On August 13, the Texas Attorney General’s Office announced that it has filed a lawsuit against General Motors (GM), accusing the company of illegally collecting and selling the private driving data of more than 1.5 million Texas drivers. The Texas Attorney General’s Office alleges that GM engaged in false, deceptive, and misleading business practices in its handling of driver data, leading to the lawsuit under the Texas Deceptive Trade Practices-Consumer Protection Act (DTPA).
Facts
Texas Attorney General Ken Paxton stated that the lawsuit stemmed from an investigation conducted in June into several automakers regarding whether they had unlawfully collected and processed data generated during vehicle use. The investigation revealed that GM forced users to register in order to use their vehicle's in-car systems, making them unknowingly "agree" to GM collecting and selling their data. GM promoted its in-car systems and services as tools to enhance safety, entertainment, control, and convenience. However, GM's privacy policy did not fully disclose the actual practices of data collection, use, and sale. Consumers were misled during the car purchase process, thinking they had to register for the in-car systems and services to use their vehicles, when in reality, this process was designed to enroll them in GM's data collection program. GM also incentivized dealership employees with bonuses to encourage consumers to register for its products and services. If consumers attempted to decline registration, they were met with various "warning" messages, leading them to believe that refusing to register would disable their vehicle’s safety features.
Since 2015, GM has installed advanced in-car systems in its vehicles, which collect, record, analyze, and transmit specific data about vehicle usage, known as "driving data." This data includes vehicle location, driving routes, driving times, driving behavior (such as hard braking, rapid acceleration, speeding, nighttime driving, and seatbelt usage for both driver and passengers), and the distance of each trip. Through these systems, GM has collected data from over 14 million vehicles, involving more than 1.5 million Texas residents.
GM entered into agreements with several insurance companies and other businesses, selling driving data to third parties. At least two of these companies used the data to generate "driving scores" for drivers based on "risky driving factors" (like hard braking and rapid acceleration) and sold these scores, along with related data, to insurance companies. Regardless of whether users opted into such programs for potential premium discounts, insurance companies adjusted premiums based on the driving scores they obtained. In extreme cases, driving scores could even lead to coverage denial or significantly higher premiums.
Moreover, GM, through agreements with companies like Verisk Analytics Inc. and Jacobs Engineering Group Inc., not only sold the driving data of its own users but also attempted to acquire driving data from customers of other automakers through these companies to further expand its data sales business. The lawsuit claims that these agreements have brought GM significant profits, with the company earning at least millions of dollars in illicit revenue solely from selling this data to other companies.
Attorney General Paxton stated that GM used "intrusive" technology to engage in deceptive business practices, infringing on the privacy of Texas citizens and violating the law. The Attorney General’s Office intends to hold GM accountable for its unlawful actions.
Compliance Implications
Although GM is the first company to be sued in Texas, Hyundai-Kia Group is facing a similar lawsuit in California. Additionally, reports suggest that companies like Tesla and Ford have also linked data collection to certain optional vehicle features. These features may include various safe driving applications, and once these features are activated, the system automatically transmits driving data to data brokers, who then sell the data to interested third parties such as insurance companies.
The data privacy lawsuits against companies like GM serve as a reminder to automakers to strictly comply with privacy laws regarding data collection, use, and sharing to effectively mitigate data privacy risks. Companies must ensure transparency in the data collection and usage process, clearly informing consumers about the types of data being collected and their specific purposes. Additionally, data collection should adhere to the principles of legality and necessity, limiting it to what is required for service provision. When using technologies that involve monitoring and tracking, companies must obtain clear, informed consent from users in a lawful manner to avoid violating user privacy rights. Complying with relevant privacy regulations is not only essential to avoid regulatory penalties but also to protect customer privacy, maintain corporate reputation, and build a positive corporate image.
