
28 ■ In-House Defense Quarterly ■ Spring 2015

Trending Technologies

Privacy, Cybersecurity, and the Connected Car

By Beth Hill, Patrick G. Seyferth, Lauren K. Freund, and Katie M. Hoffman

Beth Hill is the general counsel and chief compliance officer of FordDirect in Dearborn, Michigan. Ms. Hill’s automotive and technology experience focuses on how data is transforming the automotive experience and industry. Patrick G. Seyferth is a founding partner at Bush Seyferth & Paige PLLC in Troy, Michigan. Mr. Seyferth specializes in the defense of high-exposure product liability cases, commercial litigation, and class actions. He has been a member of DRI since 1996 and serves DRI on the Product Liability Committee. Lauren K. Freund, senior associate at Bush Seyferth & Paige PLLC in Troy, Michigan, specializes in product liability litigation, with experience in complex commercial, employment, premises liability, and financial services litigation. Ms. Freund assists BSP’s active involvement in DRI’s Strictly Automotive Conference. Katie M. Hoffman is an associate of Bush Seyferth & Paige PLLC in Troy, Michigan, who focuses her practice on complex commercial litigation, product liability litigation, and financial services litigation. Ms. Hoffman is a member of the steering committee for DRI’s Strictly Automotive Conference.

The future of driving is (almost) here. As vehicle connectivity and related technologies rapidly develop, the world of in-vehicle telematics has exploded. In 2015, for the first time in its history, the “connected car” has overtaken video games at the Consumer Electronics Show (see http://www.bloomberg.com/news/articles/2014-12-29/connected-cars-overtake-video-games-at-electronics-show (last visited Jan. 27, 2015)), which has become known as a shadow auto show with nearly all vehicle manufacturers represented. (See http://www.bloomberg.com/bw/articles/2015-01-08/ces-auto-show-web-connected-cars-are-stars-of-2015 (last visited Jan. 27, 2015).) Concept cars are turning into reality. Convenience and safety features are popping up in all vehicle brands; offerings include roadside and crisis assistance, traffic and weather information, text message display, and concierge services, among many others. Hand-in-hand with the connected car’s consumer benefits is a potential risk: the volume and breadth of information—about the vehicle, its owner, even its passengers—that is generated, collected and, potentially, used. Connectivity, diagnostic, and vehicle performance information can be used by manufacturers, insurance companies, and even the federal government in analyzing emissions and traffic data. (See The Connected Car and Privacy, Navigating New

© 2015 DRI. All rights reserved.

Data Issues, Future of Privacy Forum (Nov. 13, 2014).) Connected vehicles will also be able to collect biometrics information (e.g., physical data such as facial recognition, vital signs, or voice samples) and behavioral information about the driver. For instance, is the driver a habitual speeder or does he tend to slam on the brakes?

According to an estimate by Industry Solutions Automotive & Mobility, new information about vehicle usage, wear and tear, or defects will grow from approximately four megabytes to over five gigabytes of data per vehicle per month. (See Deutsche Telekom, Connected Cars Get Big Data Rolling, http://www.telekom.com/media/media-kits/179806 (last visited Jan. 13, 2014).) This expansion brings with it a number of product liability and privacy concerns about how that information—often uniquely personal and sensitive—is collected, stored, and used. Manufacturers and suppliers should understand the specific issues they are likely to face in order to proactively address them.

Evolving Vehicle Telematics and Event Data Recorders Present New Liability and Privacy Concerns

The “connected car” refers to the use of in-vehicle telematics, which is commonly understood to be any integrated use of telecommunications and information technology. Telematics in today’s vehicles range from providing convenient information to drivers, such as GPS, traffic and weather reports, and vehicle diagnostics, to serving as a critical safety device, such as automatic collision notification (ACN). According to the U.S. Department of Transportation (DOT), vehicle connectivity will support an elaborate network of communication among vehicles, infrastructure, and any wireless device in the vehicle. (See Deutsche Telekom, Connected Cars Get Big Data Rolling, http://www.telekom.com/media/media-kits/179806 (last visited Jan. 13, 2014).) Whether for convenience or safety, connectivity directly expands a vehicle’s data collection capabilities and brings new liability and privacy concerns.

