Ars Technica article on the letter. Just a short summary, with some more context on other works and investigations into the auto industry’s privacy issues.
Does your company collect user data from its vehicles, including but not limited to the actions, behaviors, or personal information of any owner or user?
If so, please describe how your company uses data about owners and users collected from its vehicles. Please distinguish between data collected from users of your vehicles and data collected from those who sign up for additional services.
Please identify every source of data collection in your new model vehicles, including each type of sensor, interface, or point of collection from the individual and the purpose of that data collection.
Does your company collect more information than is needed to operate the vehicle and the services to which the individual consents?
Does your company collect information from passengers or people outside the vehicle? If so, what information and for what purposes?
Does your company sell, transfer, share, or otherwise derive commercial benefit from data collected from its vehicles to third parties? If so, how much did third parties pay your company in 2022 for that data?
Once your company collects this user data, does it perform any categorization or standardization procedures to group the data and make it readily accessible for third-party use?
Does your company use this user data, or data on the user acquired from other sources, to create user profiles of any sort?
How does your company store and transmit different types of data collected on the vehicle? Do your company’s vehicles include a cellular connection or Wi-Fi capabilities for transmitting data from the vehicle?
Does your company provide notice to vehicle owners or users of its data practices?
Does your company provide owners or users an opportunity to exercise consent with respect to data collection in its vehicles?
If so, please describe the process by which a user is able to exercise consent with respect to such data collection. If not, why not?
If users are provided with an opportunity to exercise consent to your company’s services, what percentage of users do so?
Do users lose any vehicle functionality by opting out of or refusing to opt in to data collection? If so, does the user lose access only to features that strictly require such data collection, or does your company disable features that could otherwise operate without that data collection?
Can all users, regardless of where they reside, request the deletion of their data? If so, please describe the process through which a user may delete their data. If not, why not?
Does your company take steps to anonymize user data when it is used for its own purposes, shared with service providers, or shared with non-service provider third parties? If so, please describe your company’s process for anonymizing user data, including any contractual restrictions on re-identification that your company imposes.
Does your company have any privacy standards or contractual restrictions for the third-party software it integrates into its vehicles, such as infotainment apps or operating systems? If so, please provide them. If not, why not?
Please describe your company’s security practices, data minimization procedures, and standards in the storage of user data.
Has your company suffered a leak, breach, or hack within the last ten years in which user data was compromised?
If so, please detail the event(s), including the nature of your company’s system that was exploited, the type and volume of data affected, and whether and how your company notified its impacted users.
Is all the personal data stored on your company’s vehicles encrypted? If not, what personal data is left open and unprotected? What steps can consumers take to limit this open storage of their personal information on their cars?
Has your company ever provided to law enforcement personal information collected by a vehicle?
If so, please identify the number and types of requests that law enforcement agencies have submitted and the number of times your company has complied with those requests.
Does your company provide that information only in response to a subpoena, warrant, or court order? If not, why not?
Does your company notify the vehicle owner when it complies with a request?
They do in MA, because we have the right to vehicle telematics data under our right to repair law, which is constantly being fought, including by the feds.