Automakers are sharing “millions of Americans’ driving data” with data brokers without their consent, according to a letter sent by lawmakers to the Federal Trade Commission (FTC) that called for an investigation into the matter.
The company used to sell a product that rated drivers on their safe driving habits. Data were sourced from internet-connected cars, with automakers sharing the information with Verisk.
Verisk used these data to prepare driving behavior history reports that were sold to auto insurance firms. The company stopped selling the product after media outlets reported on the issue earlier this year.
“If the FTC determines that these companies violated the law, we urge you to hold the companies and their senior executives responsible,” the letter reads.
According to information GM provided to Wyden’s office, the company “failed to obtain informed consent from consumers before sharing their data, and used manipulative design techniques, known as dark patterns, to coerce consumers into enrolling in its Smart Driver program.”
The company did not disclose to customers that when they enroll in the Smart Driver program, “their driving data would be shared with data brokers and resold to insurance companies,” according to the letter.
Moreover, the car manufacturer shared the location data of all drivers who activated the internet in their vehicles, even when they had not enrolled in Smart Driver, the company told the senator’s office. This information was then distributed among other parties.
Meanwhile, Honda shared data from 97,000 cars with Verisk between 2020 and 2024. Honda was paid 26 cents per car, receiving $25,920. The company engaged in the practice “without obtaining informed consent from consumers.”
When customers signed up for Honda’s Driver Feedback program, they had to accept lengthy legal terms. While the company mentioned that the collected data would be sent to Verisk, this disclosure “did not appear on the first page“ and was ”not likely to be seen by many consumers,” the letter stated.
Hyundai sold the data from 1.7 million vehicles with Verisk between 2018 and 2024 for a total of $1.04 million.
When Hyundai customers wanted to enable internet connection in their cars, they had to click through a consent form. Like with other brands, Hyundai did not disclose that agreeing to the consent form and activating the internet would mean that their data would be shared with Verisk.
“The problematic practices we have uncovered and documented in this letter are likely just the tip of the iceberg,” the lawmakers wrote in the letter.
Company Responses
Responding to the letter, GM denied that it deceived customers into enrolling in the data-sharing program with Verisk. Data-sharing partnerships with Verisk and LexisNexis were canceled in March, and its data-sharing program called “Smart Driver” ended in June, GM stated.“Data was only shared with an insurer if a customer initiated a quote directly with their chosen carrier and provided a separate consent to that carrier,” the email reads.
The company said it does share “de-identified” data with partners to aid city infrastructure and make roads safer.
In a statement, Hyundai said the senators’ letter mischaracterizes its data policies and that it has safeguards to make sure customers agree to sharing driving information with insurers.
Customers, it said, had the option to connect driving scores to their insurers through Verisk for possible benefits such as good-driving discounts.
“It is important to note that Verisk was not authorized by Hyundai or the customer to share the Drive Score data with insurers until the customer affirmatively consented to this on an insurer’s website or app,” Hyundai said.
Honda also said that customers had to opt into the program with Verisk. Some customers with good driving scores were given the chance to agree to discount offers from insurers.
“Without that clear second opt-in by the customer, no identifiable consumer information was shared with any insurance company,” Honda said.
Data Compromise
A September 2023 report from the Mozilla Foundation also warned that several automakers collected personal data from consumers and sold or shared data with third parties. Most car owners were unaware about the amount of private data that was being collected and how it was used.Among the many pieces of information that are routinely left in car memory are phone books, call logs, passwords, biometrics, text messages, navigation history, home addresses, third-party apps, vehicle credentials, garage door codes, medical information, and financial details.
“We’re looking at a few components and some software, not the whole car, but it would be some of the key driver components of the vehicle that manage the software and manage the data around that car that would have to be made in an allied country,” Alan Estevez, undersecretary of Commerce for Industry and Security, said during a recent forum.
“A modern car has a lot of software in it. It’s taking lots of pictures. It has a drive system. It’s connected to your phone. It knows who you call. It knows where you go. It knows a lot about you.”