Connectivity also augments existing in-vehicle technologies, such as Event Data Recorders (EDRs). An EDR, sometimes referred to as a vehicle’s “black box,” is a device installed in a motor vehicle to record technical vehicle and occupant information for a brief period of time, typically seconds before, during, and after a crash. Traditionally, EDRs were used to obtain information about air bag functionality, such as if an air bag light was on at the time of a crash. Now, EDRs collect more data, raising new liability and privacy concerns. The EDR has evolved to provide a host of information, including, for example, whether a brake was applied, the maximum change in forward speed during a crash, the number of crash events, and the time between two crash events, all of which is extremely valuable information used to understand and potentially reconstruct the accident during litigation.

Emerging Law on Telematics and EDR

Telematics technology is advancing faster than courts and governmental regulators can act. Many of the potential telematics-related product liability issues have not percolated through the court system to result in reported legal decisions, but recent efforts have been made to enact regulations and legislation governing vehicle technologies that affect product liability cases.

In April 2013, the U.S. DOT’s National Highway Traffic Safety Administration (NHTSA) issued voluntary visual-manual Driver Distraction Guidelines for In-Vehicle Electronic Devices to promote the safe use of electronic devices in vehicles. (See NHTSA’s Visual-Manual Driver Distraction Guidelines for In-Vehicle Electronic Devices, available at http://www.distraction.gov/downloads/pdfs/visual-manual-nhtsa-driver-distraction-guidelines-for-in-vehicle-electronic-devices.pdf (for additional information, see “U.S. DOT Releases Guidelines to Minimize In-Vehicle Distractions,” available at http://www.nhtsa.gov/About+NHTSA/Press+Releases/U.S.+DOT+Releases+Guidelines+to+Minimize+In-Vehicle+Distractions).) The guidelines, targeting manufacturers, establish specific recommended criteria for electronic devices installed in vehicles at the time they are manufactured that require drivers to take their hands off the wheel, or eyes off the road, to use them. The guidelines provide a list of secondary tasks, such as information, navigation, and communications, and separate “inherently distracting” secondary tasks from other secondary tasks. NHTSA’s guidelines recommend designing in-vehicle devices to prevent drivers from using “inherently distracting” secondary task vehicle features while driving. For all other visual-manual secondary tasks not deemed inherently distracting, the guidelines specify a test for eye glance behavior to determine whether the task interferes with a driver’s attention too much. While the guidelines are deemed “voluntary,” they may certainly become relevant in the courtroom when plaintiffs allege a manufacturer ignored NHTSA’s published guidelines in the design and manufacture of a vehicle.

EDR-related legislation has been enacted at both the state and federal levels, and continues to develop. Senate Bill 1813, passed in March 2012, mandated that 49 C.F.R. §563 be revised to require all vehicles manufactured after September 2015 be equipped with an EDR. (The full text of S. 1813 (112th) is available at https://www.govtrack.us/congress/bills/112/s1813/text. Section 31406 relates to EDR.) Bill 1813 also requires automakers to make third-party data readers available to the public and provides that the data is the property of the vehicle owner. (49 C.F.R. 563, published on October 1, 2014, “specifies uniform, national requirements for vehicles equipped with event data recorders (EDRs) concerning the collection, storage, and retrievability of onboard motor vehicle crash event data. It also specifies requirements for vehicle manufacturers to make tools and/or methods commercially available so that crash investigators and researchers are able to retrieve data from EDRs.” See 49 C.F.R. §563.1.) As of November 2014, 15 states had enacted legislation relating to EDRs: Arkansas, California, Colorado, Connecticut, Delaware, Maine, Nevada, New Hampshire, New York, North Dakota, Oregon, Texas, Utah, Virginia, and Washington. (For more information, see http://www.ncsl.org/research/telecommunications-and-information-technology/privacy-of-data-from-event-data-recorders.aspx.) Most of these state statutes include provisions that require disclosure of EDRs in vehicles (e.g., in a written notice at the time of a new vehicle purchase from a dealership or in the owner’s manual of new cars) and set forth conditions that must be met before the data can be downloaded, namely with permission from the vehicle’s owner.

