A new report by Consumer Watchdog calls OEMs and others “data miners” that are monopolizing personal information obtained by vehicles for profit and accuses California Insurance Commissioner Ricardo Lara of “privately working with insurance companies on a proposal to allow electronic surveillance.”
“Connected Cars and the Threat to Your Privacy,” written by Consumer Watchdog’s Justin Kloczko, cites a 2018 study by the Harvard Journal of Law & Technology that found vehicle owners often unknowingly sign away ownership of the collected data when they purchase a new vehicle. Kloczko didn’t respond to an interview request from Repairer Driven News by the publication deadline.
An investigation by Consumer Watchdog into Lara’s alleged dealings with insurers includes a recording of a December meeting in Sacramento with telematics company Root Insurance.
“Root’s VP of Government Affairs said, ‘Yes, so we have a lot of conversations with commissioner Lara in California,’” Kloczko’s report states. “‘He is supportive of what we’re doing. He has asked us to go back and do a couple of things for him before he makes this move. He has asked us to, number one: build a coalition of partners so when he makes this move, he has support. If there is criticism he will have coalition of partners to say, ‘No, this is a good thing’ … We’re building a coalition of partners in California, including the Hispanic Chamber of Commerce to have his back, give him the political cover when he makes this move. … We’re grateful for his support and we’re working behind the scenes to provide everything we can as political cover for him.’”
According to the report, Root Insurance wants to incorporate speed and braking data into determining insurance rates, based on comments Consumer Watchdog says the company has made and has discussed with Lara. California Department of Insurance Communications and Press Relations Deputy Commissioner Michael Soller told RDN the report is “fictitious.”
“California’s rules on telematics are clear and Commissioner Lara will not bend on protecting consumer data, privacy, and fair rates,” Soller said. “The Department of Insurance continues to uphold and implement the consumer protections set forth in voter-enacted Proposition 103 and, since 2009, California has allowed vehicle data only to determine actual miles driven, and only in a way that protects the driver’s privacy.”
Kloczko notes in the report that The New York Times reported in 2019 there isn’t a way to opt out of data collection in cars like there is with smartphones.
“However, California is poised to be the first in the nation with an ‘opt-out’ for precise geo-location that is set to take effect under the California Privacy Rights Act (CPRA) by 2023, when the newly-formed California Privacy Protection Agency issues rules in 2022 to allow for it under the CPRA – a ballot initiative passed by the voters in 2020 as Proposition 24.”
According to the report, the Alliance for Automotive Innovation (AAI), which represents many major auto manufacturers, is lobbying the California Privacy Commission to stop the opt-out.
On its website, AAI states, “[Vehicle] Owners can opt out of subscription-based services or choose not to contract with certain vendors who seek access to various types of data.” It also states their 20 “Auto Innovator” OEM members “meet or exceed commitments contained in the Consumer Privacy Protection Principles for Vehicle Technologies and Services,” and are “providing customers with clear, meaningful information about the types of information collected and how it is used [and] obtaining affirmative consent before using geolocation, biometric, or driver behavior information for marketing and before sharing such information with unaffiliated third parties for their own use.”
By 2023, 95% of new cars will be connected, meaning they’ll be “online computers on wheels,” the report states. “And personal car data is the new gold rush of the auto industry.” OEMs named in the report include General Motors, Ford, Toyota, Nissan, and Tesla.
A 2017 U.S. Government Accountability Office study found that “all 13 selected automakers’ written privacy notices were easily accessible, but none was written clearly” and none said they were “sharing or selling data that could be linked to a consumer for unaffiliated third parties’ use.” The OEMs that were selected for the study aren’t revealed in the document.
However, Consumer Watchdog argues that “…car companies basically reserve the right to do whatever they want with your data: to track, market products, and manipulate your insurance rates. A future where targeted ads pop up on your dashboard is not far off.”
The report also states, “As long as a car has some version of connected services, such as an OnStar, it will collect data.”
The consumer group’s top concern, according to the report, is the ability of connected cars to pinpoint users’ geolocation, meaning the use of data to determine where they are located. “Cars record geolocation every few minutes, some every few seconds. Companies acquire our location by lulling us in via the cloak of safety. A car may ask if a driver would like to share his or her information with emergency responders. Who is going to say no to that?” asks Amico, the founder of Privacy4Cars. “The problem is your information is not only being used for emergency response purposes, but for an array of other uses unrelated to safety.”
It’s not just automotive OEMs that collect data via connected cars, according to the Federal Trade Commission, as cited in Consumer Watchdog’s report. “Many different entities will collect data from connected vehicles, ‘including car manufacturers, manufacturers of ‘infotainment’ systems, third parties that provide peripherals that plug into ports on cars, and auto insurance companies.’”
Automotive technology supplier Aptiv and connected vehicle startup Wejo are named in the report as companies that reap profits from the data that’s collected. Software company Telenav is also noted in the report as saying “there is a large opportunity to capitalize on the $212 billion commuters spend while driving” through in-car advertising software, according to a Wards Auto article.
“…Aside from cars recording your every move, people also unknowingly surrender their personal data by simply making an in-car call, connecting to Spotify, or even just charging their phone.”
And by 2030, consulting firm McKinsey & Co. estimates automotive data could be a $400 billion industry, Kloczko wrote.
“While data is utilized in a number of ways to the consumer’s advantage, such as locating a car after an accident or helping relieve traffic congestion, the financial incentive that comes from having such a massive trove of personal information is also a slippery slope. Tracking your location for emergency purposes doesn’t mean manufacturers have the right to sell or share that information for something else. Many companies say their data is anonymized, meaning it’s not attributable to a person’s identity. But is it really anonymized?”
Consumer Watchdog says no and that “there is no such thing as ‘anonymized data.’”
“Anonymized data, when paired with other data points such as credit card usage, can be used to identify you and target you, according to car technologists and privacy advocates interviewed by Consumer Watchdog,” the report states.
The group has found that collected data is also used by governments and police for “police state surveillance and mass surveillance” under the guise of “public safety and mass transportation.”
“This poses a huge risk for constitutional protections against unreasonable searches,” the report states.
Progress is being made in California to protect consumers’ data under the CPRA, with a major part of the law going into effect next year that “enshrines consumers with new rights over a new subset of data deemed ‘sensitive personal information,’” according to Consumer Watchdog. “The law will allow consumers to ‘opt out’ of their data being shared or sold, as well as requesting access to personal information collected, with the option to delete or modify it.”
According to Consumer Watchdog, the CPRA also provides:
- The option for consumers to correct personal information held by a business, such as an automotive OEM, which the AAI is against;
- Access to information about automated data decision-making;
- Limitations on the use and dissemination of sensitive personal information by businesses for “secondary” purposes, such as sharing with third parties, absent certain exemptions;
- A requirement that businesses have third parties delete personal information shared with them; and
- Regulation of advertising based on personal information.
The five-member California Privacy Protection Agency (CPPA) is tasked with implementing and enforcing the CPRA. Consumer Watchdog expects that CPPA will determine whether or not geolocation is considered sensitive personal information. The CPPA is currently undergoing a rule-making process.