Buy a New Car? It’s Probably Spying on You
New cars are saturated with technology that collects user data.[1] They’re built with video cameras, microphones, seat weight sensors, apps, and more.[2] Through this technology, car companies collect large swaths of data, which is then sold or shared with third parties.[3] According to these car companies’ terms of service, they collect everything from a driver’s location, driving patterns, biometrics, health diagnoses, and immigration status to a driver’s sex life.[4]
Car companies claim that they do not collect or sell user data without consent; however, many drivers may not realize they have given permission.[5] Consent is obtained in a variety of ways.[6] Consent agreements can be included in contracts for roadside assistance, such as OnStar.[7] Other drivers may have signed up at the dealership when they bought the car.[8] Even more unknowingly give consent when they download apps that remotely unlock their cars or track their location.[9] The worst companies claim that consent is given simply by entering the car.[10] This consent is not obvious to consumers.[11] It is often buried in lengthy terms of service, and the provisions aren’t clear about which third parties receive the data.[12] Some list only SiriusXM as an example, which may mislead drivers into a false sense of security about who’s seeing their data.[13] Most companies sell this data to the large data brokers LexisNexis and Verisk.[14] On top of that, half of car manufacturers say they would share driver data with law enforcement or the government without a court order.[15]
This type of data collection has already negatively affected consumers in numerous ways. It has resulted in higher insurance prices, stalking, and the leak of sensitive data.[16] Driving telematics, including driver speed, braking patterns, location, and more, are collected and sold to data brokers, who then sell the information to insurance companies.[17] As a result, many drivers have seen their insurance prices skyrocket.[18] Car companies make good money off the practice, with G.M. making in the “low millions.”[19]
Numerous domestic violence survivors have said their abuser stalked them through location data collected by their car.[20] When some survivors attempted to stop the car companies from sharing the data, the companies refused, claiming it was out of their hands because the abuser was still on the title, even though the survivors had restraining orders against their abuser.[21]
Finally, sensitive data must be especially safeguarded even when third parties do not have direct access through apps. Location data shows numerous details of a person’s life, including their address, their friends and family, their doctor, their workplace, among other sensitive data.[22] Although this data is supposed to stay anonymous, it only requires four location data points to re-identify 95% of people.[23] For instance, this information could be used to identify women who have used abortion clinics.[24]
A new class action was filed against G.M., LexisNexis, and OnStar for collecting and sharing driver data.[25] The plaintiff makes claims under the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (“FCRA”), the Deceptive and Unfair Trade Practices Act, and Florida common law invasion of privacy.[26] The plaintiff, Romeo Chicco, bought a Cadillac in 2021.[27] When he tried to obtain new insurance in 2023, Chicco was denied by multiple insurance companies on the basis of a LexisNexis report.[28] The report included 258 driving “events” which included “trip details that show the start date, end date, start time, end time, acceleration events, hard brake events, high-speed events, distance, and VIN.”[29] According to the complaint, the plaintiff never signed up for nor consented to his data being collected and shared.[30] When he tried to find out when he allegedly consented to this data sharing, LexisNexis, OnStar, and G.M. were unable to tell him.[31] The plaintiff argues these reports are an inaccurate representation of drivers because driving patterns are taken out of context and, therefore, LexisNexis “failed to maintain procedures to maintain maximum possible accuracy” under the FCRA.[32] The plaintiff further claims the company’s privacy practices are unfair, deceptive, and misleading to consumers.[33]
Hopefully, if the class action succeeds, it will limit these companies’ problematic practices, but how long before manufacturers in other industries follow in the car manufacturers’ footsteps and start spying on us? These practices are a harsh reminder that the US lacks federal data privacy protection.[34] Consumers need a federal privacy law that limits data collection to what is necessary to run the technology. The law should also set strict data deletion requirements and limit what type of information can be sold. It’s far past time for federal data privacy laws, but in the meantime, check to see if your car is spying on you.
Footnotes