General Motors (GM) is banned for five years from disclosing consumers’ sensitive geolocation and driver behavior data to consumer reporting agencies in an consent agreement agreed to with the Federal Trade Commission (FTC).
In its complaint, the FTC had alleged GM used a misleading enrollment process to get consumers to sign up for its OnStar connected vehicle service and the OnStar Smart Driver feature. GM failed to clearly disclose that it collected consumers’ precise geolocation and driving behavior data and sold it to third parties, including consumer reporting agencies, without consumers’ consent.
Under a proposed order, GM is prohibited for five years from disclosing consumers’ sensitive geolocation and driver behavior data to consumer reporting agencies. They also must take other steps to provide greater transparency and choice to consumers over the collection, use, and disclosure of their connected vehicle data. This is the FTC’s first action related to connected vehicle data.
Khan Comment
“GM monitored and sold people’s precise geolocation data and driver behavior information, sometimes as often as every three seconds,” FTC Chair Lina M. Khan said in a statement announcing the agreement. “With this action, the FTC is safeguarding Americans’ privacy and protecting people from unchecked surveillance.”
When consumers bought a GM vehicle, they were encouraged to sign up for OnStar and its Smart Driver feature, which they were often told would be used to help them assess their driving habits.
FTC Allegations
The FTC alleged, however, that GM’s enrollment process for the data collection for both its OnStar service and Smart Driver feature was confusing and misleading. In fact, some consumers were unaware that they had been signed up for the Smart Driver feature, according to the complaint.
In addition, GM failed to clearly disclose to consumers the types of information it collected through its Smart Driver feature, including that their geolocation and driving behavior data—such as every instance of hard braking, late night driving, and speeding—would be sold to consumer reporting agencies.
These consumer reporting agencies used the sensitive information GM provided to compile credit reports on consumers, which were used by insurance companies to deny insurance and set rates.
Proposed Order
The proposed order would prohibit GM and OnStar from misrepresenting information about how they collect, use, and share consumers’ location and driver behavior data. Additional provisions of the proposed order require GM and OnStar to:
- Not disclose covered driver data to consumer reporting agencies: GM and OnStar are banned from disclosing consumers’ geolocation and driver behavior data to consumer reporting agencies for five years from the date the order is entered
- Obtain consent prior to collection: The companies must obtain affirmative express consent from consumers prior to collecting connected vehicle data
- Allow consumers to obtain and delete their data as well as allow consumers to limit data collection from their vehicles that includes providing a way for consumers to opt-out of the collection of geolocation and driver behavior data
GM Response
In a written statement published on their site after the settlement was announced, the Detroit-based automaker noted the Smart Driver was discontinued across all GM vehicles, unenrolled all customers, and ended their third-party relationships with LexisNexis and Verisk. And they had previously consolidated many of our U.S. privacy statements into a single, simpler statement as part of our broader work to keep raising the bar on privacy.
“The FTC consent order includes new measures that go above and beyond existing law, while capturing steps we’ve already taken to establish choices for customer data collection and communications about how the information is used,” according to the written statement. “As part of the agreement, GM will obtain affirmative customer consent to collect, use, or disclose certain types of connected vehicle data (with exceptions for certain purposes). The duration of the agreement is 20 years.”
