The FTC’s Statements on Connected Vehicle Data
Connected cars have been on the FTC’s radar for years.[1] Its most recent blog post specifically highlights the Commission’s concerns regarding the over-collection, and the risk of secondary uses, of sensitive data, such as precise geolocation[2] and biometric information. Its recent enforcement actions show how the Commission will prioritize protecting consumers against the illegal collection, use, and disclosure of their sensitive personal data. The FTC notes that using sensitive data for automated decision-making can also be unlawful; using this data to build algorithms could create liability for harmful automated decisions. Further, secret disclosure of sensitive data can be an unfair practice.
The Recent Class Action Involving Data Sharing with Insurance Companies
On the litigation front, unfair vehicle data sharing practices are making a scene in federal court. In his complaint, Plaintiff Romeo Chicco claims General Motors (“GM”) and OnStar sold or shared his driving data without his knowledge or consent, significantly impacting his ability to find automobile insurance coverage. Once Mr. Chicco finally did find adequate insurance coverage, his rate nearly doubled based on information collected through OnStar’s Smart Driver Program and contained in a LexisNexis driver behavior report. In compiling his data, and preparing and using that driver behavior report, Mr. Chicco alleges LexisNexis violated the federal Fair Credit Reporting Act, while GM and OnStar violated Florida’s Deceptive and Unfair Trade Practices Act and invaded his privacy under Florida common law.
The complaint alleges a lack of transparency in and around how driver behavior data can be collected and shared. Mr. Chicco purchased a new 2021 Cadillac (in which OnStar is included as a standard component) from a dealership in Delray Beach, Florida. According to the complaint, the purchase agreement and related documents made no mention of OnStar, LexisNexis, data-sharing, or anything privacy-related. Representatives from the dealership told Mr. Chicco that the OnStar Smart Driver Program “wasn’t sold at the store,” and that OnStar “did not release information to a dealer regarding when and who signed up for the [data sharing] program.”
Notably, the complaint alleges that Mr. Chicco downloaded the MyCadillac mobile application soon after leaving the dealership and received a welcome email from Cadillac, which did not mention OnStar’s Smart Driver Program. Mr. Chicco’s billing statements did not include any purchases or payments for OnStar-related services, and neither the welcome email nor subsequent diagnostic reports he received via email mentioned data-sharing with third parties. All in all, Mr. Chicco alleges he was not given any reason to believe, whether through his interaction with the dealer or subsequent emails from GM or OnStar, that his vehicle data, or any driver behavior data, was being shared with third parties.
Fast forward two years, and the plaintiff had to look for new insurance and reached out to several providers. Mr. Chicco claims he was summarily denied coverage each time he attempted to purchase car insurance, ultimately learning the denials were based on information contained in his “LexisNexis driver behavior report.” He eventually received the report and discovered 258 recorded “driving events,” including sharp accelerations, hard braking, and high speeds, among other statistics.
Mr. Chicco inquired with LexisNexis and GM/OnStar, attempting to untangle how his data had been shared to create the driver report. None of the representatives he spoke with could tell him how he ever became enrolled in the Smart Driver Program. Mr. Chicco believes OnStar started sharing his data with LexisNexis after he downloaded the MyCadillac mobile application, even though he had neither given express consent nor enrolled in the Smart Driver Program.
Mr. Chicco eventually obtained OnStar’s SmartDriver FAQ, which confirmed that the OnStar Smart Driver program requires enrollment separate from other basic OnStar services, and that the program is not designed to collect the driving behavior data of its customers without their consent. Upon consent and enrollment, the vehicle will collect specific driving behavior data, including hard braking events, hard acceleration events, speeds over 80 miles per hour, average speed, late night driving, when a trip occurs, and the number of miles driven.
Usage-Based Insurance Is Not New; the Scope and Quantity of Data Collected from Vehicles Is.
Usage-based automotive insurance is not a new concept. The first usage-based insurance program was launched by Progressive Insurance Company in 1997. These programs were designed to assess driver risk based on miles driven: fewer miles, lower risk, lower insurance rate. Since the late 1990s, many insurance companies have followed suit. But today the calculation is more complicated; there are more factors that can be considered in whether someone exhibits “good” or “bad” driving behavior. Since 1997, telematics data and vehicle technology have evolved dramatically. The type of data that can be (and is) collected from a new vehicle (and potentially shared with insurance companies and other data brokers) is more sensitive, more personally identifiable, and in significantly greater quantities per vehicle than when these usage-based insurance programs first started.
