Data is the crude oil of our digital age, the key raw commodity mined, refined, and eventually monetized by the world’s biggest and most profitable corporations. To put it another way: if information is power and money is power, information is money. This might explain why carmakers are reportedly selling drivers’ data through third-party data brokers to insurance companies. The practice has now drawn the scrutiny of both Congress and the FTC (Federal Trade Commission).
A New York Times report from March of this year outlined how car companies are harvesting and selling car owners’ data. Central to the process are third-party data brokerages like Lexis Nexis and Verisk. According to the Times, these companies buy driver data to create risk reports which are then sold to insurance companies. The data collected includes information like duration, distance, and times of travel, instances of rapid acceleration, hard braking, and speeding, basically everything minus location data.
Modern cars offer all manner of “connected” capabilities, from Wi-Fi hotspots and navigation to satellite radio and virtual assistants. The conduit for collecting driver data is though internet connected systems like GM’s OnStar Smart Driver which provided users a driving score (accessed through GM’s suite of apps that include MyCadillac, MyChevrolet, etc.) and was pitched by the company as a way of encouraging safe driving habits. Other companies have features or apps that likewise collect driving data to provide “Driver Feedback” or a “Driver’s Score.”
According to the Times, permission to send this data to third parties is contained in terms of service agreements with language providing for the collection of “usage-based insurance providers.” Carmakers then monetized this data, selling it to companies like Lexis Nexis who in turn sell it to insurance companies.
The practice has caught the attention of consumer advocates, Congresspeople, and federal regulators. Last November, Sen. Ed Markey of Massachusetts wrote a letter to 14 carmakers warning them against playing fast and loose with customer driving data. In the letter, Markey notes that Mozilla researchers could not decipher “minimum standards for the security of customer data” amongst the user agreements of 25 major carmakers. Both Sen. Markey and Sen. Ron Wyden of Oregon have recommended the FTC formally investigate the data collection practices of carmakers.
The FTC, for its part, issued a blog post* in May of this year admonishing carmakers against the “surreptitious disclosure of sensitive information.” The post cites recent instances where the FTC has cracked down on the collection and sale of geolocation data. The post cautions that “firms do not have a free license to monetize people’s information beyond purposes needed to provide their requested product or service…”
Following the flurry of questions, GM has dramatically shifted course. The company says it has cut ties with third-party data brokers Lexis Nexis and Verisk (in March), discontinued the OnStar Smart Driver program, and hired a new Chief Trust and Privacy Officer Alisa Bergman as of late April.