Some cases dealing with EDR issues have produced opinions. The case law provides that there must be a proper protocol and chain of custody for EDR data to be presented into evidence. (See Laborde v. Shelter Mutual Ins. Co., 82 So.3d 1237 (La. 2012).) EDR data has been found to not be novel scientific evidence and is therefore admissible under the Frye test. (See Com. v. Safka, 95 A.3d 304 (Pa. Super. 2014).) EDR data may make the difference between winning and losing a product liability case, so manufacturers should have a proper protocol in place to prevent the exclusion of such valuable evidence.

Emerging Privacy Concerns

“Privacy,” “cybersecurity,” “big data,” “Internet of Things,” and the issues related to them are hot topics in Washington, Silicon Valley, among the press, and internationally. Hacking and unintended disclosure of consumer information is an ever-present threat to corporations and their customers. Privacy Rights Clearinghouse reports 195 data breaches due to hacking/malware or unintended disclosure in 2014 and 2015 alone. (See Privacy Rights Clearinghouse, Chronology of Data Breaches for 2014 and 2015, available at https://www.privacyrights.org/data-breach/new (last visited Jan. 14, 2015).) Insurance companies, universities, retailers, governmental agencies, apps, and even the Catholic Church have been targets. (See In Pictures: the worst data breaches of 2014… so far (Q1), available at http://www.cso.com.au/slideshow/542459/pictures-worst-data-breaches-2014-far-q1/?image=6 (last visited Jan. 14, 2015); The Big Data Breaches of 2014, available at http://www.forbes.com/sites/moneybuilder/2015/01/13/the-big-data-breaches-of-2014/ (last visited Jan. 14, 2015).) On January 5, 2015, President Obama called for federal legislation—the Personal Data Notification and Protection Act—intended to require companies to be forthcoming when consumer data is lost in an online breach like the kind that hit Sony, Target, and Home Depot in 2014. (See Obama to Call for Laws Covering Data Hacking and Student Privacy, available at http://www.nytimes.com/2015/01/12/us/politics/obama-to-call-for-laws-covering-data-hacking-and-student-privacy.html?_r=0 (last visited Jan. 14, 2015).) President Obama stated: “If we’re going to be connected, then we need to be protected. As Americans, we shouldn’t have to forfeit our basic privacy when we go online to do our business[.]” (Id.)

In the United States, there is a patchwork of laws, rules, and regulations regarding the collection, storage, use, and disclosure of personal information. The rise of connectivity by the addition of telematics to vehicles and the expansion of data collected and used has made motor vehicle privacy a very hot topic. Vehicle owners want the convenience that connectivity provides, but do not want to relinquish their personal information. For those entities collecting, storing, and using this information, privacy considerations must be paramount. Similar to telematics technology, laws in the privacy area are evolving and arguably have not caught up to these emerging technologies.

In the last few years alone, legislators on both sides of the aisle have introduced several cybersecurity bills in Congress. In February 2012, the White House unveiled the first ever “Consumer Privacy Bill of Rights,” which was developed in part to promote transparent disclosures to consumers about how their data is handled by companies, including those offering mobile device applications and interactive services such as those being developed by all vehicle manufacturers and those in the consumer electronics industry today.

(See Administration released Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Economy (available at http://www.whitehouse.gov/sites/default/files/privacy-final.pdf).

The report contains a Consumer Privacy Bill of Rights with the following principles:

• Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.

• Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.

• Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.

• Security: Consumers have a right to secure and responsible handling of personal data.

• Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.

• Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

• Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

(See also http://www.whitehouse.gov/the-press-office/2012/02/23/fact-sheet-plan-protect-privacy-internet-age-adopting-consumer-privacy-b).)

In introducing the Consumer Privacy Bill of Rights, President Obama stated that “even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever.” (Consumer Data Privacy in a Networked World, available at http://www.whitehouse.gov/sites/default/files/privacy-final.pdf (Feb. 23, 2012).) According to a January 2015 Press Release published by the White House:

Online interactions should be governed by clear principles—principles that look at the context in which data is collected and ensure that users’ expectations are not abused. Those were the key themes of the Administration’s 2012 Consumer Privacy Bill of Rights, and today the Commerce Department announced it has completed its public consultation on revised draft legislation enshrining those principles into law. Within 45 days, the Administration will release this revised legislative proposal and today we call on Congress to begin active consideration of this important issue.

(See Jan. 12, 2015 White House Press Release, Fact Sheet: Safeguarding American Consumers & Families, available at http://www.whitehouse.gov/the-press-office/2015/01/12/fact-sheet-safeguarding-american-consumers-families (last visited Jan. 14, 2015).)

