WASHINGTON — The top federal regulator for consumer protection is assuring the public that it’s looking at automakers and third-party brokers who capture and sell sensitive data.
The message from the Federal Trade Commission comes after outcry from U.S. Senators and a series of alarming New York Times reports about automakers — namely General Motors Co. — releasing consumer data without the customers’ knowledge.
“Car manufacturers — and all businesses — should take note that the FTC will take action to protect consumers against the illegal collection, use, and disclosure of their personal data,” the agency wrote in a recent blog post.
Modern connected cars gather mountains of data about drivers’ whereabouts, braking and acceleration habits, demographic information and more, raising concerns from consumers and advocates. The FTC does not publicly announce its investigations, but the statement suggests the regulator is attuned to growing worries as the data-collection technology inside vehicles improves and proliferates rapidly.
“If there’s any agency that can hold U.S. car-makers accountable for their terrible privacy practices, it’s them! This is definitely a step in the right direction for cars and privacy,” said the Mozilla Foundation, a nonprofit watchdog for data privacy, in a May 14 post.
A Mozilla report from September 2023 previously said that the “situation with cars and privacy is not good.” It labeled cars as “the worst category of products we have ever reviewed.”
“People don’t think about how much data they are generating,” U.S. Rep. Debbie Dingell, D-Michigan, said in an interview with The Detroit News. She added that the issue of companies using that data against them is no longer an abstract notion, referencing the New York Times reports: “People saw it really happened.”
“Anyone who thinks the Big Three can become big data should recalibrate their expectations — it will not be allowed. I’m encouraged that FTC Chair Khan has put the auto industry on notice that the agency will aggressively enforce the law to protect Americans’ rights,” said U.S. Sen. Ron Wyden, D-Oregon, an outspoken voice on data privacy issues.
“The public is justifiably outraged by recent press reports revealing that automakers have been tracking drivers and selling that information to sleazy data brokers, leading to higher insurance rates,” he added in a statement to The News.
Since the March New York Times investigation into GM’s data collection practices — which described the sale of driver behavior data that increased some consumers’ insurance rates — the automaker has since discontinued the use of its OnStar Smart Driver product. The company said in an April 24 press release it would unenroll all customers driving GM products, noting “this process will begin over the next few months.”
GM also terminated its partnerships with LexisNexis and Verisk, the data brokers who provided consumer information to insurance companies. Data sharing with those companies ended March 20.
The Detroit automaker also said it would enhance its privacy controls with the goal of increasing transparency. To help with that, GM hired Alisa Bergman as its chief trust and privacy officer.
“We take our customers’ data security and privacy very, very seriously,” GM CEO Mary Barra told The News in an interview last week. “We’re going to work hard to be very transparent and be very privacy-focused with our consumers, and (we) learned a lot of lessons in this, and we’ll get better.”
Lawmakers press for investigations, safeguards
The Mozilla report prompted U.S. Sen. Ed Markey, D-Massachusetts, to pen a December letter to automakers raising concerns about their data harvesting practices.
“Although certain data collection and sharing practices may have real benefits, consumers should not be subject to a massive data collection apparatus, with any disclosures hidden in pages-long privacy policies filled with legalese,” Markey wrote. “Cars should not — and cannot — become yet another venue where privacy takes a backseat.”
The senator was not satisfied with their responses and has stayed active on the issue, urging an FTC investigation in February after automakers “largely failed to answer important questions about whether they use the data for their own commercial benefit,” he said in a press release.
Markey, along with Wyden, called for yet another FTC investigation in late April after a probe from Wyden’s office revealed inconsistent policies from major automakers on data requested by or shared with law enforcement.
“Automakers have not only kept consumers in the dark regarding their actual practices, but multiple companies misled consumers for over a decade by failing to honor the industry’s own voluntary privacy principles. To that end, we urge the FTC to investigate these auto manufacturers’ deceptive claims as well as their harmful data retention practices,” the two Senators wrote in a joint letter to the FTC.
Targeting the issue more broadly, top lawmakers on the Republican-led House and Democrat-led Senate Commerce Committees jointly released legislation in April that aims to set the first-ever federal standard for comprehensive data privacy. The proposal — as summarized by the nonpartisan Congressional Research Service — would direct the FTC to create a new bureau dedicated to data privacy and give the agency new powers to penalize rulebreakers and fine-tune regulations over time.
Dingell said the proposal in its current form would not fully get at the issue of automakers selling data to third-party brokers, but she said she plans to pursue the issue: “I think the realness of the New York Times story has people willing to work with me.”
The FTC said last week that high-tech cars and related smartphone apps have been on its radar for years, highlighting reports and workshops it has held to explore the issue of vehicles collecting consumer data. But as the New York Times report and numerous lawsuits suggest, Washington has fallen behind in preventing automakers from participating in illegal — or at the very least unsavory — activities.
