Senators Expose Car Companies’ Terrible Data Privacy Practices
In a letter to the Federal Trade Commission (FTC) last week, Senators Ron Wyden and Edward Markey urged the FTC to investigate several car companies caught selling and sharing customer information without clear consent. Alongside details previously gathered from reporting by The New York Times, the letter also showcases exactly how much this data is worth to the car companies selling this information.
Car companies collect a lot of data about driving behavior, ranging from how often you brake to how rapidly you accelerate. This data can then be sold off to a data broker or directly to an insurance company, where it’s used to calculate a driver’s riskiness and adjust insurance rates accordingly. This surveillance is often defended by its promoters as a way to get discounts on insurance, but that rarely addresses the fact that your insurance rates may actually go up.
If your car is connected to the internet or has an app, you may have inadvertently “agreed” to this type of data sharing when setting it up without realizing it. The Senators’ letter asserts that Hyundai shares drivers’ data without seeking their informed consent, and that GM and Honda used deceptive practices during signup.
When it comes to the price that companies can get for selling your driving data, the numbers range wildly, but the data isn’t as valuable as you might imagine. The letter states that Honda sold the data on about 97,000 cars to an analytics company, Verisk—which turned around and sold the data to insurance companies—for $25,920, or 26 cents per car. Hyundai got a better deal, but still not astronomical numbers: Verisk paid Hyundai $1,043,315.69, or 61 cents per car. GM declined to share details about its sales.
The letter also reveals that while GM stopped sharing driving data after The New York Times’ investigation, it did not stop sharing location data, which it’s been sharing for years. GM collects and shares location data on every car that’s connected to the internet, and doesn’t offer a way to opt out beyond disabling internet connectivity altogether. According to the letter, GM refused to name the company it currently shares the location data with. While GM claims the location data is de-identified, there is no way to de-identify location data. With just one data point, where the car is parked most often, it becomes obvious where a person lives.
Car makers should not sell our driving and location history to data brokers or insurance companies, and they shouldn’t make it as hard as they do to figure out what data gets shared and with whom. This level of tracking is a nightmare on its own, and is made worse for certain kinds of vulnerable populations, such as survivors of domestic abuse.
The three automakers listed in the letter are certainly not the only ones sharing data without real consent, and it’s likely there are other data brokers who handle this type of data. The FTC should investigate this industry further, just as it has recently investigated many other industries that threaten data privacy. Moreover, Congress and the states must pass comprehensive consumer data privacy legislation with strong data minimization rules and requirements for clear, opt-in consent.