
UPDATE: Two more Congress members ask FTC to investigate alleged consumer data selling by automakers
By onLegal
U.S. Sens. Ron Wyden and Edward J. Markey have asked the Federal Trade Commission (FTC) to investigate automakers’ alleged disclosure of driving data from millions of American consumer vehicles to data brokers.
The letter follows a New York Times investigation earlier this year that exposed how driver behavior data was collected by General Motors, Honda, and Hyundai then sold to the insurance industry.
“If the FTC determines that these companies violated the law, we urge you to hold the companies and their senior executives responsible,” the senators wrote.
Wyden’s office confirmed with General Motors, Honda, and Hyundai that they shared driver data such as acceleration and braking data with broker, Verisk Analytics, according to the letter. GM also confirmed that it disclosed customer location data to two other companies, which it refused to name.
“One of the company’s products, which it shut down in April 2024 following New York Times’ reporting, scored drivers on their safe driving habits using data from internet-connected cars,” the senators wrote in their July 26 letter.
“Automakers shared drivers’ data with Verisk, which mined it to prepare Driving Behavior Data History Reports. Verisk sold these reports to auto insurance companies and also provided automakers with some of this information, including a driving score and safe driving suggestions, to provide to their customers.
“GM and Honda confirmed that they required consumers to enroll in a specific voluntary program, in which Verisk’s role was obscured, before sharing their data. Hyundai enrolled all consumers who activated their new car’s internet connection into the company’s driving score program, which included sharing their data with Verisk.”
That program by GM is Smart Driver, which the senators say the opt-in disclosure didn’t inform consumers that their driving data would be shared with data brokers and resold to insurance companies.
GM declined to confirm to the senators how many cars’ data it shared with data brokers; the New York Times reported 8 million. GM did, however, confirm that it shared data with Verisk from 2015-2024 and with LexisNexis Risk Solutions from 2018-2024.
GM also confirmed to Wyden’s staff that it shared location data on all drivers who activated the internet connection for their cars, even if they didn’t enroll in Smart Driver. The only way to opt out was to disable the internet connection, the letter states.
Following the original publication of this article, GM reached out to Repairer Driven News with the following statement:
“We share the desire to protect consumers’ privacy while enhancing safety and preserving innovation. We vehemently deny the assertion that we coerced consumers into enrolling in Smart Driver. Each consumer was given choice at the time of enrolling and throughout the life of the product. To be clear, we established the Smart Driver product to promote safer driving behavior for the benefit of customers who elected to participate. Data was only shared with an insurer if a customer initiated a quote directly with their chosen carrier and provided a separate consent to that carrier.
“As is common industry practice, we share de-identified data not associated with specific drivers or vehicles with select partners for purposes that include enhancing city infrastructure and road safety for pedestrians, cyclists, and drivers.”
Concerning Honda, the senators found out that between 2020 and 2024, it shared data with Verisk from 97,000 cars, and was paid $25,920, or 26 cents per car. Honda did so without informed consent from consumers, according to the letter.
Drivers’ data wasn’t shared automatically. Verisk gained access through Honda’s Driver Feedback program.
“Honda asked consumers for consent for the company to track them so that it could determine the consumer’s driving score and their eligibility for insurance discounts,” the letter says. “Users who provided consent were then prompted to accept the company’s lengthy legal terms, in which Honda stated that Verisk would receive the consumer’s data. However, Honda buried the disclosures about its business relationship with Verisk, which did not appear on the first page and were not likely to be seen by many consumers.”
Between 2018 and 2024, the senators found that Hyundai supplied data to Verisk from 1.7 million vehicles and was paid more than $1 million, or 61 cents per car. Hyundai also didn’t get informed consent from consumers to share their data, according to the letter.
Hyundai confirmed to the senators that it shared consumer data with Verisk by default when internet connectivity was enabled through automatic enrollment in its Driving Score program.
