. Further, Otonomo has stated it adheres to security best practices and that drivers can easily revoke its access to personal data. Despite such assurances, a San Francisco connected-car owner initiated a class-action lawsuit in the California Superior Court for the County of San Francisco, arguing he had not given Otonomo permission to collect and sell his GPS location data. The case was dismissed after Otonomo successfully argued the plaintiff had granted permission for the company to collect vehicle data and that, contrary to the plaintiff's allegation, it had not attached any device to the car. Despite the dismissal, concerns about the privacy practices of connected-car data brokers like Otonomo persist. A study of Otonomo's platform revealed that precise connected-car data from individuals is collected, including personal information such as where an individual lives, works and spends their time.

Increased data leads to new product development: Use-based insurance

An increase in the amount of data generated has also prompted the development of new products. An example is usage-based insurance, also known as black-box or telematics insurance. This newer insurance product relies on the significant amount of data produced by the sensors of connected cars. In exchange for giving insurers access to information such as speed, braking habits and miles traveled, drivers who exhibit safe driving behavior can be rewarded with savings on their premiums. Despite the significant benefits of telematics insurance, such as lower premiums and improved safety, consumers have been slow to adopt it. Since telematics insurance involves the collection and analysis of personal data, survey respondents cited privacy concerns as one of the primary reasons for hesitancy in signing up for usage-based insurance. In a study surveying businesses that owned vehicle fleets, 40% said their staff had expressed concerns about installing telematics in vehicles because of the privacy invasions associated with 24-hour tracking.

In 2024, New York Times technology writer Kashmir Hill told the story of Kenn Dahl, who experienced a 21% increase in the insurance premium for his Chevrolet Bolt despite never having had an accident. Under the Fair Credit Reporting Act, Dahl requested a consumer disclosure report from the risk solutions division of LexisNexis. He was shocked to learn that the data collected about his driving, which ran to 258 pages, included instances of speeding, hard braking and sharp acceleration. Obtaining meaningful consent is clearly one of the primary barriers to telematics adoption; as a consequence, insurance companies need to develop policy solutions that promote transparency in privacy policies, generate consumer trust and adequately address privacy concerns.

The rise of privacy as a feature

Strengthened privacy controls have become a key feature of connected devices, emphasized in marketing campaigns such as Apple's for the iPhone. Recently, car manufacturers have begun to follow suit, with Porsche announcing that the Taycan would include fine-grained privacy controls giving the customer more control and transparency than other cars do. However, privacy features used as marketing tactics to sell a car do not ensure that all manufacturers will develop consistent, effective privacy controls. This signals an ongoing gap in privacy legislation that marketing campaigns are being used to fill.


Privacy breaches involving connected cars

Recently, researchers have identified that most automakers collect significant quantities of personal data for purposes other than vehicle operation and management of customer relationships. According to one study conducted by the Mozilla Foundation, 84% of automakers sold or shared the personal data that was collected. The privacy policies of automakers have changed a few times in the past several years, generally for the better. However, they are still widely considered inadequate by researchers. After reviewing connected-car privacy policies and terms of service in Canada, British Columbia Freedom of Information and Privacy Association researchers found the industry violates data protection principles and requirements under Canadian data protection legislation.

Many agreements lack meaningful consent and force customers to agree to inappropriate and unnecessary uses of personal information, such as marketing. Furthermore, some privacy policies violate Canadian privacy law standards for openness, accountability, retention, use and disclosure of customer data.

Within original equipment manufacturer policies, automakers have made efforts to delineate their uses of personal data more clearly. However, many clauses within OEM policies are broadly articulated and continue to lack clarity. For example, some OEMs include broad purposes for collecting, using and sharing personal data, sometimes without specific details. There is a wide disparity among OEMs in terms of the adequacy of connected-car privacy policies and certain issues are evident across the board.

Privacy risks associated with front-facing cameras

Several brands have integrated interior, driver-facing cameras into connected cars. In the case of Volvo, the company stated that interior cameras are meant to detect intoxicated or erratic drivers. The popularization of interior cameras has made protecting individual privacy and data security more challenging.

One company that has made headlines in recent years is Tesla. It has been reported that employees allegedly shared videos and images recorded by the vehicles' cameras, depicting intimate and invasive content, with other employees, despite the cameras' stated purpose of assisting with driving. Some of the videos, which were shared within Tesla's internal messaging system, included a man approaching a vehicle while nude, road-rage incidents and a Tesla hitting a child on a bike.

Cybersecurity risks

Another ongoing privacy risk associated with connected cars is their vulnerability to being hacked. This cybersecurity risk led automakers to establish a global information-sharing community, the Automotive Information Sharing and Analysis Center (Auto-ISAC), whose members include more than thirty automakers and suppliers.

The issue was demonstrated in a 2015 experiment in which a journalist from Wired magazine had his Jeep remotely hacked. The researchers manipulated the air conditioning, radio and windshield wipers and disabled the vehicle's transmission while it was on the road. The situation, later remedied by a software patch from the manufacturer, highlights the susceptibility of connected cars to external interference, which can be physically dangerous. Initially, the car-hacking tests suggested connected cars could be accessed only through a direct Wi-Fi link, which would limit an attack to a range of a few dozen yards. Later experiments found a more concerning reality: an attack on a connected car could be carried out over the internet, through the vehicle's cellular connection.

Recent patent applications signal future concerns

Not all connected-car changes will benefit consumers; some could be used to create additional revenue streams that leverage consumer data without their consent. In 2023, one company submitted a patent application for a system that would use connected-car technology to streamline vehicle repossession when payments are delinquent, including giving lenders and law enforcement a channel to intervene. The described features include locking drivers out of their vehicles, disabling vehicle functions like air conditioning and restricting where or when the vehicle can be driven. Such a platform could expose owners to increased privacy and security risks, including loss of personal data, hacking and tracking.


Regulatory environment

The regulatory environment affecting connected cars continues to evolve across different jurisdictions. In the future legislative landscape, the EU will build upon the GDPR through the EU Data Act and Canada will introduce requirements affecting connected cars using Bill C-27.

Canada

Currently, Canada does not have data protection legislation that directly addresses connected vehicles. There is a general lack of standards for connected vehicles, with only some features such as advanced lighting, mandatory backup cameras and electronic stability control systems regulated; however, there are no specific privacy-related requirements. Proposed Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act, will have implications for the connected-car industry. Bill C-27 has not yet been finalized.

There is existing privacy legislation that places responsibility on connected-car automakers, but it does not address all the privacy issues associated with connected cars. PIPEDA, the federal private-sector law, governs personal information collected by automakers, except in British Columbia, Alberta and Quebec, where substantially similar provincial legislation applies. There is still a significant lack of clarity on how PIPEDA principles should be applied as best practices by automakers. One of the legislative barriers is the requirement of consent from consumers to share personal information, which sits uneasily with big data, where new opportunities for data collection and use are constantly emerging, making it difficult for the regulatory environment to keep pace with market trends.

In 2018, the Senate undertook a Transport Committee study to guide the federal government in developing legislation to address issues involving autonomous and connected cars, including security and privacy. Two of the recommendations advanced by researchers involved privacy and security concerns:


Europe

As technology continues to advance, there has been a marked push for more comprehensive and stronger legislation. One of the most significant legislative changes in privacy to garner international recognition is the GDPR, considered one of the strictest data protection laws in the world. It provides a framework for consumers, data customers and OEMs. However, certain concepts, such as data ownership, are not clearly defined in EU law, which has led to disputes between automakers and those seeking access to vehicle data.

The GDPR impacts connected-vehicle providers through several rules and principles. Data processing principles such as data minimization apply to connected cars by suggesting data collection is focused only on data that is adequate, relevant and necessary for a specific purpose.

In response to the GDPR, some automakers operating in the EU suggested individuals should not have the right to access their personal data in order for vehicles to maintain adequate security levels. On the other hand, others suggested there is a need for data portability given the competitiveness of the industry, and precluding individuals from having access to their data would undermine competition. It is hoped the EU Data Act will clarify this issue.



Evaluation of proposed recommendations

There have been increased calls for industry-specific regulation for connected cars given the ongoing digital transformation and associated high risks. However, automakers have suggested such a tailored approach would be inappropriate for Canadian privacy regulations and consumers would bear the burden of the adoption costs.

One proposed solution for industry-specific regulation is a code of practice for connected-car providers. A code of practice is an industry code designed with the involvement of market participants to establish good business practices and minimum standards for an industry. When evaluating a code of practice as a possible legislative solution, it is important to consider that this would align with the federal government's position in its response to the 2018 Senate Transport Committee study, "Driving Change: Technology and the Future of the Automated Vehicle." In that response, the government stated the preferred solution was the "development of an industry-specific code of best practices for privacy protection" rather than regulations. Given that the flow of data in the connected-car industry is complex, the government suggested that developing the industry-specific code should involve multiple industry stakeholders.


There is evidence of the code of practice for connected cars serving as the regulation model in other jurisdictions for testing purposes, rather than for production. In the U.K., the government implemented a code of practice for testing and trials of automated and connected-car technologies. The code was designed to support safe trials of the technology, support cooperation between trialing organizations and encourage information sharing to develop high safety standards. This code was not, however, designed as a substitute for production standards. Thus, it is not a comparable international example for the Canadian government. Arguably, data protection should be considered during the design phase, when the system's functionality is being established.

Although a code of practice can establish trust within the market and create a fairer economic environment, there are challenges to consider. Industry codes carry litigation risk for firms because litigants can rely on them in actions against a firm and regulators can use them to investigate suspected misconduct. The level of risk depends on several factors, including the extent, if any, to which a firm references the code within contracts or marketing materials or has agreed to adhere to it. An express contractual agreement to follow a code will likely render the code obligatory, and even an indirect reference to an industry code within a contract can give rise to implied terms if the code is considered necessary for the business efficacy of the contract. Legislation with clear enforcement mechanisms would likely be more effective than a code of conduct, provided the interests of market participants are appropriately reflected so as not to stifle innovation.

It is important to note Bill C-27 includes a codes-of-practice concept that allows private organizations to establish codes and certification programs for complying with the Consumer Privacy Protection Act, subject to approval by the Office of the Privacy Commissioner of Canada (OPC). After approval, the established code sets the standard against which the organization's legal compliance is assessed.

Regulatory guidance from the EU

The European Data Protection Board published guidelines on the processing of personal data in the context of connected vehicles and mobility-related applications, which identify areas of risk for organizations and establish measures that should be adopted to ensure that technology complies with the law. Within the guidelines, personal data is defined as data that is processed within a vehicle, communicated between a vehicle and a connected device such as a smartphone, and vehicle telemetry that is sent to external entities such as the manufacturer, insurance company, vehicle repair company or another service provider.

The guidelines help create risk-mitigation measures to promote compliance. These include guidance such as prompting companies to consider the specificity and frequency of data collection for each functionality. An example is a weather application that can access a vehicle's location at longer intervals, instead of at every second. Another relevant recommendation is to communicate accurate and appropriate information about the purposes and occurrence of data processing, such as how data can be shared with third parties and how long data storage lasts. Users should be able to deactivate location tracking at any moment.

The guidelines also provide important considerations for processing biometric data, which automakers increasingly collect. When biometric data is used for purposes such as authentication or accessing a vehicle, the data should be stored and compared in encrypted form on a local level instead of transmitted externally. The guidance has helped facilitate connected-vehicle compliance with the GDPR. Canada does not currently have equivalent guidance available.

The importance of addressing the risks of anonymized and aggregated data in legislation

When considering which legislative solution would be appropriate to address the privacy risks associated with connected cars, it is important to consider the risks of anonymized and aggregated data. When significant quantities of data are collected, the reidentification risk remains high despite anonymization, particularly if the data is intercepted or breached and can be linked against other datasets. The mere use of anonymized and aggregated data does not insulate a business from the risk of privacy breaches. A business must engage in continuous scrutiny to prevent reidentification risks from emerging.

Given the risk of reidentification of anonymized data in the event of a data breach, it is important to consider mitigation measures. For instance, companies should limit data transmission by processing data on a local level and using encryption wherever possible, especially when local processing is not feasible.
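The reidentification risk described above, and the data-minimization measures the EDPB guidance recommends (collecting location less often and less precisely), can be made concrete. The following Python script is an added example written for this page, not code from any automaker, broker or regulator. It constructs a day of pseudonymous GPS fixes for three vehicles (all coordinates, pseudonyms and the "directory" of names are invented), infers each vehicle's home and work from the pseudonymized trace alone, and links the pair against the auxiliary directory, which is how a broker's "anonymous" feed is turned back into a named person. It then applies minimization at the point of collection (one fix per hour, coordinates rounded to roughly an 11 km cell) and measures the resulting anonymity set, which is the number of vehicles whose traces reveal the same home/work pair.

```python
"""Reidentifying pseudonymous telematics traces, and what data minimization buys.
All coordinates, vehicle pseudonyms and the auxiliary DIRECTORY are constructed
for this example (assumed, not real data); the technique is the general one."""
import math
from collections import Counter

# Constructed ground truth for three pseudonymous vehicles: a91f and c03b are
# next-door neighbours with different downtown employers; 7e2d lives across
# town and works at the same place as a91f.
HOME = {"a91f": (45.4215, -75.6972), "c03b": (45.4218, -75.6968), "7e2d": (45.3300, -75.7800)}
WORK = {"a91f": (45.4200, -75.6800), "c03b": (45.4100, -75.6850), "7e2d": (45.4200, -75.6800)}

# Constructed auxiliary data an adversary might hold (assumed): name -> (home, work).
DIRECTORY = {
    "Alice": ((45.4215, -75.6972), (45.4200, -75.6800)),
    "Bob":   ((45.4218, -75.6968), (45.4100, -75.6850)),
    "Carol": ((45.3300, -75.7800), (45.4200, -75.6800)),
}


def make_trace(home, work):
    """One day of (hour, lat, lon) fixes every 5 minutes: at home overnight,
    commuting 07:30-08:30 and 17:30-18:30, at work in between."""
    fixes = []
    for step in range(24 * 12):
        h = step / 12
        if h < 7.5 or h >= 18.5:
            lat, lon = home
        elif 8.5 <= h < 17.5:
            lat, lon = work
        else:  # interpolate along the commute
            t = (h - 7.5) if h < 12 else (18.5 - h)
            lat = home[0] + (work[0] - home[0]) * t
            lon = home[1] + (work[1] - home[1]) * t
        jitter = ((step * 10) % 11 - 5) * 1e-5  # deterministic ~5 m GPS noise
        fixes.append((h, lat + jitter, lon + jitter))
    return fixes


def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


def infer_anchors(fixes):
    """Home = centroid of 00:00-06:00 fixes, work = centroid of 10:00-16:00 fixes.
    Either anchor is None if the trace has no fixes in that window."""
    def centroid(pts):
        if not pts:
            return None
        return (sum(p[0] for p in pts) / len(pts), sum(p[1] for p in pts) / len(pts))
    night = [(lat, lon) for h, lat, lon in fixes if h < 6]
    day = [(lat, lon) for h, lat, lon in fixes if 10 <= h < 16]
    return centroid(night), centroid(day)


def link(anchors, directory, radius_m=100):
    """Names whose home AND work both lie within radius_m of the inferred anchors.
    Exactly one hit means the pseudonym has been reidentified."""
    home, work = anchors
    if home is None or work is None:
        return []
    return [name for name, (h, w) in directory.items()
            if haversine_m(home, h) <= radius_m and haversine_m(work, w) <= radius_m]


def minimize(fixes, interval_min, decimals):
    """Minimization at collection time: keep one fix per interval_min minutes and
    round coordinates to `decimals` places (1 decimal ~ 11 km, 4 decimals ~ 10 m)."""
    keep_every = max(1, interval_min // 5)
    return [(h, round(lat, decimals), round(lon, decimals))
            for i, (h, lat, lon) in enumerate(fixes) if i % keep_every == 0]


def anonymity_set_sizes(traces, decimals):
    """For each vehicle, how many vehicles in the dataset reveal the same
    (home, work) pair at the given precision (k of k-anonymity)."""
    keys = {}
    for vid, fixes in traces.items():
        home, work = infer_anchors(fixes)
        if home is None or work is None:
            continue
        keys[vid] = tuple(round(c, decimals) for c in (*home, *work))
    counts = Counter(keys.values())
    return {vid: counts[k] for vid, k in keys.items()}


def demo():
    raw = {vid: make_trace(HOME[vid], WORK[vid]) for vid in HOME}
    raw_links = {vid: link(infer_anchors(f), DIRECTORY) for vid, f in raw.items()}
    raw_k = anonymity_set_sizes(raw, decimals=4)
    coarse = {vid: minimize(f, interval_min=60, decimals=1) for vid, f in raw.items()}
    coarse_links = {vid: link(infer_anchors(f), DIRECTORY) for vid, f in coarse.items()}
    coarse_k = anonymity_set_sizes(coarse, decimals=1)
    return raw_links, raw_k, coarse_links, coarse_k


if __name__ == "__main__":
    for label, result in zip(("raw links", "raw k", "minimized links", "minimized k"), demo()):
        print(label, result)
```

On the raw 5-minute traces every pseudonym links to exactly one name and every vehicle is alone in its anonymity set, even though no identifier was ever transmitted; the home/work pair is the identifier. After hourly, coarsened collection the directory linkage fails and the two neighbours become indistinguishable (k = 2), while the vehicle across town remains unique, which is the caveat: coarsening reduces but does not eliminate reidentification risk, so it has to be verified against the actual population rather than assumed, and kept under continuous review as the dataset grows.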

The consent challenge

Consent, if uninformed, is not meaningful consent. The concept of consent at an individual level, which protects citizens' autonomy, is a central tenet of Canadian private-sector privacy laws. As the federal and provincial working group on connected cars has noted, the complex design of connected cars can make it difficult for individuals to make informed choices about the handling of their personal information. This means meaningful consent should be built into connected-car companies' design processes to address consumers' lack of awareness. For example, individuals should be given choices about their personal information, such as the ability to turn sensors on and off or to request deletion of usage histories, with clear yes and no options.

Companies should also consider the perspectives of those who cannot consent, such as pedestrians whose images may be inadvertently captured by cameras. Companies can mitigate privacy risks to such third parties by automatically deleting or deidentifying this data. To address individuals' capacity to consent, former Privacy Commissioner of Canada Daniel Therrien, jointly with the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner of British Columbia, released guidelines on consent under PIPEDA in 2019. These suggest companies should employ communication strategies to explain their privacy practices more effectively, such as customized mobile interfaces and "just-in-time" notices. However, these recommendations, while relevant to data privacy in connected cars, are not enforceable and are simply guidelines. The requirements for connected-car consent should be set out in legislation with enforceable compliance and clear breach mechanisms.


Conclusion

Consumer interest in connected cars is growing and the technology continues to rapidly evolve, providing clear benefits such as increased safety and efficiency in vehicles. Currently, the regulatory environment in Canada is in flux, as there is no dedicated connected-car legislation and legislation that would address this issue is still forthcoming. Looking to other jurisdictions, the EU has developed principles that clearly apply to connected cars, such as the right to erasure found in the GDPR. When developing a legislative response, the Canadian government needs to consider several factors that have been highlighted as key concerns by experts. These include considering regulatory guidance from leading jurisdictions, such as the connected-car guidance published by the European Data Protection Board. They should also consider including requirements for companies to address the risks of anonymous and aggregated data within legislation. Through considering multiple stakeholders' interests, consumers' needs and other jurisdictions' guidance, federal and provincial governments can successfully align on legislation and develop regulatory frameworks that protect consumers without limiting innovation.
