Automakers Under Fire For Allegedly Selling Driver Data to Third Parties


Written by:

Key takeaways

  • Automakers are under fire for allegedly selling driver data to third parties. Consumers say they were unaware of the data collection or sharing, with murky privacy policies hidden in fine print.
  • Third-party data brokers sell driver data to car insurance companies, which use the information to assess risk and determine premiums.
  • Telematics programs differ from manufacturer data collection. Telematics is an optional insurance product that offers discounts for safe driving, with consumers informed about how collected data factors into premiums.
  • Your smart car’s entertainment system, advanced safety feature sensors and cameras, GPS, devices connected through a USB, smartphone apps, and event data recorders (a car’s “black box”) provide data that could affect your insurance premiums.
  • Connected cars may access data from plug-in devices about your exercise habits, photos, calendars, disability status, sexual orientation, and dozens of other factors unrelated to driving behaviors, according to the Mozilla Foundation.1

Your connected car knows a lot more about you than you might think, and what it knows could be the reason behind your skyrocketing insurance rates, a March 11 New York Times exposé revealed.2

Car insurance rates increased by 24% in 2023, and Insurify’s data scientists predict an additional 7% rise in 2024. For many drivers, data sharing could factor into rate hikes.

The Times investigation included detailed accounts from a driver who found brokers like LexisNexis had 130 pages of data on his driving habits and trips — information he never knowingly consented to sharing.

GM is at the center of the controversy, but Honda, Kia, Mitsubishi, Acura, and Hyundai also offer optional connected-car apps that rate driving and may share data with data brokers, including LexisNexis and Verisk.

As legislators grapple with emerging technology and related privacy issues, drivers are seeing the effects of data sharing on their insurance premiums.

Your car might know you better than you think

From your car’s built-in GPS to advanced driver assistance system (ADAS) sensors to the phone you plug in to play music, there’s no shortage of ways for modern vehicles to collect data. And connected cars collect a lot of it.

Your car manufacturer can collect data about your name, address, age, and other expected information. But it may also gather data from plug-in devices about your purchases, disability status, sexual orientation, facial features, exercise habits, to-do lists, photos, or calendars, according to a Mozilla Foundation report that lists more than 160 collectible data points.

More than half the car manufacturers analyzed in Mozilla’s report also collected information about the world outside your car, including weather and road surface conditions.

If you drive a connected car and forget to buckle up, hit the brakes a little too hard, or swerve in traffic, your vehicle probably knows.

Your favorite music genre or philosophical beliefs might seem irrelevant to driving, but your car could track this data, too. Nearly 90% of the car brands Mozilla analyzed create “inferences” about drivers. These inferences combine multiple data points to make assumptions about drivers. Of the manufacturers who make inferences, 39% say they may sell data to third parties.

Third parties include data brokers like LexisNexis and auto insurance companies, which then use this data to calculate your insurance premium.

Automakers face lawsuit and FTC investigation over data privacy

Romeo Chicco received rejections from seven insurers before finding out through a Liberty Mutual representative that his LexisNexis report was the culprit. He initiated a class action lawsuit against GM and LexisNexis on March 13 — two days after the New York Times story broke.

The complaint alleges that invasive data tracking by Chicco’s 2021 Cadillac XT6 caused a significant increase in his premium. Chicco alleges GM and OnStar collected his driving data without his knowledge or consent.2

Data privacy lawsuits aren’t the only issue auto manufacturers face. Sen. Ed Markey of Massachusetts urged the Federal Trade Commission (FTC) to investigate automakers for data privacy practices in an open letter to FTC Chairperson Lina Khan.3 The letter follows Markey’s December request to major manufacturers for transparency about how they collect, use, and sell data.

Telematics vs. manufacturer data collection

The discomforting thought of a company tracking every move a driver makes behind the wheel has fueled a backlash against automakers’ data privacy practices.

But at least 16.8 million drivers had signed up for exactly that by the end of 2022. The telematics insurance market is growing and is expected to reach 30 million policies by 2027, according to the industry publication Insurance Business.4

Consumer consent is perhaps the most significant difference between automaker and telematics insurance data collection. Telematics insurance has an obvious opt-in process, while drivers with smart cars have been blindsided by manufacturers collecting and selling data. 

Another key distinction is the effect each type of data collection has on insurance rates. While telematics insurance programs offer premium discounts for safer driving, automaker data collection doesn’t offer the same benefit to drivers. 

How automaker data collection affects car insurance rates

Nearly every product or service people use today collects and sells data, from smartwatches to credit cards to robot vacuums. Car manufacturers are the rule, not the exception. The issue for consumers is that driving data can significantly affect insurance rates — and it’s not always positive.

