General Motors – once a trusted symbol of American innovation – was outed last year for secretly collecting and selling drivers' detailed driving information without their consent, with its OnStar Smart Driver technology. Now the FTC has smacked GM with a settlement that we can live with.
In March of 2024, the New York Times put together a bang-up exposé on GM's data collection habit – everything from your exact geolocation, instances of hard braking, speeding, and even if you went for a late-night drive.
"It felt like a betrayal," Kenn Dahl told the New York Times. "They’re taking information that I didn’t realize was going to be shared and screwing with our insurance."
In addition to your gas and brake pedal habits, OnStar could collect and sell other data, like your seatbelt habits, or what station you're listening to on your factory-installed XM radio.
The sale of this information to companies like LexisNexis and Verisk – data brokers who would in turn resell that data to interested insurance companies and more – would often lead to insurance premium hikes or even outright denial of insurance to some people. Verisk, in particular, would aggregate trip data along with a "risk score" before selling it to insurance companies.
As the Federal Trade Commission put it in yesterday's press release, "GM failed to clearly disclose that it collected consumers' precise geolocation and driving behavior data and sold it to third parties, including consumer reporting agencies, without consumers' consent."
"GM monitored and sold people’s precise geolocation data and driver behavior information, sometimes as often as every three seconds," FTC Chair Lina M. Khan goes on to say. "With this action, the FTC is safeguarding Americans’ privacy and protecting people from unchecked surveillance."
It took almost a year, but the FTC is finally doing something about it.
In the very first connected-vehicle-data order by the FTC, GM "will be banned for five years from disclosing consumers' sensitive geolocation and driver behavior data to consumer reporting agencies."
They further ordered that the automaker must be more transparent about data collection in addition to making the opt-in-or-out choice clearer ... once the ban is over, of course.
That being said, the ban isn't quite final yet. While it was voted in at 3-0-2 (three for yes, zero nays, and two absent), the vote must sit in the Federal Register for 30 days before a final FTC ruling will be made.
GM isn't the only automaker to collect data without drivers' knowledge. other examples include Hyundai with its BlueLink service and Kia's Connect, which both face a class action lawsuit from August 2024, stemming from similar allegations.
In all, real-world data from about 14 million cars has been collected.
Indeed, this kind of behaviour seems to be the rule rather than the exception. The Mozilla Foundation – parent company to the Firefox internet browser – released a report in September of 2023, titled "It's Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy."
The company that advocates for transparency, privacy, and user control goes on to say "They collect too much personal data (all of them)," after reviewing 25 car brands.
84% of the vehicles they investigated share or sell your driving data. 76% of them sell your personal data. And if law enforcement makes a request (not even a warrant, just a request), over half of the auto manufacturers will share your information with them.
In Mozilla's very comprehensive report, Tesla ranked as the absolute worst privacy offender and is the only car company to receive "five stars" for checking every single metric Mozilla has to grade against. Only the AI chatbot Replika has ever received five out of five negative checkmarks prior to Mozilla's 2023 report.
While the order isn't set in stone, GM seems to have taken the situation seriously and issued a statement yesterday: "Respecting our customers' privacy and earning their trust is deeply important to us."
The company goes on to say it had already discontinued its Smart Driver program last year, unenrolling all of its customers, and terminating its "third-party telematics relationships with LexisNexis and Verisk."
What can you do about it? Stick to classic hotrods or other similarly "dumb" vehicles. And if you haven't done that, the damage may already have been done, depending on what and how you drive. However, GM was kind enough to include a tidbit of info at the end of yesterday's press release:
To exercise your privacy rights, visit GM’s US Consumer Privacy Request Form or call 1-866-MYPRIVACY (1-866-697-7482).
The FTC has its work cut out for it if it truly wishes to protect the privacy (and bank accounts) of drivers. I guess this is a start though.
Source: FTC
