General Motors on Thursday said that it has reached a settlement with the FTC “to address privacy concerns about our now-discontinued Smart Driver program.”
Those concerns, articulated in the US watchdog’s formal legal complaint [PDF] against the car maker, are that GM “collected precise geolocation data from millions of Gen10+ OnStar vehicles through a particular task that collected and transmitted precise geolocation data every three seconds.”
OnStar is GM’s subscription-based, in-car communication service, sold to drivers for security, emergency services, navigation, and remote diagnostics. But according to the FTC, GM launched a program called OnStar Smart Driver in 2015 and subsequently struck deals with telematics analysis firms to provide those businesses with driver data.
The program allegedly provided driver behavior data at least since 2018, without informed consent, to partners Verisk and LexisNexis. That data, it’s claimed, ended up being used against those drivers – it was offered to car insurance companies and used to raise the rates of those deemed to be bad drivers – a determination that isn’t always accurate.
“Respecting our customers’ privacy and earning their trust is deeply important to us,” the car maker claimed in a statement Thursday. “Although Smart Driver was created to promote safer driving behavior, we ended that program due to customer feedback.”
An example of that feedback can be found in the FTC complaint.
GM says it discontinued its Smart Driver program last April, and “ended our third-party telematics relationships with LexisNexis and Verisk.” And in September, the manufacturer consolidated multiple privacy statements into a single document, to make the legalese perhaps a little easier to understand.
The proposed consent decree [PDF] – the draft settlement between GM and the FTC to avoid a court battle – forbids the automaker from disclosing geolocation and driver behavior data to consumer reporting agencies for five years.
The overall agreement, which lasts 20 years, also requires: Affirmative consent from drivers prior to collecting connected vehicle data, with exceptions for emergency services; letting folks obtain and delete their data – a service now through GM’s website; and ensuring that people can disable the collection of geolocation data and can opt-out of the collection of geolocation and driver behavior data, with exceptions for emergency services and legal compliance.
“Secretly collecting and sharing driver location data is a terrible practice that can cause real harm to unsuspecting consumers,” said Justin Brookman, director of technology policy at CR and a former policy director of FTC’s Office of Technology, Research, and Investigation, in a statement.
“We are encouraged that the FTC is taking action under existing consumer protection law to put a stop to it. But because of ambiguity in the law, the best way to avoid these types of abuses in the future is a strong and clear comprehensive privacy law that restricts unwanted data sharing by default.”
The proposed settlement is open to public comment for 30 days, after which the regulator will make a final decision. Bear in mind there will be a change in administration from Monday.
- Data broker leaves 600K+ sensitive files exposed online
- FTC scolds two data brokers for allegedly selling your location to the meter
- Biden’s antitrust crackdown on tech M&As may linger into Trump’s reign
- FTC scolds two data brokers for allegedly selling your location to the meter
Separately, GM was sued last August by Texas Attorney General Ken Paxton based on unlawful data collection allegations related to OnStar. That case continues and appears to be headed for trial. More recently, Paxton sued Allstate and its Arity subsidiary, alleging that the insurance biz had conspired with mobile app developers to get them to install the Arity SDK in order to gather driver data without consent.
Allstate maintains it obtained consent from drivers to use their data lawfully – because who wouldn’t knowingly consent to have their driving assessed by their insurance company?
The implications of access to data about cars and their drivers extends beyond privacy to national security. Last year, the US Commerce Department issued a Notice of Proposed Rulemaking titled, “Securing the Information and Communications Technology and Services Supply Chain.”
The concern, the Commerce Department said, is that “connected vehicles could present an undue or unacceptable risk to US national security when those systems are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.”
On Tuesday, the Commerce Department finalized that rulewhich prohibits the sale or import of vehicles that integrate certain software or hardware components that include components from China or Russia.
“Cars today aren’t just steel on wheels – they’re computers,” said US Secretary of Commerce Gina Raimondo, in a statement. “They have cameras, microphones, GPS tracking, and other technologies that are connected to the internet.
“Through this rule, the Commerce Department is taking a necessary step to safeguard US national security and protect Americans’ privacy by keeping foreign adversaries from manipulating these technologies to access sensitive or personal information. This is a targeted approach to ensure we keep PRC and Russian-manufactured technologies off American roads and protect our nation’s connected vehicle supply chains.” (r)