GAO Looks at Privacy Practices for Connected Car Location Data

GAO Looks at Privacy Practices for Connected Car Location Data

Yesterday, the Government Accountability Office released its study on in-car location-based services, and its survey generally concludes that players in the connected car space are thinking seriously about driver privacy.   Companies reported that they neither share nor sell personal location data to marketing companies or data brokers, and the GAO found that all parties are taking steps to address privacy challenges.

The report, requested by Sen. Al Franken, evaluated (1) how selected companies use in-car location data and (2) whether these companies’ policies align with industry-recommended privacy practices.  For its survey, the GAO interviewed six automobile manufacturers, which together constitute 75% of new car sales in the United States, along with several makers of portable navigation devices and developers of mapping and navigation apps.  Though the report generally reflects the positive steps taken by companies to address the privacy risks posed by increased access to information about drivers’ locations, the GAO cautions that current privacy practices are in some cases “unclear” and “could make it difficult for consumers to understand the privacy risks that may exist.”

The GAO looked at how company practices comported with the Fair Information Practice Principles generally and then compared them to industry-developed privacy practices that the GAO believed were applicable to location data.  Specifically, the GAO evaluated company practices with regards to (1) disclosures, (2) consumer consent and control, (3) data safeguards and retention policies, and (4) company accountability.

  • First, the report noted that every surveyed company disclosed to drivers that they collect and share location data, but warned that some of these consumer disclosures could sometimes be unclear.  In particular, the GAO appeared to be concerned about whether consumers were receiving clear disclosures about the purposes for which their location information was being collected, used, or shared.  Current policies were “broadly worded and potentially allow for unlimited data collection and use,” the GAO reported.
  • While the report recognizes that connected car companies are offering consumers a variety of ways both to consent to the collection of location data and to control their information, the GAO was concerned that none of the surveyed companies permit consumers to delete their location data once it has been collected.  Certainly it may not be possible for individuals to delete location data that has been scrubbed of personal identifiers or aggregated with other data, but the GAO found that some companies were keeping “location data in a format that is associated with an individual vehicle” without providing drivers with the option to request the deletion of this information.
  • Every company was found to be taking positive steps to safeguard location information.  However, familiar privacy challenges such as the use of different de-identification methods and different data retention periods were discovered across the companies the GAO surveyed.  Further, no company disclosed how long location data were being retained, though the GAO noted that several companies responded that they retained location data no “longer than necessary.”
  • Finally, the GAO noted that while every company it spoke with is taking steps to be accountable for the location data it collects, this fact and any steps involved are not being disclosed to drivers themselves.  The GAO cautioned that consumers would have difficulty even being aware that companies were working to appropriately protect their data.


The Future of Privacy Forum was one of a handful of privacy organizations that met with the GAO in advance of this report.  FPF supports the development of flexible notice and choice mechanisms in connected cars, and has launched a Connected Cars Project to promote best practices in privacy and data security for connected cars. This report by the GAO should be taken as an opportunity to advance a dialogue among players in the connected car space that works to protect consumer privacy and promote the beneficial uses of in-car location data.

Leave a Reply

Privacy Calendar

10:00 am Privacy Principles in the Era of Massive Data @ Georgetown Law Center
Privacy Principles in the Era of… @ Georgetown Law Center
Apr 22 @ 10:00 am – 12:00 pm
Experts from the public and private sectors will join public policy experts from the Georgetown University McCourt School of Public Policy and privacy law experts [...]
all-day 6th Biannual International Surveillance & Society Conference
6th Biannual International Surve…
Apr 24 – Apr 25 all-day
The 6th Biannual International Surveillance & Society conference hosted by the University of Barcelona and supported by the Surveillance Studies Network is currently calling for [...]
12:00 pm Data Privacy in Education: Ensuring Student Security while Encouraging Innovation in K-12 Education @ Rayburn House Office Building, Room B-354
Data Privacy in Education: Ensur… @ Rayburn House Office Building, Room B-354
Apr 24 @ 12:00 pm – 1:00 pm
The Congressional E-Learning Caucus in cooperation with Into and the National Coalition for Technology in Education and Training presents a luncheon to discuss “Data Privacy [...]
all-day IAPP Europe Data Protection Intensive 2014
IAPP Europe Data Protection Inte…
Apr 29 – May 1 all-day
The IAPP Europe Data Protection Intensive features timely programming centred on the top issues impacting the European data protection community, with a focus on addressing [...]
5:30 pm InSecurity: Race, Surveillance and Privacy in the Digital Age @ New America Foundation
InSecurity: Race, Surveillance a… @ New America Foundation
Apr 30 @ 5:30 pm – 7:30 pm
Now more than ever, digital tools sit at a precarious tipping point, and many question whether they will be used to address pre-existing disparities, [...]
all-day IAPP Canada Privacy Symposium 2014
IAPP Canada Privacy Symposium 2014
May 7 – May 9 all-day
The IAPP Canada Privacy Symposium is the leading conference for education, debate and discussion of issues that matter most to Canadian privacy and data protection [...]
all-day Privacy Law Scholars Conference (7th Annual) @ The George Washington School of Law
Privacy Law Scholars Conference … @ The George Washington School of Law
Jun 5 – Jun 6 all-day
  UC Berkeley School of Law and The George Washington University Law School will be holding the seventh annual Privacy Law Scholars Conference (PLSC) on [...]
all-day Computers, Freedom, and Privacy 2014 Conference @ Airlie Center
Computers, Freedom, and Privacy … @ Airlie Center
Jun 8 – Jun 10 all-day
Mark your calendars! The 2014 Computers, Freedom, and Privacy Conference will be held June 8-10 at the Airlie Center in Warrenton, Virginia. The Airlie Center [...]

View Calendar