[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 10473 Introduced in House (IH)]
<DOC>
118th CONGRESS
2d Session
H. R. 10473
To prevent covered vehicle manufacturers from accessing, selling, or
otherwise selling certain covered vehicle data, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
December 18, 2024
Mr. Burlison (for himself and Mr. Biggs) introduced the following bill;
which was referred to the Committee on Energy and Commerce
_______________________________________________________________________
A BILL
To prevent covered vehicle manufacturers from accessing, selling, or
otherwise selling certain covered vehicle data, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Auto Data Privacy and Autonomy
Act''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(2) Covered vehicle.--The term ``covered vehicle'' means a
motor vehicle or a vehicle primarily used for farming or
construction.
(3) Director.--The term ``Director'' means the Director of
the National Institute of Standards and Technology.
(4) Motor vehicle.--The term ``motor vehicle'' has the same
meaning given such term in section 30102(a) of title 49, United
States Code, and includes a motor vehicle trailer.
(5) Operator data.--The term ``operator data'' means--
(A) all electronic data generated or processed
onboard a covered vehicle, such as data generated by
sensors, receivers, computer processing units, or other
vehicle components; and
(B) data stored in a covered vehicle generated by
the user of such covered vehicle.
(6) Personally identifiable information.--The term
``personally identifiable information'' means information
that--
(A) directly identifies an individual such as the
name, address, social security number or other
identifying number or code, telephone number, or email
address of an individual;
(B) indirectly identifies an individual such as the
gender, race, or date of birth of an individual; or
(C) reveals the physical location or internet
activity of an individual.
(7) Secretary.--The term ``Secretary'' means the Secretary
of Transportation.
(8) Secure.--The term ``secure'' means, with respect to the
interface for access and control of operator data described in
section 4(c), designed to prevent malicious or unauthorized use
or access of such data.
(9) Technology-neutral.--The term ``technology-neutral''
means, with respect to the interface for access and control of
operator data described in section 4(c), designed without
preference or prejudice towards any technology or service used
to access and control such data by a covered vehicle owner, and
not contingent on ownership or licensing of proprietary
technologies by a covered vehicle owner or manufacturer.
(10) User preference.--The term ``user preference'' means
any choice with respect to a configurable setting of a covered
vehicle made by or for the benefit of the owner or user of such
covered vehicle.
SEC. 3. OPERATOR DATA PRIVACY AND SECURITY.
(a) Prohibition on Manufacturers.--A manufacturer of a covered
vehicle may not, with respect to the covered vehicle of a covered
vehicle owner that is manufactured by such manufacturer--
(1) access operator data, unless--
(A) the covered vehicle owner affirmatively
consents to such manufacturer accessing such data and
such consent--
(i) is freely given;
(ii) is informed, specific, and
unambiguous;
(iii) is in writing; and
(iv) may be easily withdrawn; or
(B) such data is accessed solely to improve covered
vehicle performance or safety;
(2) sell, lease, or otherwise share operator data, unless--
(A) required to do so--
(i) pursuant to a lawfully executed
warrant;
(ii) pursuant to a court order that
provides the covered vehicle owner notice of
the order and at least 48 hours to object and
request a hearing; or
(iii) to facilitate an emergency response;
or
(B) expressly permitted to do so by the covered
vehicle owner or, in the event of the death or
incapacity of such person, the next of kin of such
owner; or
(3) sell, license, rent, trade, transfer, release,
disclose, provide access to, or otherwise make available
personally identifiable information of a United States citizen
or lawful permanent resident to the following:
(A) The Democratic People's Republic of Korea.
(B) The People's Republic of China.
(C) The Russian Federation.
(D) The Islamic Republic of Iran.
(E) The Bolivarian Republic of Venezuela.
(b) Report.--
(1) In general.--Not later than 180 days after the date of
the enactment of this Act, the Commission shall submit to
Congress a report that describes, with respect to operator
data--
(A) the types of such data that a manufacturer of a
covered vehicle accesses;
(B) the individuals and entities, other than a
manufacturer of a covered vehicle, that access such
data;
(C) the Federal or State government entities that
access such data and how such entities use such data;
(D) the individuals and entities to whom such data
may be sold or otherwise shared;
(E) the foreign governments to whom such data may
be sold or otherwise shared and how such data is used
by such foreign governments;
(F) the cybersecurity capabilities and risks
associated with covered vehicles; and
(G) occurrences of such data being compromised,
including the prevalence of such occurrences and any
entities with ties to foreign governments associated
with such occurrences.