Similarly, the Federal Trade Commission’s (FTC) approach to enforcement in the privacy and data security areas has generated several new initiatives, including one to police privacy policies associated with mobile services, devices, and applications. (See Federal Trade Commission articles available at http://www.ftc.gov/tips-advice/business-center/privacy-and-security/data-security.)

In January 2015, the FTC recommended a series of concrete steps for businesses to enhance and protect consumers’ privacy and security. (See FTC Report on Internet of Things Urges Companies to Adopt Best Practices to Address Consumer Privacy and Security Risks, available at http://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices (last visited Jan. 29, 2015).) Despite over 25 billion connected devices in use worldwide, FTC Chair Edith Ramirez said “[t]he only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers.” (Id.) The FTC’s best practices are aimed at companies developing Internet of Things devices, and include recommendations on building security into devices at the outset, training employees about the importance of security, ensuring security and oversight of outside service providers, and monitoring connected devices throughout their expected lifecycle, among other things. (Id.) The FTC acknowledges that any Internet of Things legislation would be premature at this point, given the rapidly evolving nature of the technology. (Id.) However, the FTC does have a range of tools to protect consumers’ privacy related to the Internet of Things, including enforcement actions under the FTC Act, the Fair Credit Reporting Act, developing consumer education and business guidance, and advocacy to other governmental agencies. (Id.)

To reassure automotive customers that their privacy is taken seriously by car manufacturers, the Alliance of Automobile Manufacturers (AAM) issued Consumer Privacy Protection Principles in November 2014. (See Auto Alliance Nov. 13, 2014 Press Release, Automakers Pledge to Protect and Respect Consumer Privacy. For updated Consumer Privacy Protection Principles, visit http://www.automotiveprivacy.com or https://www.globalautomakers.org/topic/privacy.) These principles, which all U.S. Original Equipment Manufacturers have agreed to follow, apply to the collection, use, and sharing of covered information in association with vehicle technologies and services available on cars and light trucks. The principles are built on three important hallmarks, according to AAM president and CEO Mitch Bainwol: (1) transparency to the consumer, (2) heightened protection for the most sensitive types of consumer information, and (3) clear notice regarding limited circumstances where the information may be shared with government authorities. (Id.) Covered information includes identifiable information that vehicles collect, generate, record, or store that is retrieved from the vehicles by or on behalf of an OEM in connection with vehicle technology or personal subscription information. (See http://www.automotiveprivacy.com.) In publishing these principles, which AAM urges other companies to adopt as well, AAM acknowledges that “[c]onsumer trust is essential to the success of vehicle technologies and services.” (Id.)

Few cases involving vehicle telematics and privacy issues have made their way to the courts. For example, in Skuro v. BMW of North America, LLC, et al., a class action lawsuit in federal court in California, the plaintiffs claimed that BMW unlawfully recorded calls placed through its BMW Assist service without first disclosing that calls might be monitored or recorded. (See Sean Skuro et al. v. BMW of North America LLC et al., case number 2:10-cv-08672, in the U.S. District Court for the Central District of California.) The 2012 settlement, which included customers choosing from cash payments or an extension or upgrade of existing BMW Assist service, exceeded $5 million. (For a related article, see Jonathan Randles, “BMW Reaches $5M Deal In Call Recording Action,” available at http://www.law360.com/articles/313799 (Law360, Feb. 27, 2012).)


Emerging Telematics Product Liability Concerns: Focusing on Automatic Crash Notification Systems

There are numerous in-vehicle telematics designed for a driver’s convenience that may raise distracted driving concerns, but when telematics support a critical safety device, such as Automatic Crash Notification, a new set of legal issues arises. Critical safety devices are expected to perform as designed, but the reality is that technology will never be fail-proof. Accordingly, technology such as an ACN system creates both opportunities and challenges. Manufacturers must balance the benefits of offering the technology, which could save many lives, with the potential legal ramifications when the technology fails. While the case law has not caught up to ACN technology, manufacturers should understand the potential claims that they may face and take steps now to prepare their future defenses.

