No CRS summary available for this bill.
This section requires each motor vehicle manufacturer to provide the vehicle's owner secure access to, and joint control of, the vehicle's data as follows: (1) at no cost beyond the purchase price; (2) in real time; (3) without restrictions on the owner's use of the data for lawful purposes or authorization of third-party access (except to entities owned or controlled by a foreign adversary, as defined in 15 C.F.R. § 791.2); (4) without requiring a fee, license, or manufacturer-provided device to decrypt or access the data; (5) through an onboard diagnostics port or wireless transmission (if equipped); (6) in a manner facilitating deletion of stored user data; and (7) in compliance with voluntary automotive cybersecurity standards (e.g., ISO/SAE 24134).
This section prohibits motor vehicle manufacturers from selling covered data unless they provide vehicle owners a clear and conspicuous opportunity to opt out of such sales. It imposes the same opt-out requirement on motor vehicle fleet owners with respect to data from leased or owned fleet vehicles, requiring notice to drivers or operators. The requirement does not apply to data generated by commercial or governmental fleet vehicles driven during employment, unless that data is sold for profiling that knowingly causes negative legal or significant harmful effects outside employment. This section further prohibits manufacturers and fleet owners from knowingly selling motor vehicle data to the Democratic People’s Republic of Korea, People’s Republic of China, Russian Federation, Islamic Republic of Iran, or Bolivarian Republic of Venezuela. It specifies that a sale does not include specified activities (e.g., transferring data to emergency responders; research, repairs, or safety enhancements; warranty administration; cybersecurity responses; or disclosures to affiliates, processors, or in mergers).
This section provides that a violation of section 2 constitutes a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act regarding unfair or deceptive acts or practices and authorizes the Federal Trade Commission to enforce section 2 using the same jurisdiction, powers, duties, penalties, privileges, and immunities as provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.). (Thus, the Commission may pursue civil penalties, injunctions, and other remedies available under the act for such violations.)
This section clarifies that, except as provided in section 2, nothing in this Act requires a motor vehicle manufacturer to disclose confidential business information (as defined in 49 C.F.R. § 512.3(c)).
This section preempts any state or local law, rule, regulation, requirement, standard, or other provision having the force of law that relates to section 2.
This section provides definitions for terms used in the Act, including (1) "biometric identifier" (motor vehicle data on fingerprints, facial features, iris or retina patterns, gait, voice, body measurements, or weight); (2) "covered data" (personal data relating to a biometric identifier, precise geolocation, or driver behavior, including data received from a personal device, but excluding deidentified, pseudonymous, aggregate, or publicly available information); (3) "driver behavior" (motor vehicle data used for profiling that knowingly causes negative legal or significant harmful effects on a motor vehicle owner's conduct outside employment); (4) "motor vehicle" (as defined in 49 U.S.C. § 30102(a), including trailers); (5) "motor vehicle owner" and "motor vehicle fleet owner" (owners, designees, those with beneficial interests, or lessees under 180-day leases, with fleet owners owning or controlling 5 or more vehicles); (6) "personal data" (motor vehicle data linked to an identified or identifiable person, excluding deidentified, pseudonymous, aggregate, or publicly available information); (7) "precise geolocation" (location data identifying a person within a 1,750-foot radius); (8) "sale" (exchange of data for monetary consideration, excluding disclosures to third parties for requested products or services); and (9) "user data" (data transferred from a personal or external device to a motor vehicle).