FTC, Texas AG take action against surveillance, sale of drivers’ data

The Federal Trade Commission (FTC) has taken a significant step toward safeguarding consumer privacy by initiating a proposed action against General Motors (GM) and its subsidiary, OnStar, over allegations they improperly collected and shared sensitive data on millions of vehicle owners.
Several days earlier, Texas Attorney General (AG) Ken Paxton sued Allstate and its subsidiary, Arity, for “unlawfully collecting, using, and selling” more than 45 million Americans’ driving data “through secretly embedded software in mobile apps such as Life360.” The suit arose from an investigation that led Paxton to sue GM in August for allegedly “false, deceptive, and misleading business practices related to its unlawful collection and sale of over 1.5 million Texans’ private driving data to insurance companies without their knowledge or consent.” This is the first enforcement action filed by a state attorney general to enforce a comprehensive data privacy law.
Both the FTC and the Texas AG’s actions reflect growing concerns about privacy risks in the era of digitally connected vehicles. Indeed, in December 2024, a significant data breach at Volkswagen Group’s software subsidiary, Cariad, exposed sensitive information of approximately 800,000 electric vehicle owners. The compromised data included precise vehicle locations, contact details, and movement patterns. The breach affected fully electric models across the Volkswagen, Audi, Seat, and Škoda brands, impacting vehicles not only in Germany but throughout Europe and other regions.
The root cause of the breach was a misconfigured Amazon Web Services cloud storage system managed by Cariad, which left the data accessible online for several months. A whistleblower discovered the vulnerability and reported it to the German news outlet Der Spiegel and the Chaos Computer Club. The exposed data encompassed precise GPS coordinates, with location accuracy reaching within ten centimeters for Volkswagen and Seat vehicles, and up to ten kilometers for Audi and Škoda models.
Volkswagen has since addressed the security lapse, but the incident has raised significant concerns about the privacy and security of data collected by modern vehicles, highlighting the potential risks associated with extensive data collection and storage practices.
“Tracking and collecting geolocation data can be extremely privacy invasive, revealing some of the most intimate details about a person’s life, such as whether they visited a hospital or other medical facility, and expose their daily routines,” the FTC said in its action against GM. The proposed order aims to establish greater transparency and accountability to ensure consumers retain control over their personal data.
The federal regulator’s unprecedented move marks its first action addressing connected vehicle data and underscores its commitment to regulating the rapidly evolving landscape of vehicle technology and consumer rights. The move is a clear signal that the FTC intends to hold companies accountable for exploiting consumer data, setting a precedent for how connected vehicle data should be managed moving forward.
During a closed meeting, the Commission voted 3-0-2 to accept the proposed consent agreement for public comment. Commissioners Melissa Holyoak and Andrew N. Ferguson, President Donald Trump’s pick to head the FTC, were recorded as absent.
The FTC issues an administrative complaint when it has “reason to believe” the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest.
According to the FTC’s complaint, Michigan-based GM misled customers through its OnStar connected vehicle service, specifically its OnStar Smart Driver feature. The automaker allegedly failed to adequately disclose that it collected precise geolocation and driving behavior data from its users, including information about hard braking, speeding, and nighttime driving.
The data was then sold to third parties, including consumer reporting agencies, without the consumers’ clear consent. These agencies used the information to create credit reports which insurers relied on to set insurance rates and, in some cases, deny coverage altogether.
The implications of such practices are vast. By tracking users’ precise geolocation – sometimes as frequently as every three seconds – GM could determine sensitive details about individuals, such as visits to hospitals or other private locations, effectively mapping out their routines. Biometric Update previously reported that cross-referencing anonymized, disparate datasets can lead to de-anonymization and identification of individuals.
De-anonymization occurs when data that has been stripped of direct identifiers such as names or email addresses is combined with other datasets to re-identify individuals. This process relies on quasi-identifiers like location, gender, birth date, or device IDs, which, when cross-referenced with other information, can uniquely identify people. For example, a combination of birth date, gender, and ZIP code can be enough to pinpoint an individual, even in anonymized datasets.
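As an added illustration of the re-identification mechanism described above (example code written for this page, not from the article or any of the companies named in it): two constructed datasets, a k-anonymity check over the quasi-identifiers the text names, the record linkage that singles out unique individuals, and the coarsening step a data holder would apply before release. All names, dates and ZIP codes are made up.

```python
from collections import Counter

# Constructed sample: a "de-identified" driving-behavior release (no names)
# and a public roll that does carry names. Both are invented for this example.
DRIVING_RELEASE = [
    {"birth_date": "1985-03-12", "gender": "F", "zip": "78701", "hard_brakes": 14},
    {"birth_date": "1985-11-30", "gender": "F", "zip": "78704", "hard_brakes": 3},
    {"birth_date": "1990-07-04", "gender": "F", "zip": "78702", "hard_brakes": 22},
    {"birth_date": "1990-07-04", "gender": "F", "zip": "78702", "hard_brakes": 5},
]
PUBLIC_ROLL = [
    {"name": "Alice", "birth_date": "1985-03-12", "gender": "F", "zip": "78701"},
    {"name": "Bob",   "birth_date": "1985-11-30", "gender": "F", "zip": "78704"},
    {"name": "Carol", "birth_date": "1990-07-04", "gender": "F", "zip": "78702"},
    {"name": "Dana",  "birth_date": "1990-07-04", "gender": "F", "zip": "78702"},
]
# The quasi-identifiers discussed in the text: none is a direct identifier,
# but their combination can be unique.
QUASI_IDS = ("birth_date", "gender", "zip")

def qi_key(rec, fields=QUASI_IDS):
    """Tuple of a record's quasi-identifier values."""
    return tuple(rec[f] for f in fields)

def k_anonymity(records, fields=QUASI_IDS):
    """Size of the smallest group sharing the same quasi-identifiers.
    k == 1 means at least one record can be singled out."""
    counts = Counter(qi_key(r, fields) for r in records)
    return min(counts.values())

def linkable(release, roll, fields=QUASI_IDS):
    """Map name -> released attribute for every release record whose
    quasi-identifiers match exactly one person in the public roll."""
    names_by_key = {}
    for person in roll:
        names_by_key.setdefault(qi_key(person, fields), []).append(person["name"])
    found = {}
    for rec in release:
        names = names_by_key.get(qi_key(rec, fields), [])
        if len(names) == 1:          # unique match: re-identified
            found[names[0]] = rec["hard_brakes"]
    return found

def generalize(rec):
    """Release-side mitigation: coarsen quasi-identifiers to birth year
    and 3-digit ZIP prefix so that each combination covers several people."""
    coarse = dict(rec)
    coarse["birth_date"] = rec["birth_date"][:4]
    coarse["zip"] = rec["zip"][:3]
    return coarse
```

On the raw release the check returns k = 1 and linkage names Alice and Bob; after generalization every combination covers two people and no record links uniquely.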
This level of surveillance, combined with the sale of such data, raised alarm bells at the FTC. Chairman Lina M. Khan said, “GM monitored and sold people’s precise geolocation data and driver behavior information, sometimes as often as every three seconds. With this action, the FTC is safeguarding Americans’ privacy and protecting people from unchecked surveillance.”
FTC staff attorney Julia Solomon Ensor said, “GM convinced customers to sign up for a program called ‘Smart Driver’ by marketing it as a game-like program that would use driver behavior data to help people improve their driving. But what wasn’t clear was GM and OnStar also intended to sell the data they collected to third parties, including consumer reporting agencies. And, according to the FTC, sharing this information without people’s fully informed consent caused real harm.”
Ensor added that “people also lost privacy about day-to-day movements, including visits to sensitive locations. According to the complaint, by using and sharing data without permission, GM and OnStar deceived people and acted unfairly.”
The FTC complaint also highlights the deceptive enrollment process employed by GM. Consumers purchasing vehicles were often encouraged to sign up for OnStar, with the service promoted as a tool for emergencies and enhanced navigation.
However, many users were unknowingly enrolled in the Smart Driver feature, and the extent of data collection was not transparently communicated. Complaints poured in from consumers who discovered their driving habits were being shared with insurance companies, with one individual expressing frustration about the unexpected impact on their insurance rates.
Under the proposed settlement order, GM and OnStar are required to implement substantial changes to their data collection and sharing practices. For a period of five years, they are prohibited from disclosing consumers’ geolocation and driver behavior data to consumer reporting agencies. Additionally, the order mandates that the companies obtain explicit consumer consent before collecting connected vehicle data, with certain exceptions for emergencies.
The settlement also emphasizes consumer empowerment. GM and OnStar must develop mechanisms allowing individuals to request copies of their data, delete it, or opt out of the collection of geolocation and driving behavior information altogether. If a vehicle is equipped with the necessary technology, consumers must be able to disable precise geolocation tracking.
The settlement is currently subject to a public comment period of 30 days following its publication in the Federal Register. During this time, the public can share feedback, which will influence the FTC’s decision on whether to finalize the order.
In the matter of Texas’ suit against Allstate, the state attorney general’s office said the company “collected trillions of miles worth of location data from over 45 million consumers nationwide and used the data to create the ‘world’s largest driving behavior database.’”
The suit alleges that “these actions violated the Texas Data Privacy and Security Act which created heightened protections for Texans’ sensitive data, including but not limited to precise geolocation information. The law requires clear notice and informed consent regarding how a company will use Texans’ sensitive data. Allstate never provided notice or obtained Texans’ consent to collect or sell their sensitive data.”
Allstate has denied the allegations, saying that Arity, its data analytics subsidiary, has been transparent and fully compliant with Texas laws and regulations.