ACN systems immediately transmit information about vehicle crashes to 911, company call centers, or both. This information includes, among other things, crash location, speed, delta-v, air bag deployment, and principal direction of force. ACN systems are designed to provide faster emergency responses to help save lives and reduce injuries.

From a product liability perspective, manufacturers incorporating ACN systems into their vehicles may face design or manufacturing defect claims, failure to warn claims, and failure to recall claims, among others. For example, potential design and manufacturing defect claims may involve the following:

• The survivability of an ACN system during a crash (Does the system rely upon a battery, which may not survive the crash?);

• Inadequate testing of the ACN system;

• Out-of-subscription ACN functionality (See, e.g., In re OnStar Contract Litigation, 600 F. Supp. 2d 861 (E.D. Mich. 2009).);

• Service levels and Public Safety Answering Points, notification success rates (What if the ACN is linked to a cell phone that cannot find a signal?);

• ACN triggering events (Will the ACN call only be triggered if there is an air bag signal sent? What if the air bag improperly fails to deploy, and the ACN system is not triggered?);

• Privacy or security claims related to data collection, security and storage, and use.

Failure-to-warn claims may include allegations regarding the methods of delivering warnings and disclaimers to consumers, and the language chosen for those warnings, disclaimers, owner’s manuals, user guides, and “terms and conditions.”

Finally, failure-to-recall claims may occur if a manufacturer is aware of a percentage of failure in a system and chooses to keep it on the market. Is it better to offer a novel safety device subject to its inherent technological limitations or nothing at all despite the available technology? Significant liability ramifications may result from that decision.

Connectivity, Data, and Privacy Concerns

In addition to the ACN’s safety benefits to the consumer and driver, the use of telematics data can greatly benefit the manufacturer in its product development, including improvements based on data; cost savings (that may be passed on to consumers); competitive customization and personalization of features permitting a vehicle to “know” a driver and improve the driving experience with seating preferences, climate control, music choices, and mapping technology; and other “concierge” features, such as service notifications, oil check reminders, and service-related coupons. However, the collection of this data raises security concerns and the use of such data may raise privacy concerns with many consumers.

In the context of the evolving vehicle-to-vehicle (V2V) technology, the systems’ functionality is based on transmitting vehicle data. Connectivity is required for these connected cars to be able to sense and interact with the outside world, including other vehicles and the environment. (See Dirk Wollschlaeger, What’s Next? V2V (Vehicle-to-Vehicle) Communication with Connected Cars (Sept. 10, 2014), available at http://www.wired.com/2014/09/connected-cars/ (last visited Jan. 14, 2015), or vehicle-to-infrastructure (V2I or V2X) (U.S. DOT, Vehicle-to-Infrastructure (V2I) Communications for Safety (Dec. 18, 2014), available at http://www.its.dot.gov/safety/v2i_comm_safety.htm (last visited Jan. 14, 2015)); see also The Connected Car and Privacy, Navigating New Data Issues, Future of Privacy Forum (Nov. 13, 2014).) Some benefits of V2V and V2I data use include saving lives, improving the environment by reducing emissions, and reducing traffic. According to a NHTSA study, advance warnings through V2V could prevent up to 592,000 crashes and save up to 1,083 lives annually. (Press Release, U.S. DOT Issues Advance Notice of Proposed Rulemaking to Begin Implementation of Vehicle-to-Vehicle Communications Technology, NHTSA (Aug. 18, 2014), available at http://www.nhtsa.gov/staticfiles/rulemaking/pdf/V2V/Readiness-of-V2V-Technology-for-Application-812014.pdf.) If consumers want to avail themselves of these emerging technologies, it must come with voluntary consent (implicit or explicit) to the use of personal and vehicle information.

Manufacturers and suppliers face privacy and data protection challenges in developing their connected vehicle platforms, including, among others:

• Data collection (What data is collected, and how is it collected?);

• Data ownership (Who owns the data? The OEM? The supplier of the technology? The consumer? Is the data stored in the vehicle or in a centralized storage center?);


• Data use (How do we manage the specific uses of data? What about at all points in the data flow? Who is ultimately responsible for the data through the data flow?);

• Governance and consent (Can the vehicle owner opt out or cancel an ACN call? Can a consumer choose not to provide consent? If so, does it affect a consumer’s ability to receive services?);

• Consumer privacy awareness (Has a vehicle owner received notice of the system and the data it collects? What about rental cars? Fleet vehicles?).