Dealers Should Re-Examine Their Data Sharing Disclosure Practices at the Point of Sale
Vehicle data collection, and what dealerships know or don’t know about what OEMs are doing with customers’ data, can certainly harm the customer and may ultimately find its way back to harm the dealership in the form of an enforcement action or class action. While a dealer may be transparent with customers about what the dealership is doing with customers’ data, that same transparency may not exist between the dealer and OEM. The dealership may not be in the best position to provide customers with the most transparent, complete picture of how their data is being collected and shared at the point of sale.
The dealership where Mr. Chicco purchased his Cadillac is not named as a party in his class action, but Mr. Chicco’s allegations against GM and OnStar are intimately linked to his experience at the dealership, and his understanding of what he was signing up for at the time he purchased his vehicle. Mr. Chicco’s experience should serve as a warning to dealers of how a lack of transparency with respect to vehicle data can create an impression of deceptive trade practices, and also turn customers off from the brand. The New York Times article that originally broke this story references a “Palm Beach Cadillac owner” who “said he would never buy another car from GM. He is planning to sell his Cadillac.”[3] So not only does failing to disclose data sharing practices create legal risk under privacy and consumer protection laws; it’s also just bad business.
Recent State Laws Related Specifically to Vehicle Data and Connected Car Technology
Recent shifts in the U.S. privacy regulatory landscape with respect to vehicle data collection and sharing should make manufacturers and dealers reconsider whether they provide adequate transparency to customers regarding data sharing at the point of sale: are current practices good enough to meet the technological and regulatory moment?
Current consumer-oriented state privacy laws don’t deal directly with the types of vehicle data insurance providers are interested in: traditional “telematics” data. Vehicle history, brake data, speed, and hard accelerations aren’t the types of data defined as “personal” by the state privacy laws. Since 2023, state legislatures have been introducing vehicle-related privacy bills that focus on the types of data not typically dealt with in the state comprehensive privacy laws.
New Jersey, Tennessee, New York, and California have all passed or introduced legislation related specifically to vehicle data. These recent laws aim to enhance privacy protections related to in-car surveillance technologies, such as sensors, cameras, and even connected car applications that capture vehicle telematics and location data.
New Jersey enacted a law in January 2024 requiring dealers to delete consumers’ personal information from vehicles they sell or trade in.[4] It is likely the information implicated in this law consists of anything that could be stored in a vehicle infotainment system, or transferred to the vehicle via a Bluetooth connection. This could include navigation history, geolocation data, internet browsing history, text and voice communication records, and garage codes.
Tennessee proposed a law in January 2024 to develop a registry of drivers who do not want car companies to collect their data, which would require automakers to give drivers a right to opt out. In New York, a bill was introduced in the state Senate earlier this year that would update New York’s insurance laws to require automotive insurers to disclose how they factor telematics data into automotive insurance rates.[5] In California, several proposed bills consider connected vehicle issues. One, signed into law in October 2023, requires auto manufacturers to disclose the presence of in-vehicle cameras.[6]
In sum, the regulatory landscape for connected vehicle data is in a massive state of flux. Manufacturers and dealers can protect themselves by (1) understanding what data flows through vehicles and how; (2) providing increased transparency to customers at the point of sale; and (3) limiting their collection and use of personal data to what is necessary to provide the product or service.
[1] From its 2013 workshop on the Internet of Things, to the 2018 connected cars workshop, vehicle data collection is not a new concern for the Commission.
[2] Sensitive data, such as geolocation data, is subject to enhanced protections under the FTC Act.
[3] “Automakers are Sharing Consumers’ Driving Behavior with Insurance Companies,” Kashmir Hill, The New York Times, March 11, 2024, Updated March 13, 2024, available at https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html?searchResultPosition=2. Ms. Hill has published subsequent articles in a series of reporting on this story.
[4] The Governor of New Jersey signed Bill A4723 in January 2024. Montana and Kentucky have introduced similar legislation.
[5] See New York Senate Bill S553. The National Highway Traffic Safety Administration is also weighing rulemaking on what data protections to require for vehicle safety systems to monitor driver behavior.
[6] See California SB 286. Under this law, photos and videos collected or retained by an in-car camera may only be shared with a third party under certain conditions: where the user provides affirmative consent; where necessary to service or repair the in-vehicle camera; where necessary for the consumer to exercise their rights under the California Consumer Privacy Act; or where required in a court proceeding or following a valid request by law enforcement.