Stories like Chicco’s highlight how selling vehicle data to third-party insurers can lead to more expensive insurance rates — if those drivers are approved for coverage at all. Multiple insurers rejected Chicco before he found coverage with a higher premium.

Tracking driver behavior can have positive safety outcomes. When enrolled in usage-based insurance programs, the riskiest drivers improved their behavior and reduced the odds of a bodily injury claim by 5.5%, a Cambridge Mobile Telematics study revealed.5 When manufacturers collect data, drivers are often unaware, eliminating the safety benefits.

How telematics affects car insurance rates

Every insurance company has its own method of calculating driver scores using telematics. Most programs track where and when you drive, mileage, and driving behaviors like hard braking or rapid acceleration. Some telematics programs also track phone usage while driving and collect information about weather conditions.

Most telematics programs require a phone app opt-in or a plug-in device, so data tracking happens with your awareness and permission.

Telematics programs can lead to a significant premium discount for safe driving. These programs also alert drivers to dangerous behavior and give them an opportunity to correct it.

Unsafe driving can still result in premium increases in some telematics programs, like Progressive’s Snapshot, in which about 2 in 10 drivers see premium hikes due to risky driving behaviors.6

How to opt out of manufacturer data collection

Opting out of manufacturer data collection can be difficult outside the five U.S. states with robust consumer privacy laws. California, Connecticut, Colorado, Utah, and Virginia have privacy laws that allow consumers to restrict how businesses use their personal information or to delete their data.

“While each state’s cyberlaw and data privacy statutes require publication of a privacy notice, they differ somewhat on what must be included,” said Jamie E. Wright, founder of The Wright Law Firm Employment Lawyers. “And while, for example, Colorado, Connecticut, and Virginia permit processing of ‘sensitive’ information only with prior consent, California and Utah permit processing unless the consumer has opted out.”

A new class of consumer privacy laws will take effect in Florida, Montana, Oregon, and Texas in July 2024. Recently passed privacy laws in Delaware, Iowa, New Jersey, and Tennessee will be enforced beginning in 2025, and Indiana’s data privacy law will take effect in 2026.7

For drivers in many states, manufacturers have the legal right to collect consumer data and don’t offer an opt-out option. Just two of the 25 car brands the Mozilla Foundation analyzed in its *Privacy Not Included series gave customers control over data deletion — and those two brands are available only in Europe, which has more robust privacy laws.8

“State codes and statutes give people certain legal rights to opt out of data collection or delete driver data in states without comprehensive data privacy laws,” said Wright. “Practically speaking, end users should receive clear and accessible notice that an organization is collecting their location prior to or at the point of collection.”

“If someone alleges that their car manufacturer collected and sold personal data without permission, they may have several legal recourses. They could seek an injunction to prevent the manufacturer from acquiring and using personal information without written consent in the future, as well as damages and relief as permitted by their causes of action.”

A driver could also allege a car manufacturer was in violation of statutes based on fraudulent misrepresentation or omission, advised Wright. But some laws permit automakers to access customer data from a dealer’s system with written permission from the dealer. Data shared with third parties used for marketing, advertising, or servicing the car could also be exempt.

The future of driver data collection

As coverage costs continue rising, telematics insurance programs offering attractive discounts could see more adoption from financially strained drivers. Consumer reactions will largely determine whether telematics becomes the universal standard in car insurance.

“Now, some insurers are starting their business on the telematics model. So whether or not they’re successful may determine how often we see telematics as a built-in feature in the future,” said Betsy Stella, vice president of carrier management and operations at Insurify.

The result of an FTC investigation or Chicco’s class action lawsuit against GM could also affect how automakers and insurers collect and use customer data. But auto manufacturers have been sued for data privacy violations before.

A federal judge upheld the dismissal of a class action in November 2023. The lawsuit alleged that Ford, GM, Honda, Toyota, and Volkswagen had recorded and intercepted drivers’ private texts and call logs, but the ruling determined that the automakers were not violating the Washington Privacy Act.

The U.S. doesn’t currently have comprehensive consumer data protection legislation like Europe’s robust General Data Protection Regulation (GDPR) law. Without a federal law, data privacy falls into the hands of state legislators.

Drivers can find out how much data their cars can collect by looking up the vehicle identification number (VIN) in the Vehicle Privacy Report tool from Privacy4Cars. People can also request their LexisNexis and Verisk reports directly from the data brokers.

This article originally appeared on Insurify and was syndicated by MediaFeed.

More from MediaFeed:

Like MediaFeed’s content? Be sure to follow us.