The FTC has broad authority to regulate in this arena and many privacy-related enforcement actions have been imposed on companies, often involving fees, penalties, and a 20-year consent order requiring annual privacy audits. (See Federal Trade Commission 2014 Privacy and Data Security Update, available at http://www.ftc.gov/system/files/documents/reports/privacy-data-security-update-2014/privacydatasecurityupdate_2014.pdf (last visited Jan. 14, 2015).) The FTC uses its authority to enforce companies’ representations to consumers about their collection and use of personal data. (See Federal Trade Commission, Enforcing Privacy Promises, available at http://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises (last visited Jan. 14, 2015) (“When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up to these promises. As of May 1, 2011, the FTC has brought 32 legal actions against organizations that have violated consumers’ privacy rights, or misled them by failing to maintain security for sensitive consumer information. In these cases, the FTC can charge the defendants with violating Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce.”).) Then, the FTC looks at the harm the act or practice may cause, and may bring action if it is deemed unfair, unavoidable, misleading, and not offset by certain benefits. According to the FTC, these consumer protections provide a strong baseline of security for consumers who suffer a substantial harm from the misuse of their personal information, regardless of whether the entity using the information made a promise to the consumer.

Recommendations

In order to protect against liability and to reduce privacy-related concerns, manufacturers should heed the following recommendations. There are preemptive measures that manufacturers can take to protect themselves from liability before the inevitable product and privacy claims arise. Manufacturers should focus on developing a robust, crash-tolerant design. The reality is that different manufacturers will take different approaches to the design, manufacturing, and warnings of their systems. These differences will open the door to alternative design arguments, and each manufacturer should be prepared to tell its due care story and explain why it made the decisions that it did. It is important to show that design alternatives were considered, strenuous testing was conducted, and the manufacturer took all possible steps to put a safe product on the market.

Also, manufacturers should provide sufficient information and warnings to consumers regarding all telematics and the data that will be collected by its use. Consumer awareness is critical. The AAM and the Association of Global Automakers, Inc., FTC, FCC, the Consumer Privacy Bill of Rights, self-regulatory entities and trade associations such as the Mobile Marketing Association, and others all have developed principles and recommendations for better practices when it comes to data collection, use, and disclosure. Some of the key principles for developing and designing technologies that rely on data include:

• Notice
• Choice (consent) and control
• Transparency
• Security
• Focused collection
• Accountability
• Privacy by design (proactive)

Manufacturers should develop detailed yet clear and readable privacy policies and must implement operational controls to ensure that their policies are being followed, including monitoring the complex third-party vendor ecosystem they may be relying on to provide the actual software, services, components, or connectivity. Just as importantly, manufacturers should develop a method to ensure that consumers have notice of the privacy policies and a meaningful opportunity to consent. Privacy concerns can be reduced if consumers have a clear understanding of the benefits and limitations of the systems in their vehicles, what personal and vehicle data will be collected and by whom, how it will be stored, and the specific uses for the data. Automotive manufacturers, relatively new to the tech world and recently committed to AAM’s Consumer Privacy Protection Principles, may want to consult technology companies for guidance in this area.

The FTC takes the position that “consumers who wish for a higher standard of protection for their information or wish to share less information can seek out businesses that promise a higher standard of care that matches the consumers’ preferences.” (Statement of FTC Commissioner Ohlhausen, June 5, 2013, available at http://www.ftc.gov/sites/default/files/documents/public_statements/remarks-commissioner-maureen-k.ohlhausen/130605daasummit.pdf (last visited Jan. 29, 2015).) This statement conveys a message that trust and sensitivity to privacy concerns can be a competitive advantage in the marketplace and encourages companies to compete on the basis of the privacy protections that they offer. Alongside AAM’s Principles for vehicle technologies and services, automotive manufacturers and their supply base should consider FTC’s best practices to enhance and protect consumers’ privacy and security.

Conclusion

Emerging technologies offer exciting capabilities in today’s connected cars and provide new conveniences and safety features. It is a delicate balance between the benefits of offering these technologies and the legal ramifications associated with doing so, especially because legislation and case law struggle to keep up. By anticipating product liability and privacy concerns and implementing proper steps to address them, manufacturers can embrace the opportunity to provide these progressive new features to consumers.