Big news on the spying-car front.
“GM banned from selling your data for five years,” is a headline from The Verge that should give you pause for more reasons than one. On Friday, amid one of the noisiest, most chaotic news cycles of our time, the settlement the automaker reached with the Federal Trade Commission (FTC) in the U.S. should be sounding like a train whistle. Unfortunately, it might not hit the radar of consumers who are being compromised. This is an important move by the FTC, and it needs more light.
We’re inundated with proof that the automotive industry is one of the most porous when it comes to protecting your privacy. Back in September 2023, the Mozilla Foundation published a report entitled “Privacy Nightmare on Wheels: Every car brand reviewed by Mozilla…flunks privacy test”. My colleague David Booth has written extensively on the hacker dream/privacy nightmare that is your late-model vehicle, but it was a New York Times investigation last year that finally revealed the extent to which drivers were being compromised.
Drivers’ privacy being compromised by auto manufacturers
Drivers were unaware that the apps they signed up for to use nav systems or emergency services, or things with game-like titles like “improve your driving score,” were actually recording driving data that was, in turn, being sold to third parties including data brokers and insurance companies. We report continually about insurance rates setting record highs, which is usually explained away by pointing out that complicated modern vehicles cost more than ever to repair. Throw in increasingly wild weather events and it almost makes sense. But how many of us have seen rates explode because our cars have been ratting us out?
“For example, one consumer told a GM customer service representative that ‘[w]hen I signed up for this, it was so OnStar could track me. They said nothing about reporting it to a third party. Nothing. […] You guys are affecting our bottom line. I pay you, now you’re making me pay more to my insurance company,’” reports The Verge.
Car owners need more control over their privacy
The FTC order allows for owners to obtain and delete information that has been collected, and allows for them to opt out. This is critical. Currently, some applications an owner may accept, which harvest their data to sell to the highest (unnamed) bidder, are tied to features they could reasonably be expected to use, like remote starting, vehicle functions, infotainment systems and service communications. As consumers, it’s time to start reading the fine print and quit relying on a sales rep to tell you what to do.
In the NYT piece, a driver was faced with a spiked insurance rate due to his “driving score,” something he had no idea was being recorded, let alone sold to his insurance company. The practice is industry-wide, and Consumer Reports petitioned the FTC after the discoveries in the NYT. Texas sued General Motors in August 2024, stating, “General Motors used technology installed in most 2015 model year or newer GM vehicles to collect, record, analyze, and transmit highly detailed driving data about each time a driver used their vehicle. General Motors sold this information to several other companies, including to at least two companies for the purpose of generating ‘Driving Scores’ about GM’s customers and selling these scores to insurance companies.”
As the Mozilla report shows, it’s not just General Motors and its now-cancelled OnStar Smart Driver app; data collection by every manufacturer has become business as usual. It’s as the cracks start to show that car owners can finally find out the extent of the intrusion into their privacy. “VW has now been hit by a data protection nightmare. Location data from 800,000 electric vehicles [across Europe] and contact info from owners was accessible unprotected on the internet. And the company didn’t even know about it,” reported Der Spiegel earlier this month. The fact it personally impacted a politician no doubt added to the weight of the attention landing on the beleaguered German manufacturer. Mozilla said privacy issues are rampant in the automotive sector; massive breaches like this one are proving them right.
What does the FTC settlement mean?
Mark Whinton, an automotive forensic investigator, says the FTC settlement with GM is a game-changer. Well, it should be. “It should be huge, there’s a thirty-day window for public comment, and then the FTC will make its final ruling. But keep in mind what’s happening in that country in the next thirty days,” says Whinton. He’s right: we’re entering the most unstable time in recent memory when it comes to regulation. Consumers need this settlement to hold because it will affect all automakers who have spent billions on telematics for data collection — to sell. “This is going to be a massive kick in the head to them,” says Whinton.
If you have a newer vehicle, you likely have or were offered apps for it on your phone for things like remote start, and often, whole suites of offerings. “They have to make it look like it’s a benefit to you,” explains Whinton. “Things like ‘improve your driving score’ with green rings to ‘reward’ you, when in actuality, it’s storing your mileage, your speed, stops, starts, everything.” Consider what else is recorded: medical facilities you visit, where you shop, who you see, how often you hit a drive-thru. Imagine that information being sold to an entity that could target you with ads, like Ford’s recent creepy patent application that would allow your private conversations to determine ads you see, or turn you down for something like life insurance. Anyone who says, “if you have nothing to hide, you have nothing to fear” needs a slap upside the head.
Many of us are inured to pages of tiny print that constitute the terms and conditions for nearly everything in our lives. Whinton’s concern (beyond the fact so few of us actually read them) is the built-in defence wordings in too many of those pages. “There are some car companies I’ve investigated, and basically, if you get in and use the key to start it, you’ve accepted the terms and conditions.” It’s the same thing as checking that box when you visit a website, but nobody should be accepting these unclear (or non-existent) terms regarding privacy about their car so casually.
What’s next?
While Consumer Reports was pleased with this recent outcome, it was also explicit in requiring more of the federal agency. “Secretly collecting and sharing driver location data is a terrible practice that can cause real harm to unsuspecting consumers. We are encouraged that the FTC is taking action under existing consumer protection law to put a stop to it. But because of ambiguity in the law, the best way to avoid these types of abuses in the future is a strong and clear comprehensive privacy law that restricts unwanted data sharing by default.”
We don’t need the courts to remind you that using a nav system means where you go will be recorded and kept; we need them to ensure that information isn’t sold to be used against you without your knowledge. This ruling is against General Motors, but it has implications that are industry-wide.
Oh, and why only five years?