
Senators to FTC: Car companies’ data privacy practices must be investigated

Updated 7/29 with statements from GM and Hyundai

Senators probing how connected cars violate consumer privacy found that some major automakers share and sell drivers’ data, including their location, on a vast scale, and often obtain consent through deception.

An ongoing Senate investigation led by Sens. Ron Wyden (D-OR) and Ed Markey (D-MA) prompted them to write to the Federal Trade Commission (FTC) for the second time since late April, imploring the agency to investigate the auto industry for shoddy data privacy practices.

The senators provided FTC Chair Lina Khan with detailed statistics to make their case.

Hyundai gave data from 1.7 million cars to the data broker Verisk, which paid the auto manufacturer more than $1 million (61 cents per car) for the information, according to a 16-page letter the senators sent Khan Friday.

The letter also showcased the data protection failings of two other auto manufacturers, General Motors and Honda, and said all three car makers used what the senators called “deceptive design techniques” to trick drivers into agreeing to the data sharing. For example, the letter said, GM merged data sharing consent requests with important items such as consumers agreeing to receive vehicle safety updates and alerts when their car alarms were triggered.

Referring to those deceptive techniques as “dark patterns,” the senators said in a press release that they were used to “manipulate consumers into signing up for programs in which driver data was shared with data brokers, for subsequent resale to insurance companies.”

Honda gave Verisk data from 97,000 cars, which yielded the Japanese automaker $25,920 (26 cents per car), the letter to Khan said.

General Motors would not tell the senators how many cars' data it shared with data brokers or how much it was compensated. The senators’ letter to Khan said the company did not receive informed consent from consumers and tricked them into registering for its Smart Driver program in order to obtain the data. 

The company sold data from eight million cars to data brokers who primarily peddled it to insurers, according to previous reporting.

The automaker also told Wyden’s staff that it “shared location data on all drivers who activated the internet connection for their GM car, even if they did not enroll in Smart Driver,” the letter said, noting that the location data sharing to unknown third parties has been “going on for years.”

This latter disclosure on location data sharing may prove a trigger for FTC action.

“Cars are much like mobile phones when it comes to revealing consumers’ persistent, precise location,” a May FTC blog post from the agency’s Division of Privacy and Identity Protection said. 

“In a series of seminal cases in recent years, the Commission has established that the collection, use, and disclosure of location can be an unfair practice,” it added, emphasizing that geolocation data sales receive “enhanced protections” under the FTC Act. 

FTC blog posts are not casual communications and are instead seen as warnings to industry about its enforcement priorities and how it draws lines between legal and illegal corporate practices.

A GM spokesperson said in a statement that the company shares the senators’ “desire to protect consumers’ privacy while enhancing safety and preserving innovation.”

“We vehemently deny the assertion that we used 'manipulative design techniques' to coerce consumers into enrolling in Smart Driver,” the statement said. “Each consumer was given choice at the time of enrolling and throughout the life of the product.”   

The company also said its now defunct Smart Driver program was designed to “promote safer driving behavior for the benefit of customers who elected to participate.” 

“Data was only shared with an insurer if a customer initiated a quote directly with their chosen carrier and provided a separate consent to that carrier,” it added. 

Honda sent a statement asserting that it “operates from a customer-focused mindset, aiming to build trust with each customer that lasts a lifetime.” 

“Toward this goal, as with any modern company, Honda collects customer-related data by various means, including during the operation of our vehicles when equipped with connected capabilities,” the statement added. “This is a part of our focused effort to improve and advance our products and provide our customers with better user experiences.”

The spokesperson said Honda's data sharing program requires consumers to “expressly” opt in.

A Hyundai spokesperson sent a statement saying that the senators’ letter “mischaracterizes Hyundai’s data policies and the safeguards it implemented to ensure customer consent for sharing driving behavior information with insurers.”

“The letter also inaccurately describes the customer consent required for the sharing of customer driving behavior data with Verisk, a third-party data-sharing service provider,” the statement added. The company said its data sharing program was “launched as a value-added feature for Bluelink customers to enable a better understanding of their driving habits.”

