The road to driver-privacy hell is paved—and paid for—in nickels, dimes and pennies, courtesy of driver data that car makers sell to data brokers without their customers’ consent, according to new findings from two Democratic lawmakers.Sens. Ron Wyden (D.-Ore.) and Edward J. Markey (D-Mass.) today asked the Federal Trade Commission to investigate how automakers collect and disseminate this information.Previously, the two lawmakers and their staffers investigated how manufacturers took data about how their customers drive and sold it to third parties who then marketed it to insurance agencies that used it to jack up rates for some customers. This time, they put prices on this information aftermarket as found in two automakers’ transactions with a data broker named Verisk:Hyundai sold data from 1.7 million cars for $1,043,315.69, amounting to 61 cents per vehicle;Honda sold Verisk data from 97,000 cars for $25,920, just 26 cents each.The investigation also covered GM’s practices but did not yield numbers of cars or data prices. It further found that all three used misleading “dark pattern” interfaces to coax drivers to sign up for having their vehicles record data about driving practices—for instance, when they accelerated or braked sharply—without disclosing who else would get that information and how those third parties might use it against them. “Companies should not be selling Americans’ data without their consent, period,” the senators wrote in a letter to FTC chair Lina Khan (PDF). “But it is particularly insulting for automakers that are selling cars for tens of thousands of dollars to then squeeze out a few additional pennies of profit with consumers’ private data.”The letter asks Khan, who has been a critic of for-profit privacy abuses and a skeptic of corporate power since President Biden appointed her in June 2021, to investigate these practices as examples of the unfair and deceptive conduct the FTC was created to police.The letter adds that even at the state level, few safeguards prevent insurance agencies from using this telematics data, citing an unnamed “national expert at an insurance industry trade association.” Only Louisiana and Montana ban using it to raise premiums, while California limits its application to verifying customers’ mileage.
Some of the privacy-option screens you can see setting up a Honda CR-V. (Credit: Sens. Markey and Wyden)
The letter wraps up with an appendix featuring screen grabs of the sign-up experiences with GM, Honda, and Hyundai, as well as an email from GM’s executive director of federal affairs saying that “we are taking a very hard, serious look at our privacy program.”After publication, GM provided a statement supporting the senators’ privacy priorities while contesting their description of its user experience.“We vehemently deny the assertion that we used ‘manipulative design techniques’ to coerce consumers into enrolling in our product,” it read in part. “Each consumer was given choice at the time of enrolling and throughout the life of the product, which was discontinued in June 2024.” (New York Times privacy reporter Kashmir Hill, who had uncovered this data collection in March, wrote in April that she had not realized it was ongoing in the Chevy Bolt that she and her husband had bought in December.) The statement also said that GM follows “common industry practice” in sharing “de-identified data not associated with specific drivers or vehicles with select partners for purposes that include enhancing city infrastructure and road safety for pedestrians, cyclists, and drivers.”
Recommended by Our Editors
For at least a decade, privacy advocates have been warning about the potential for misuse of all of the data vehicles can now collect and then transmit back to manufacturers via built-in cellular connectivity. For example, in 2015 Markey published a report warning of security risks in this category of vehicles. In September of last year, the Mozilla Foundation published a report denouncing the industry’s habit of publishing opaque and open-ended “privacy” policies. And in April, Markey and Wyden documented how car companies have given this data to law-enforcement investigators who had not obtained search warrants.The duo’s report Friday notes one small improvement on that last front: Volvo now requires a warrant before turning over car location data to police, joining GM, Ford, Stellantis, Honda, and Tesla. An updated version of their chart (PDF) shows that Tesla remains the only firm with a policy of telling customers when it provides their data. Markey and Wyden’s digital-privacy activism contrasts with the continued apathy of Congress as a whole. Year after year, the legislative branch has failed to enact a comprehensive privacy bill that could ban this kind of surreptitious harvesting and resale of data, and 2024 now looks all but assured to continue that streak. Editors’ note: We updated the post with a statement from GM.
Get Our Best Stories!
Sign up for What’s New Now to get our top stories delivered to your inbox every morning.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
