In a follow-up to a privacy story we've been following closely, the Federal Trade Commission is taking action against General Motors and OnStar over allegations it collected, used and sold driver geolocation data and driving behavior info to insurance companies without notifying them and obtaining their consent. The FTC says GM and OnStar sold the data - which can be used to set insurance rates - from millions of vehicles.
In a press release, the FTC says as part of a proposed order that would settle the allegations, GM and Onstar will be banned for five years from disclosing consumers' sensitive geolocation and driver behavior data to consumer reporting agencies. They'll also be required to take other steps to provide greater transparency and choice to consumers over the collection, use, and disclosure of their connected vehicle data. The FTC says this is its first action related to connected vehicle data.
In its original complaint, the FTC alleged that Michigan-based GM used a misleading enrollment process to get consumers to sign up for its OnStar connected vehicle service and the OnStar Smart Driver feature. Federal regulators also say GM failed to clearly disclose that it collected consumers’ precise geolocation and driving behavior data and sold it to third parties, including consumer reporting agencies, without consumers’ consent.
“GM monitored and sold people’s precise geolocation data and driver behavior information, sometimes as often as every three seconds,” said FTC Chair Lina M. Khan. “With this action, the FTC is safeguarding Americans’ privacy and protecting people from unchecked surveillance.”
GM touts OnStar as a service that will help consumers during an emergency and provide hands-free voice assistance and real-time traffic and navigation. The FTC says that over time, the company has increased the amount of data it collects through OnStar to include precise geolocation data— which is collected every three seconds for some users.
The issue here is of course invading consumer's privacy. The FTC says tracking and collecting geolocation data can be extremely privacy invasive, revealing some of the most intimate details about a person’s life, such as whether they visited a hospital or other medical facility, and expose their daily routines.
The FTC says that when consumers bought a GM vehicle, they were encouraged to sign up for OnStar and its Smart Driver feature, which they were often told would be used to help them assess their driving habits. The FTC alleged, however, that GM’s enrollment process for the data collection for both its OnStar service and Smart Driver feature was confusing and misleading. In fact, it says some consumers didn't know they had signed up for the Smart Driver feature, according to the complaint.
In addition, federal regulators say GM did not clearly disclose to consumers the types of info the Smart Driver feature collected about them - including geolocation and driving behavior data—such as every instance of hard braking, late night driving, and speeding—and that the data would be sold to consumer reporting agencies. The FTC says these consumer reporting agencies used the sensitive information GM provided to compile credit reports on consumers, which were used by insurance companies to deny insurance and set rates.
The FTC says many consumers were unaware of these practices and that the issue came to light after some consumers found out their driving habits were being used by insurers to set their rates, and complained. The FTC cites this example: one consumer told a GM customer service representative that "when I signed up for this, it was so OnStar could track me. They said nothing about reporting it to a third party. Nothing. You guys are affecting our bottom line. I pay you, now you’re making me pay more to my insurance company.”
Proposed Order
Here are details of the proposed order that the FTC says would prohibit GM and OnStar from misrepresenting information about how they collect, use, and share consumers’ location and driver behavior data. Additional provisions of the proposed order require GM and OnStar to:
- Not disclose covered driver data to consumer reporting agencies: The proposed order would ban GM and OnStar from disclosing consumers’ geolocation and driver behavior data to consumer reporting agencies for five years from the date the order is entered.
- Obtain consent prior to collection: The companies must obtain affirmative express consent from consumers prior to collecting connected vehicle data, with some exceptions such as providing location data to emergency first responders.
- Allow consumers to obtain and delete their data: The companies must create a way for all U.S. consumers to request a copy of their data and seek its deletion.
- Allow consumers to limit data collection from their vehicles: The companies must also give consumers the ability to disable the collection of precise geolocation data from their vehicles if their vehicle has the necessary technology and provide a way for consumers to opt-out of the collection of geolocation and driver behavior data, with some limited exceptions.
Read the full press release here →
