Senators Ron Wyden a Democrat from Oregon, and Edward Markey, a Democrat from Massachusetts, want the Federal Trade Commission (FTC) to investigate how car companies collect data and punish them if theyâve violated the law. The two senators called on the commission to look into auto manufacturers in a July 26 letter to FTC Chair Lina Khan.
New cars are a data privacy nightmare. Hyundai, GM, Honda, and other manufacturers outfit their vehicles with sensors that gather reams of telemetric data which is then sold on to third-party brokers. In April, a New York Times investigation into GM revealed how widespread the privacy violations are.
According to the letter, Wydenâs office contacted GM to figure out what the hell was going on.
âGM failed to obtain informed consent from consumers before sharing their data, and used manipulative design techniques, known as dark patterns, to coerce consumers into enrolling in its Smart Driver program, according to information the company provided Senator Wydenâs office,â the letter said.
If youâre alive and online then youâve dealt with dark patterns before. Itâs when a company uses deceptive practices to trick you into agreeing to something you normally wouldnât. A GM car prompts new drivers to enroll in its Smart Driver program by telling them theyâll get emails about safety reports or their car alarm going off. When they agree, theyâre also agreeing to let GM sell their data.
But not enrolling in GMâs Smart Driver program wonât save you.
âGM also confirmed to Senator Wydenâs staff that it shared location data on all drivers who activated the internet connection for their GM car, even if they did not enroll in Smart Driver,â the letter said. âThese disclosures of location dataâto other, unnamed third parties â have been going on for years.â
Two of the big companies buying customer data are LexisNexis Risk Solutions and Verisk, data brokers that work with insurance companies. The data is a valuable resource for insurance companies that provide information about a driverâs habits on the road to adjust their premiums. Often, this leads to people paying more for insurance than they would if their car werenât spying on them.
GM said it would break off its relationship with LexisNexis following the New York Times story, but it still has a relationship with other data brokers. And the car manufacturers are cagey about who, exactly, theyâre selling peopleâs data to. Using telematic data to raise insurance rates is illegal in Louisiana and Montana. In California, companies can only use it to verify mileage.
âDetermining if insurance companies in fact used telematics data sold by Verisk to raise premiums, as opposed to using this data solely for discounts, would require a manual review of insurance industry filings to state insurance regulators, which are not easily searchable,â the letter said.
According to Wyden and Markey, this stuff is âlikely just the tip of the iceberg.â
Wyden and Markey want the FTC to investigate Honda, Hyundai, and GM to get a grip on how bad this problem is.
âGiven the high number of consumers impacted, and the outrageous manipulation of consumers using dark patterns, the FTC should also hold senior company officials responsible for their flagrant abuse of their customersâ privacy,â it said.
GM pushed back in a statement to Gizmodo. “We share the desire to protect consumersâ privacy while enhancing safety and preserving innovation. As a reminder, the Smart Driver product ceased to exist in June 2024. We vehemently deny the assertion that we used âmanipulative design techniquesâ to coerce consumers into enrolling in Smart Driver. Each consumer was given choice at the time of enrolling and throughout the life of the product,” it said. “To be clear, we established the Smart Driver product to promote safer driving behavior for the benefit of customers who elected to participate. Data was only shared with an insurer if a customer initiated a quote directly with their chosen carrier and provided a separate consent to that carrier. As is common industry practice, we share de-identified data not associated with specific drivers or vehicles with select partners for purposes that include enhancing city infrastructure and road safety for pedestrians, cyclists, and drivers.“
The letter comes on the heels of a July 19 report from the Congressional Research Service about who is allowed to access a carâs telemetric data. Often car companies will not allow customers to access the telemetric data they generate and sell on to third parties. The REPAIR Act, a new bill working its way through Congress, would change that.
The FTC has been aggressive about consumer protection under Khan. It supported right-to-repair legislation and recently signaled itâs interested in taking on auto manufacturers over their data collection practices.
âThe easiest way that companies can avoid harming consumers from the collection, use, and sharing of sensitive information is by simply not collecting it in the first place,â the FTC said in a May blog post.
UPDATE 7/29/24: This story has been updated with information about the CRS report and a statement from GM.