GM, Honda, and Hyundai also allegedly deceived consumers by exclusively advertising its safe driver programs as a means to lower their insurance bills, without revealing that some insurers might charge some drivers more based on their telematics data, the letter states.
“Verisk officials confirmed to Sen. Wyden’s office that the company’s contracts with automakers and insurers did not require that driver telematics data only be used to provide discounts.
“…The problematic practices we have uncovered and documented in this letter are likely just the tip of the iceberg… The FTC has already taken action against data brokers that have committed unfair and deceptive acts or practices by selling location data obtained without consumers’ informed consent. Although two cases this year involved location data collected from smartphone apps, the same principle applies to location data collected from internet-connected cars.”
The Associated Press reports that, in an email, GM denied that it deceived customers into enrolling in the data-sharing program with Verisk.
Data-sharing partnerships with Verisk and LexisNexis were canceled in March, and Smart Driver ended in June, according to the AP.
“In a statement, Hyundai said the senators’ letter mischaracterizes its data policies and that it has safeguards to make sure customers agree to sharing driving information with insurers,” the article says.
Honda also said that without a clear second opt-in by the customer when they were offered insurance discounts no identifiable information was shared with any insurance company, according to the AP.
U.S. Rep. Debbie Dingell (D-Michigan-District 6) spoke during a recent House Energy and Commerce Committee hearing, urging the FTC to investigate and questioning FTC Chair Lina Khan.
“We must focus on ensuring consumer data collection is minimized and that only necessary data is collected, used, retained, and transferred,” she said. “Building consumer trust requires building robust protections for sensitive data and stringent enforcement mechanisms for when those protections are violated. As vehicles become increasingly connected and capable of collecting vast amounts of data, it is essential to understand the implications of the potential privacy risks associated with this technology and its impact on consumers.”
Dingell noted that she and Ann Kuster (D-New Hampshire-District 2) had already written to the FTC to express concerns about automaker data privacy practices.
“I think the American people have no idea how much of their privacy is being given away, and until they read in the New York Times, that car companies were giving their data to insurance companies and it was hiking up their prices. It wasn’t real and it didn’t cost them money,” Dingell said.
Kahn called it a major issue and said the FTC is tracking privacy practices closely while hinting at an ongoing investigation that hasn’t been made public.
“I think across the board people have been waking up to the reality that unfortunately their precise geolocation is not only being collected and tracked by private companies but oftentimes is being trafficked; being bought and sold including to foreign adversaries and companies around the world,” she said.
“More generally, the FTC has been very focused on categories of sensitive data. That includes health data and geolocation data. Through our enforcement actions, we have made clear that there has to be a presumption against selling this sensitive data.”
In a December 2023 memo, the Alliance for Automotive Innovation (Auto Innovators), which represents most automakers, wrote that vehicle telematic data supports the proper functioning of a vehicle and its onboard computer systems.
“It produces information that affirmatively improves safety, can help support compliance with government safety rules, and enables a range of (optional) connectivity and personalization features for customers,” the memo says. “Yes, your vehicle is generating and transmitting certain safety data. That’s by design. No, your car isn’t spying on you.”
According to a voluntary 2014 “Consumer Privacy Protection Principles” agreement automakers are prohibited from using sensitive vehicle data for marketing purposes or sharing it with third parties without consent. The agreement was last reviewed in 2022.
“These principles are in effect today and enforceable by the Federal Trade Commission (FTC)… The auto industry also continues to support Congressional enactment of a federal privacy law with consistent protections for consumers across the country and consistent rules for automakers that build a product operating across state lines,” the memo says.
In March of this year, the Future of Privacy Forum (FPF) released a report that explained how safeguarding driver privacy and data protection will be critical to ensuring widespread acceptance of new safety technology in vehicles.
Privacy implications of vehicle safety systems explored by FPF include advanced driver assistance systems (ADAS) and driver monitoring systems (DMS) as well as impairment detection technologies.
Image
Featured image credit: Peter Carruthers/iStock