Consumers sue, GM backtracks
GM, OnStar, LexisNexis and Verisk are now facing class-action lawsuits over Smart Driver with several filed by Rochester attorney E. Powell Miller, founding partner of Miller Law.
Miller is heading to Salt Lake City for a May 30 hearing before the Judicial Panel on Multidistrict Litigation to advocate for the cases to be centralized in Detroit.
“We have excellent judiciary in Michigan who are experienced in cases involving automotive manufacturers as well as privacy rights,” Miller said in an interview. “And it’s a central location. It’s the headquarters of both General Motors and OnStar.”
Miller has an interest in both the auto industry and consumer privacy rights. He was “shocked” when a few years ago, he learned how widespread data collection is.
“This problem became a very high priority for me to pursue, and it’s just taken off,” he said, adding that his firm has received “many calls” from consumers upset about their driving data being collected and offered to insurance companies.
“You don’t expect when you buy a General Motors car that your data is being sent to your insurance company and then they use that to jack up your rates,” Miller said. “There are a lot of people who are very unhappy about this.”
He called GM’s decision to discontinue its partnerships with LexisNexis and other data collection companies a “baby step in the right direction.”
“Certainly, we applaud any effort to stop this,” he said. “And thank goodness we have lawyers to help deter this and to encourage companies to do the right thing, so it’s definitely a step in the right direction.”
But, he added, the firm wants to “make sure people are fully compensated. We want to understand exactly what happened. We want to learn the full extent of the data that was collected and transmitted. We want to learn how many victims there were, and we want to get folks fairly compensated and to prevent this from happening again.”
Powell’s clients include Karen and Melvin Drews from Concord near Jackson, owners of a 2019 Chevrolet Corvette they purchased in 2020. The Drews, according to the lawsuit filed May 3, did not know the sports car had OnStar or Smart Driver. They say they did not activate the Smart Driver service and “have no knowledge” of agreeing to share their driver data.
Also in 2020, the couple purchased a Buick Enclave and had a free trial OnStar subscription from March until June 2020 and then canceled the service, according to the lawsuit. Again, the Drews say in their lawsuit, they did not activate the Smart Driver service and do not recall agreeing to share their data.
In January 2024, the couple’s insurance agency told them their insurance rates would go up to $3,741.03 per year from $1,940.87 per year. When they asked why, the agency informed the couple “it was because of a credit pull” from LexisNexis, according to the lawsuit.
On April 30 this year, the Drews received an emailed notice from Chevrolet that the Smart Driver service would discontinue on June 26.
“This email came as a surprise to the Drews because until this time, they were unaware that the Corvette was even equipped with OnStar, let alone the Smart Driver feature that was tracking their every trip,” the lawsuit states.
“We are reviewing the complaints and have no further comment at this time,” GM spokesperson Malorie Lucich said in a statement about the lawsuits filed against the automaker.
When asked if GM was previously selling the driver data to LexisNexis and Verisk, Lucich said: “GM’s relationship with Lexis Nexis and Verisk was commercial, but the revenue to GM was de minimis. Rather, the purpose of sharing the data with Lexis Nexis and Verisk was to ensure the availability of driving data in the event the customer was interested in obtaining lower insurance rates with their insurer, which also required the customer to accept a third consent to enable their insurer to see their driving score and limited driving data.”
Where Ford and Stellantis stand
Crosstown rival Ford Motor Co. “provides customers with a choice as to whether or not they wish to share connected vehicle data with us,” Ford spokesperson Amy Mast said in a statement, adding customers may turn off connectivity using in-vehicle settings.
Ford previously announced exploratory partnerships with LexisNexis and Verisk and they “ended without launching any products, and we never shared any connected vehicle data with them,” Mast said.
Ford “does not sell any connected vehicle data to brokers, period,” Mast said, adding that the Dearborn, Michigan, automaker until recently “did support customers who wished to take advantage of usage-based insurance policies with their insurance carriers.”
The “opt-in experience” had customers first opt-in with their insurance company and again on a consent screen within their vehicle’s interface. This business was “small in scale,” so Ford phased out supporting usage-based insurance products, Mast added. Retail customers using the service will be phased out over the next 12 months.
In a statement, Stellantis NV spokesperson Eric Mayne said: “Any data collection we conduct is in accordance with applicable state privacy laws. We take very seriously the issue of data privacy and we welcome and support efforts by Congress to enact a comprehensive federal consumer privacy law.”
The Federal Trade Commission did not respond to a Detroit News inquiry about next steps it is considering to protect consumers’ privacy and financial welfare from vehicle data collection and illegal, or unwanted, use.
But it did offer a blanket, voluntary remedy for automakers in its post last week: “The easiest way that companies can avoid harming consumers from the collection, use, and sharing of sensitive information is by simply not collecting it in the first place.”
