Auto Data Privacy and Autonomy Act
- Bill Number
- S. 3494
- Origin Chamber
- Senate
- Congress
- 119th Congress, Session 1
- Policy Area
- Commerce
- Status
- Introduced
- Latest Action
- 2025-12-16: Read twice and referred to the Committee on Commerce, Science, and Transportation.
- Last Updated
- 2026-04-29T12:55:11Z
AI-Generated Summary
Purpose
The Auto Data Privacy and Autonomy Act (S. 3494) aims to safeguard the privacy and security of data generated by or transferred to modern vehicles. It prevents vehicle manufacturers from accessing, selling, or sharing personal and vehicle data without owner consent, while ensuring owners have free, real-time access and control over this data. The legislation addresses growing concerns about data collection in connected and autonomous vehicles, emphasizing owner autonomy and national security by restricting data flows to certain foreign adversaries.
Key Provisions
- Definitions: Establishes terms like "covered vehicle" (any motor vehicle, including trailers, or those used for farming/construction), "covered data" (user-input data transferred to the vehicle plus all onboard-generated data from sensors, GPS, etc.), "geolocation data" (location information of the vehicle or individuals), and "personally identifiable information" (PII; details that directly or indirectly identify a person, such as name, address, or online activity).
- Prohibitions on Data Access and Sharing (Sec. 3):
- Manufacturers cannot access covered data without the owner's (or next of kin's in case of death/incapacity) explicit, written, informed consent that can be easily withdrawn; limited exceptions allow access for vehicle safety/performance improvements.
- Manufacturers cannot sell, lease, or share covered data without similar consent or legal mandates (e.g., warrants, court orders with notice and objection rights, or emergencies).
- Bans sharing U.S. citizens' or permanent residents' PII with governments of North Korea, China, Russia, Iran, or Venezuela.
- Requires the Federal Trade Commission (FTC) to submit a report to Congress within 180 days of enactment, detailing data access types, sharing practices, cybersecurity risks, data breaches (especially those linked to foreign entities), and feasibility of secure, open data interfaces.
- Owner Access and Control Rights (Sec. 4):
- Manufacturers must provide owners free, real-time access to all covered data via vehicle ports or wireless transmission (if equipped), without fees, licenses, or restrictions on third-party use.
- Requires an open application programming interface (API; a technical standard allowing software to interact with vehicle systems) for deleting user data and setting preferences.
- Overrides conflicting state or local laws on these access requirements.
- Enforcement (Sec. 5): Violations are treated as unfair or deceptive practices under the FTC Act, empowering the FTC to investigate, penalize, and enforce like consumer protection cases; preserves FTC's existing authorities.
- Exceptions and Implementation (Secs. 6-8): Protects manufacturers' confidential business information (trade secrets) from disclosure, except for required data access. Takes effect 3 months after enactment; no new funding authorized—FTC uses existing budget.
Significant Changes to Existing Law
- Introduces the first federal standards specifically for vehicle data privacy, filling a gap in current laws like the FTC Act (which covers general deceptive practices) or state privacy laws (e.g., California's data protections), by mandating consent for access/sharing and owner control.
- Overrides state laws on data access, creating uniform national rules that preempt local variations.
- Adds novel restrictions on sharing PII with designated foreign adversaries, expanding beyond existing export controls or sanctions under laws like the International Emergency Economic Powers Act.
- Requires a comprehensive FTC report on vehicle data ecosystems, which could inform future regulations absent in prior vehicle safety laws (e.g., under the National Highway Traffic Safety Administration).
Potential Impacts
- On Citizens: Empowers vehicle owners with greater control over personal data (e.g., location tracking or driving habits), reducing risks of unauthorized surveillance or commercial exploitation; could enable new services like independent repair or data analytics without manufacturer gatekeeping.
- On Government Agencies: FTC gains enforcement role, potentially increasing workload without new funds; other agencies (e.g., Department of Justice for warrants, Department of Homeland Security for cybersecurity, Department of Transportation for vehicle standards, FCC for wireless tech) must collaborate on the required report, fostering interagency coordination on data privacy.
- On Manufacturers and Industry: Imposes compliance costs for data interfaces and consent systems, possibly slowing innovation in connected vehicles but promoting open standards; limits data monetization, affecting business models reliant on selling anonymized data.
- On International Relations: Restricts data flows to adversarial nations, signaling U.S. priorities on national security and data sovereignty; could strain trade ties with affected countries (e.g., China, a major auto parts supplier) or prompt retaliatory measures, while aligning with broader U.S. efforts to counter foreign cyber threats.
Main Stakeholders Affected
- Vehicle Owners and Users: Primary beneficiaries, gaining rights to data control and privacy protections.
- Vehicle Manufacturers: Directly regulated, facing prohibitions, access mandates, and potential FTC penalties for non-compliance.
- Third Parties: Data buyers (e.g., insurers, advertisers), repair shops, or app developers who may gain easier access to vehicle data via open APIs.
- Government Entities: FTC (enforcer and reporter), plus DOJ, DHS, DOT, and FCC (consultants on the report); Congress (receives insights for oversight).
- Foreign Governments and Entities: Adversarial nations (e.g., China, Russia) lose access to U.S. vehicle data, impacting their intelligence or commercial interests.
Notable Legal, Constitutional, or Political Implications
- Legal: Treats violations as FTC violations, enabling civil penalties (up to $50,120 per violation under existing FTC rules) without criminalizing conduct; the preemption of state laws may face challenges under the 10th Amendment (states' rights), though it aligns with federal commerce authority over interstate vehicle sales.
- Constitutional: Bolsters privacy expectations under the 4th Amendment (unreasonable searches) by requiring warrants/court orders for data access, potentially influencing court interpretations of vehicle data as personal property; consent requirements echo GDPR-like standards, raising questions on balancing owner rights with manufacturer intellectual property.
- Political: Advances bipartisan concerns on data privacy and national security amid rising vehicle connectivity (e.g., 96% of new cars have internet by 2025 projections), but could spark debates over federal overreach into auto industry innovation or economic impacts on global supply chains; the no-new-funds clause highlights fiscal conservatism, while the foreign bans underscore geopolitical tensions without needing new sanctions legislation.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Recent Actions
- 2025-12-16: Read twice and referred to the Committee on Commerce, Science, and Transportation.
- 2025-12-16: Introduced in Senate
Bill Versions
- Auto Data Privacy and Autonomy Act — issued 2025-12-16 — PDF (9 pages)