(2) Consultation.--In completing the report required under
paragraph (1), the Commission shall consult with--
(A) the Attorney General;
(B) the Secretary of Homeland Security;
(C) the Secretary of Transportation; and
(D) the Federal Communications Commission.
SEC. 4. OPERATOR DATA ACCESS.
(a) In General.--A manufacturer of a covered vehicle shall provide
to a covered vehicle owner access to, and control of, operator data--
(1) at no cost beyond the purchase price of such vehicle;
(2) without any restriction or limitation, consistent with
subsection (c); and
(3) without a requirement that the covered vehicle owner--
(A) pay a fee or purchase a license to decrypt
operator data; or
(B) use a device provided by such manufacturer to
access and use operator data.
(b) Data Deletion and User Preferences.--To facilitate the access
and control of operator data described in subsection (a), a
manufacturer of a covered vehicle shall enable the operation of open
application programming interfaces that--
(1) facilitate deletion of all data stored in a covered
vehicle generated by the user of such covered vehicle; and
(2) enable the setting of any user preference by the
covered vehicle owner or another user of the covered vehicle.
(c) Technology-Neutral, Secure, Standards-Based Interface.--The
manufacturer of a covered vehicle shall provide to a covered vehicle
owner the access and control required by subsection (a) by means of a
technology-neutral and secure interface that meets the standards set by
the Commission pursuant to section 5.
SEC. 5. STANDARDS.
(a) Standards Report.--Not later than 180 days after the date of
enactment of this Act, the Commission shall submit to the Committee on
Commerce, Science, and Transportation of the Senate and the Committee
on Energy and Commerce of the House of Representatives a report on the
current practices employed for operator data generation, storage,
transmission, and cybersecurity.
(b) Standards Setting.--Not later than 1 year after the date on
which the Commission submits the report under subsection (a), the
Commission shall, in coordination with the Director, relevant industry
stakeholders, including manufacturers of covered vehicles and covered
vehicle owners, and with other agencies as necessary, establish 1 or
more standards for the technology-neutral, standards-based, secure
interface required by section 4(c).
(c) Standards Review and Revision.--Not later than 5 years after
the date on which the Commission, in coordination with the Director,
establishes the standards required under subsection (b), and not less
frequently than once every 5 years thereafter, the Commission shall
review and revise such standards as appropriate.
SEC. 6. ENFORCEMENT.
(a) Unfair or Deceptive Act or Practice.--A violation of this Act
shall be treated as a violation of a rule defining an unfair or
deceptive act or practice under section 18(a)(1)(B) of the Federal
Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(b) Powers of the Commission.--
(1) In general.--The Commission shall enforce this Act in
the same manner, by the same means, and with the same
jurisdiction, powers, and duties as though all applicable terms
and provisions of the Federal Trade Commission Act (15 U.S.C.
41 et seq.) were incorporated into and made a part of this Act.
(2) Privileges and immunities.--Any person who violates
this Act shall be subject to the penalties and entitled to the
privileges and immunities provided in the Federal Trade
Commission Act (15 U.S.C. 41 et seq.).
(3) Authority preserved.--Nothing in this Act shall be
construed to limit the authority of the Commission under any
other provision of law.
SEC. 7. RELATION TO OTHER LAWS.
This Act supersedes any statute, rule, requirement, or other legal
obligation of a State or political subdivision thereof, or any Federal
law or regulation, that relates to the requirements in this Act.
SEC. 8. DISCLOSURE OF CONFIDENTIAL BUSINESS INFORMATION.
Except as provided in section 4, nothing in this Act shall require
a manufacturer of a covered vehicle to divulge confidential business
information (as that term is defined in section 512.3(c) of title 49,
Code of Federal Regulations).
SEC. 9. EFFECTIVE DATE.
This Act shall take effect on the date that is 3 months after the
date of enactment of this Act.
SEC. 10. NO NEW APPROPRIATIONS.
The Commission shall carry out this Act using unobligated funds
appropriated to the Commission and available as of the date of the
enactment of this Act.
<all>