Customers could choose whether to link their “driver score” to their insurance for “potential benefits, such as a good driving discount, thereby enhancing their driving experience and potentially saving on insurance costs,” the statement said, adding that customers could opt out at any time via their account’s privacy portal.

Dark patterns

Wyden and Markey attached screenshots to their letter to illustrate how dark patterns were used.

“The lengthy disclosures presented by GM before the opt-in did not disclose to consumers that as part of enrolling in Smart Driver, their driving data would be shared with data brokers and resold to insurance companies,” the letter said.

Sens. Ron Wyden (D-OR) and Ed Markey (D-MA) have sent multiple letters asking the FTC to investigate car companies.

GM discontinued the Smart Driver program in June in the face of mounting public pressure about its handling of drivers’ data. The company has previously acknowledged selling car data to data brokers going as far back as 2015.

Other manufacturers used dark patterns in different ways, Wyden and Markey’s letter said.

Honda customers who signed up for an optional Driver Feedback program were directed to an enrollment screen where prominent language asked them to give consent for the company to track them so it could gauge whether they were candidates for insurance discounts, the letter said.

After users gave consent for that offer, they were then asked to agree to far lengthier legal terms that buried the fact that the consumers' data would be shared with Verisk, according to the senators.

Hyundai customers were enrolled in data sharing by default, the letter said.

“The company shared data with Verisk from consumers who enabled internet connectivity, by automatically enrolling those drivers in its Driving Score program without telling them,” according to the letter.

Hyundai required drivers to “click through a consent form to enable the internet connection for a new car, but the company did not disclose that it would also share consumers’ data with Verisk if they agreed,” the letter said, noting that drivers could not disenroll from the program via the company’s website or app after they signed up.

Continuing pressure on the FTC

The senators have been focused on how car companies collect, store and sell driver data for several months.

In April, Wyden and Markey also jointly wrote to Khan, imploring the agency to investigate the practices of connected car manufacturers, with a focus on how many of them turn driver location data over to law enforcement without a warrant — a fact the senators said many car companies had lied about.

Markey demanded data sharing information from 14 major auto manufacturers in December, lambasting their privacy practices and asserting that consumers should not be trapped in a “massive data collection apparatus, with any disclosures hidden in pages-long privacy policies filled with legalese.”

The senator sent his own letter to Khan in February, telling her the 14 automakers' answers were “evasive and vague.”

Car manufacturers “sidestepped my questions or focused on the beneficial uses of this data — all while ignoring the real privacy risks their data practices create,” Markey wrote to Khan, asking her to investigate.

Most of the manufacturers refused to tell him whether they transfer data to make money, Markey said at the time.

The tone of Wyden and Markey’s latest letter is even angrier than their last.

“It is particularly insulting for automakers that are selling cars for tens of thousands of dollars to then squeeze out a few additional pennies of profit with consumers’ private data,” the senators told Khan.

“The problematic practices we have uncovered and documented in this letter are likely just the tip of the iceberg,” they added. 

They said they focused on Verisk to decide “if there is a problem that warrants further oversight by federal regulators” but added that many other data brokers are still selling driver data.

The senators’ letter cited the FTC’s January enforcement actions against two geolocation data brokers, which extracted and sold data from mobile phone apps without consent, arguing that the precedent means an agency investigation of the auto industry should be a no-brainer.

“The FTC should hold accountable the automakers, which shared their customers’ data with data brokers without obtaining informed consent, as well as the data brokers, which resold data that had not been obtained in a lawful manner,” the letter said. 

It cited the vast number of affected consumers and the “outrageous manipulation of consumers using dark patterns,” telling Khan the agency should also go after senior executives for their “flagrant abuse of their customers’ privacy.”

Vehicle data privacy has become increasingly important to consumers, according to Andrea Amico, CEO of Privacy4Cars, who said recent surveys show 39% of vehicle buyers consider data privacy "highly important" and more than 9 out of 10 don't trust manufacturers with their data.

Correction: Due to an editing error, an earlier version of this story misstated the amount of money a data broker gave to Hyundai.

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.