The Texas Attorney General’s office has already taken aim at Google and Meta, and it appears General Motors (GM) is the next company in its crosshairs. A consumer privacy lawsuit will test the boundaries of what the AG’s office calls “surveillance devices on wheels” as GM is being taken to task for surreptitiously collecting driver data and selling it to third parties.
The suit is the first of its kind in Texas, but is also a rare example of consumer privacy regulators in the US going after car companies over the data that modern “smart cars” collect. This particular suit applies to GM vehicles made from 2015 to present and is thought to impact about 1.5 million Texas drivers.
State Consumer Privacy Regulations Expand Focus in Absence of a Federal Solution
States still vary in their consumer privacy laws, but Texas recently bolstered its central data protection law (the Texas Data Privacy and Security Act) and has used it and several other biometric privacy and anti-competition laws to pursue some of the biggest players in the “big data” game under Attorney General Ken Paxton. One of the big trophies collected by this campaign is a $1.4 billion settlement from Meta, paid out due to its use of biometric information to identify and tag users in photos uploaded to Facebook.
All of this takes place as there is still no real federal-level data privacy bill in site, with some sort of contentious partisan issue always seeming to take center stage and push stop-and-start efforts back into a corner. It also takes place as data brokers continue to centralize information and look for new veins to tap, and vehicles have become a point of focus for them in recent years. The suit names LexisNexis Risk Solutions and Verisk Analytics as two of GM’s partners in the collection and use of driver data, with reams of it captured every day as motorists go about their regular business.
Use of Driver Data May be Scrutinized by Other States
The Texas AG made driver data a specific focus of a consumer privacy investigation into GM and the other major auto manufacturers, initiated in June. Thus far this is the first legal or regulatory action to come out of that investigation. But, given that essentially all car companies are collecting buckets of personal information from their drivers, it is likely that more legal action will be taken against other automakers (and in other states that have comparable privacy laws in place).
One of the central problems the Texas suit outlines is rampant misdirection and simple failure to disclose how much data is being collected and who it is being shared with. Since 2015, GM’s new vehicles have prompted buyers to sign up for various products (such as OnStar Smart Driver) that it says are necessary for vehicle security features to function. But it has not disclosed that these products also collect a wide variety of driver data that is then sold off to third parties, primarily insurance companies looking to profile drivers for the purposes of setting rates and making decisions about approving or denying coverage.
At the center of GM’s consumer privacy issues is a “Driver Score” that is generated from collected everyday driver data, a broad and detailed variety such as how fast the motorist goes and how hard and often they apply the brakes. It also reportedly includes location information. The suit claims that GM vehicle drivers were not sufficiently made aware that this scope of information was being collected on them and sold.
In addition to potentially violating several different Texas state laws, the AG’s investigation has also looked into the possibility that GM violated COPPA and HIPAA federal laws with its driver data collection.