The Federal Trade Commission is taking action against General Motors (GM) and OnStar following allegations that they collected, used and sold precise driver geolocation data and driving behavior information on millions of vehicles – data which can be used to set insurance rates – although this is not adequate. inform consumers and obtain their affirmative consent.
Under a proposed order settling the FTC’s allegations, General Motors LLC, General Motors Holdings LLC and OnStar LLC, which are owned by General Motors Company, will be barred for five years from disclosing sensitive geolocation and security data. consumer driver behavior to consumer reporting agencies. . They must also take other steps to provide more transparency and choice to consumers when it comes to the collection, use and disclosure of data from their connected vehicles. This is the FTC’s first action regarding connected vehicle data.
In its complaint, the FTC alleged that Michigan-based GM used a deceptive sign-up process to trick consumers into signing up for its OnStar connected vehicle service and the OnStar Smart Driver feature. GM did not clearly disclose that it collected precise geolocation and driving behavior data from consumers and sold it to third parties, including consumer reporting agencies, without consumers’ consent.
“GM monitored and sold precise geolocation data and driver behavior information, sometimes every three seconds,” said FTC Chairwoman Lina M. Khan. “With this action, the FTC is protecting Americans’ privacy and protecting people from unchecked surveillance.”
GM has offered OnStar as a service that will help consumers in emergencies and provide hands-free voice assistance as well as real-time traffic and navigation. Over time, the company increased the amount of data collected through OnStar to include precise geolocation data, collected every three seconds for some users.
Tracking and collecting geolocation data can be extremely invasive of privacy, revealing some of the most intimate details of a person’s life, such as whether they have visited a hospital or other medical facility, and exposing their daily routines.
When consumers purchased a GM vehicle, they were encouraged to sign up for OnStar and its Smart Driver feature, which they were often told would be used to help them evaluate their driving habits. The FTC alleged, however, that GM’s registration process for collecting data for its OnStar service and Smart Driver feature was confusing and misleading. In fact, some consumers did not know they were enrolled in the Smart Driver feature, according to the complaint.
Additionally, GM did not clearly disclose to consumers the types of information it collected through its Smart Driver feature, including that their geolocation and driving behavior data, such as each instance of hard braking, night driving and speeding, would be sold to consumer information agencies. These consumer reporting agencies used sensitive information provided by GM to compile consumer credit reports, which were used by insurance companies to deny insurance and set rates.
Many consumers were unaware of these practices and complained to GM after discovering that their driving habits were being used by insurance companies to set their rates. For example, one consumer told a GM customer service representative, “When I signed up for this program, it was so OnStar could track me. They didn’t say anything about reporting it to a third party. Nothing. (…) You affect our results. I pay you, now you’re making me pay my insurance company more.
Proposed order
The proposed order would prohibit GM and OnStar from misrepresenting information about how they collect, use and share consumers’ location and driver behavior data. Additional provisions of the proposed order require GM and OnStar to:
- Do not disclose covered driver data to consumer reporting agencies: The proposed order would prohibit GM and OnStar from disclosing consumers’ geolocation and driver behavior data to consumer reporting agencies for five years from the date the order was entered.
- Obtain consent before collection: Companies must obtain express and affirmative consent from consumers before collecting data on connected vehicles, with some exceptions, such as providing location data to emergency first responders.
- Allow consumers to obtain and delete their data: Companies must create a way for all U.S. consumers to request a copy of their data and request its deletion.
- Allow consumers to limit data collection from their vehicles: Companies must also give consumers the ability to opt out of the collection of precise geolocation data from their vehicles if their vehicle has the necessary technology and provide consumers with a way to opt out of the collection of geolocation and driver behavior data , with a few exceptions. .
During a closed meeting, the Commission voted 3-0-2 to accept the proposed consent for public comment. Commissioners Melissa Holyoak and Andrew N. Ferguson were listed as absent.
The FTC will soon publish a description of the consent agreement in the Federal Register. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission files an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it believes that a proceeding is in the public interest. When the Commission issues a final consent order, it has the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744.
The lead attorneys on this case are Amy Teng, Breena Roos and Sarah Shifley of the FTC’s Northwest Regional Office.
