The recent discovery that private data collected by thousands of VW, Audi, Skoda, and Seat electric vehicles was left exposed by Volkswagen’s software company, Cariad, shook Germany when researchers revealed that the information included data collected about company officials and police authorities across Europe.
It was no surprise to Gerry Kennedy of Alton, who last year filed an official complaint about Volkswagen’s unauthorized collection of personal data with the Attorney General’s Office.
The state’s response at the time was, “After careful review, the Bureau has determined that it is unable to pursue your individual complaint. As a law enforcement agency, the Bureau has jurisdiction to act in cases where there has been a violation of the New Hampshire Consumer Protection Act (CPA), RSA 358-A. Violations of the CPA occur when the State can prove that the defendant’s unfair or deceptive actions were purposeful and not merely reckless or negligent. Further, the State must show that the defendant’s actions ‘attained a level of rascality that would raise the eyebrow of someone inured to the rough and tumble world of commerce.’”
The paralegal who sent the letter added, “Although the Bureau is unable to take action in this matter, you may wish to explore all available private remedies with your own attorney.”
Kennedy did just that, following up on Dec. 9 with a nearly 17,000-word document that cited the law and how the unauthorized data collection reached the “level of rascality” required for legal action.
When contacted about the document, Assistant Attorney General Warren Cormack wrote, “The Consumer Protection and Antitrust Bureau can confirm that it received the documentation mentioned in your December 20, 2024, email. It would be premature to discuss the document because the Bureau has not yet had an opportunity to review it in full. As a general practice, the Bureau does not provide updates on open consumer complaints or investigations.”
The basis of Kennedy’s concern is that personal data has value. Stellantis, a multinational automotive manufacturing company representing 14 automotive brands, places the value of the data on its books at $588.24 per titled owner. Yet those purchasing vehicles are not compensated for that data and are not even informed that it is being collected.
Jen Caltrider, Misha Rykov and Zoë MacDonald, researchers for Mozilla’s Privacy Not Included research, found that “every car brand we looked at collects more personal data than necessary and uses that information for a reason other than to operate your vehicle and manage their relationship with you.”
In following up on his initial complaint to the Department of Justice, Kennedy spelled out how that “theft” of data has led to uncollected taxes that could help solve New Hampshire’s budget challenges.
In making his case, Kennedy claimed that third parties who purchase the data have no legitimate interest in it. Neither car dealers nor insurance agents are responsible for the problem,” he said..
Kennedy goes on to argue, “Let’s just say 200 million vehicles are connected.” Using an even 200 million vehicles with data valued at $544 per vehicle, that would equal almost $109 billion in data value “that is being taken from the Titled Owners of the vehicles without compensation.”
Casting that amount as short-term capital gains, with a tax rate of 24%, “that means that the government is not getting paid $26,112,000,000 in taxes,” Kennedy said.
Laying out the legal case for action, Kennedy argues that the data extraction from a titled vehicle represents unauthorized taking and an intent to deprive, because the data is used for profit, resale or other unauthorized purposes.
Digital data qualifies as property under RSA 637:2(I). Thus, “Since the vehicle is titled by the state of New Hampshire, both the physical and digital aspects are legally recognized property,” he says. “The theft of digital data undermines the state’s authority and the owner’s rights.”
The New Hampshire Legislature, with an endorsement by the Attorney General’s Office, amended RSA 507-G to include the expectation of privacy. That law went into effect on Jan. 1.
“Accessing personal data generated by a vehicle without consent infringes on a consumer’s reasonable expectation of privacy and control over their property,” Kennedy writes. “If the vehicle manufacturer (OEM) or third party misrepresents how data is collected, stored or used, this constitutes a deceptive practice under RSA 358-A:3. … Given the sensitive nature of vehicle-generated data (location, usage patterns, driving habits), unauthorized access is sufficiently egregious to warrant investigation.”
Thomas P. Caldwell, owner of Liberty Media, lives in Bristol.
