Car companies’ data privacy practices must be investigated

Senators probing how connected cars violate consumer privacy found that some major automakers share and sell drivers’ data, including their location, on a vast scale, and often obtain consent through deception.

An ongoing Senate investigation led by Sens. Ron Wyden (D-OR) and Ed Markey (D-MA) prompted them to write to the Federal Trade Commission (FTC) for the second time since late April, imploring the agency to investigate the auto industry for shoddy data privacy practices.

The senators provided FTC Chair Lina Khan with detailed statistics to make their case.

Hyundai gave data from 1.7 million cars to the data broker Verisk, which paid the auto manufacturer more than $1 (61 cents per car) for the information, according to a 16-page letter the senators sent Khan Friday.

The letter also showcased the data protection failings of two other auto manufacturers, General Motors and Honda, and said all three car makers used what the senators called “deceptive design techniques“ to trick drivers into agreeing to the data sharing. For example, the letter said, GM merged data sharing consent requests with important items such as consumers agreeing to receive vehicle safety updates and alerts when their car alarms were triggered.

Referring to those deceptive techniques as “dark patterns” the senators said in a press release that they were used to “manipulate consumers into signing up for programs in which driver data was shared with data brokers, for subsequent resale to insurance companies.”

Honda gave Verisk data from 97,000 cars, which yielded the Japanese automaker $25,920 (26 cents per car), the letter to Khan said.

General Motors would not tell the senators how many cars’ data it shared with data brokers or how much it was compensated. The senators’ letter to Khan said the company did not receive informed consent from consumers and tricked them into registering for its Smart Driver program in order to obtain the data. 

The company sold data from eight million cars to data brokers who primarily peddled it to insurers, according to previous reporting.

The automaker also told Wyden’s staff that it “shared location data on all drivers who

activated the internet connection for their GM car, even if they did not enroll in Smart

Driver,” the letter said, noting that the location data sharing to unknown third parties has been “going on for years.”

This latter disclosure on location data sharing may prove a trigger for FTC action.

“Cars are much like mobile phones when it comes to revealing consumers’ persistent, precise location,” a May FTC blog post from the agency’s Division of Privacy and Identity Protection said. 

“In a series of seminal cases in recent years, the Commission has established that the collection, use, and disclosure of location can be an unfair practice,” it added, emphasizing that geolocation data sales receive “enhanced protections” under the FTC Act. 

FTC blog posts are not casual communications and are instead seen as warnings to industry about its enforcement priorities and how it draws lines between legal and illegal corporate practices.

Hyundai and GM did not respond to requests for comment.

A Honda spokesperson said it “operates from a customer-focused mindset, aiming to build trust with each customer that lasts a lifetime.” 

“Toward this goal, as with any modern company, Honda collects customer-related data by various means, including during the operation of our vehicles when equipped with connected capabilities,” the statement added. “This is a part of our focused effort to improve and advance our products and provide our customers with better user experiences.”

The spokesperson said its data sharing program requires consumers to “expressly” opt-in.

Dark patterns

Wyden and Markey attached screenshots to their letter to illustrate how dark patterns were used.

“The lengthy disclosures presented by GM before the opt-in did not disclose to consumers that as part of enrolling in Smart Driver, their driving data would be shared with data brokers and resold to insurance companies,” the letter said.

Sens. Ron Wyden (D-OR) and Ed Markey (D-MA) have sent multiple letters asking the FTC to investigate car companies.

GM discontinued the Smart Driver program in April in the face of mounting public pressure about its handling of drivers’ data. The company has previously acknowledged selling car data to data brokers going as far back as 2015.

Other manufacturers used dark patterns in different ways, Wyden and Markey’s letter said.

Honda customers who signed up for an optional Driver Feedback program were directed to an enrollment screen where prominent language asked them to give consent for the company to track them so it could gauge whether they were candidates for insurance discounts, the letter said.

After users gave consent for that offer they were then asked to agree to far lengthier legal terms which buried the fact that the consumer’s data would be shared with Verisk, according to the senators.

Hyundai customers were enrolled in data sharing by default, the letter said.

“The company shared data with Verisk from consumers who enabled internet connectivity, by automatically enrolling those drivers in its Driving Score program without telling them,” according to the letter.

Hyundai required drivers to “click through a consent form to enable the internet connection for a new car, but the company did not disclose that it would also share consumers’ data with Verisk if they…