We regularly hear stories about companies that are selling your sensitive personal information — including your location data — to the highest bidder. The latest culprit appears to be General Motors.
The Federal Trade Commission alleges that GM and OnStar — GM’s subscription-based in-vehicle safety and security system — collected, used, and sold drivers’ precise geolocation data and driving behavior information from millions of vehicles without adequately notifying consumers and obtaining their consent.
On Thursday, the agency issued a proposed order to ban the company from selling such data to consumer reporting agencies for five years.
In its complaint, the FTC alleged that GM used a “misleading enrollment process” to get consumers to sign up for OnStar. Some users reported being unaware that they signed up for OnStar’s Smart Driver feature, which promised to use driving data to help drivers improve their vehicle’s performance and encourage safer driving.
“GM monitored and sold people’s precise geolocation data and driver behavior information, sometimes as often as every three seconds,” FTC Chair Lina M. Khan said in a statement.
This is the latest issue to beset the carmaking giant in recent weeks. Last month, GM pulled the plug on funding its autonomous vehicle unit Cruise, a company into which GM has invested more than $10 billion.
Thursday’s settlement with the FTC follows an investigation by The New York Times’ Kashmir Hill, who found GM had been collecting details about its customers’ driving habits — including every instance of hard braking, late-night driving, and speeding — and selling the records to insurance companies and third-party data brokers. The result was that drivers began seeing higher insurance premiums, but couldn’t figure out why.
The potential misuse of customers’ data goes beyond increased insurance premiums. A person’s geolocation data can reveal the most intimate details of a person’s life, including where they live and work, and whether they visited a medical facility or place of worship. In the wrong hands, location data poses a serious danger to, for example, abortion seekers across the country.
As part of the FTC’s proposed order — if approved by a court — GM and OnStar will be banned from disclosing data to consumer reporting agencies, and would also need to obtain affirmative express consent from consumers before collecting any vehicle data in the future. The automaker would also need to allow customers to obtain and delete their data, as well as limit the data collection from their vehicles.
GM said in a statement that the FTC’s consent order captures “steps we’ve already taken to establish choices for customer data collection and communication about how the information is used.” The automaker said that last year it ended its Smart Driver program, unenrolled customers, and stopped selling telematics data to analytics companies LexisNexis and Verisk.
“In September, we consolidated many of our U.S. privacy statements into a single, simpler statement as part of our broader work to keep raising the bar on privacy,” reads GM’s statement. The company also noted that it has expanded its privacy program to provide customers in all 50 states with options to access and delete their personal information.
The FTC’s order will be subject to a 30-day public comment period before a final ruling goes into effect.
TechCrunch has reached out to the FTC for additional information and will update if we hear back.
This article has been updated with additional context from GM.
