As cars become more technologically complex, they are increasingly able to gather information on drivers and their habits. Some metrics are what drivers are used to and often appreciate—such as fuel efficiency. But newer vehicles can also collect detailed data on how drivers behave—such as instances of rapid acceleration and braking or even location data.
How companies can use collected data like this is typically subject to privacy agreements included in terms and conditions at the time of purchase. Privacy agreements are typically long, expansive, and written in legalese, meaning when consumers read them—though they rarely do—it is unclear exactly what data is being collected, how it is being used, and, often, to whom it is being sold. Consumers often take it for granted that products like social media platforms collect and sell their data but may not expect that a product like their car is also collecting and storing their personal data.
In September of 2023, the Mozilla Foundation, a data privacy-focused non-profit, published a report on the data privacy practices of 25 automakers as part of their *Privacy Not Included series. After some tire-kicking, Mozilla labelled the auto industry the “worst product category” they had ever reviewed. The report brought forth an issue that has since drawn the interest of multiple government regulators and spurred multiple lawsuits in federal courts. (See the Mozilla report for details on what data is collected and how.)
Mozilla’s report raised eyebrows in Congress. In December, Senator Ed Markey (D-MA), who sits on the Subcommittee on Consumer Protection, Product Safety and Data Security, asked 14 automakers doing business in the US to clarify their data collection policies. After lackluster responses from automakers, Sen. Markey sent a letter to the Federal Trade Commission asking it to investigate their data collection and privacy practices. (Read the letter and the responses from automakers)
In mid-May, the FTC released a blog post focused on data-rich vehicle manufacturers that reminded them that misuse of sensitive data will result in FTC action. The post referenced several recent situations where the FTC acted on misuse of data like geolocation by companies in other industries. While the notice did not announce any official actions or investigations, it was a strong reminder that corporate abuse of consumers’ private data will not go unnoticed. (Read the FTC’s post) The Federal Communications Commission also released a notice of proposed rulemaking in April related to automobile data collection that would prevent victims of domestic abuse from having their connected vehicle data exploited by abusers, underscoring the need for robust data privacy practices. (See the rulemaking proposal)
Federal regulators may not have yet acted formally, but the drivers whose data is at risk have launched legal action against carmakers. In March, the New York Times reported General Motors had sold highly detailed and personalized driving data to third parties, including insurance companies, without drivers’ consent. (See the whole article.)
Multiple lawsuits in federal court, including some class action suits, have followed, claiming GM distributed driving data to two consumer credit reporting agencies who do business with auto insurance companies without the consent of vehicle owners. GM ran an opt-in program called OnStar Smart Driver which claimed to provide “customers with information about their driving behavior to help them maximize their vehicle’s overall performance, reduce vehicle wear and tear and encourage safer driving.” Consumers who enrolled in the program and subsequently sued GM say the terms and conditions did not give GM permission to give their data to insurance companies, and, in at least one case, say GM shared data even though they were never part of the program at all.
If true, these allegations would mean reckless misuse of drivers’ personal data by automakers for profit, underscoring the need for regulators and lawmakers to act to protect the privacy of consumers and rein in unfair practices.