
Why Hitting a Goldmine of Driver’s Data May Lead to Significant Violations

As society becomes technologically more advanced, so do our cars. Nowadays, car manufacturers are developing vehicles that connect to the Internet and mobile devices (e.g., cell phones), providing convenience and an intuitive driver experience.

Cars are becoming “smarter” as they connect with internet-enabled devices and features. We can spontaneously ask the car’s navigation system to find an alternative route to avoid heavy traffic based on its geolocation data or request to make a call to the doctor’s office by allowing the car to access the phone’s contact list.

The convenience of using personal data on the road can come in handy, but there is a risk that the car may be eavesdropping or spying on our data inside the cabin and passing the data to the car manufacturer and other third parties without our knowledge. This article will dive into recent U.S. enforcement and investigative trends on driver’s data and explore what laws are currently in place or are in the pipeline to protect driver’s data.

Driver’s data are sold to insurance companies to set rates

Driver’s data usually includes precise geolocation and driving behavior data (e.g., hard braking and acceleration), which can be gathered via your mobile phone when connected to the car and if certain app trackers are installed. Such data is desirable to car manufacturers and insurance companies, but irresponsible data practices can land them in hot water.

The Texas Attorney General (AG) sued Allstate and its subsidiary Arity for aggregating and selling access to a massive database of 45 million Americans’ driving behavior and geolocation data. The data was obtained, without the drivers’ knowledge or consent, via Arity’s software development kit (SDK) embedded in drivers’ mobile devices and by purchasing driving behavior data from other car manufacturers. The suit is the first data privacy enforcement action under the state’s Data Privacy and Security Act (TDPSA). Access to the database was available to third parties, such as car insurers, who used the data to raise insurance rates.

Texas is not letting car manufacturers off the hook. The AG has sent several notices of inquiry to Ford, Hyundai Motor America, Toyota Motor North America, and Fiat Chrysler Automobiles U.S., demanding information about their data collection and sharing practices involving consumer and driving behavior data. Notably, the AG issued a warning to Kia America after the company allegedly deceived consumers into enrolling in its insurance savings program but failed to inform them that their driver’s behavior data would be shared with third parties to determine insurance rates.

Another prominent case involved the Federal Trade Commission (FTC) proposing an order against General Motors (GM) and its subsidiary OnStar for non-compliance with the FTC Act. GM allegedly used deceptive enrollment practices to persuade consumers to sign up for its OnStar-connected vehicle service and the OnStar Smart Driver feature. However, the company failed to obtain consumers’ consent and to disclose that their precise geolocation and driving behavior data would be collected and sold to third parties.

Specifically, consumer reporting agencies used such data to establish consumer credit reports and shared them with insurance companies to set rates. Under the proposed order, GM and OnStar are both prohibited from sharing any geolocation or driver behavior data with third parties for five years, must obtain consent before collecting connected driver’s behavior data, and must establish a mechanism to allow consumers to limit data collection and opt out of the collection of geolocation and driving behavior data.

Driving behavior data can be sensitive personal data since it is often associated with precise geolocation data, so it is paramount to comply with state consumer privacy protection laws and other applicable laws.

In-vehicle video footage and vehicle tracking can be driver’s data

Last year, California was on top of protecting driver data beyond behavior data and precise geolocation data. Footage of activities within a vehicle may constitute driver data, and this practice must be brought to the driver’s attention.

Effective January 1, 2024, car manufacturers and dealerships in California have an obligation to notify consumers that a vehicle is equipped with one or more in-vehicle cameras in the owner’s manual before selling or leasing a vehicle. They must also provide a separate disclosure form for consumers to sign, acknowledging the cameras. Footage from the cameras cannot be used for advertising purposes or shared with third parties without consent and can only be disclosed for service repairs. Additionally, manufacturers and dealerships must provide consumers with the means to withdraw their consent to recording.

California is also paying legislative attention to rental car companies. Effective January 1, 2025, California removed the sunset date of January 1, 2028, to indefinitely extend current laws that govern rental car companies’ activation of surveillance trackers in rental cars that are not returned within a specific period. The new law shortens, from 72 to 24 hours, the time that a rental company must wait after the contracted or extended return date before activating surveillance trackers in the car. It also establishes the conditions under which it is permissible to access driving behavior data obtained from the technology (in this context, data relating to the renter’s use of the rental vehicle), and sets out record retention requirements of 12 months after the activation of the technology.

More legislation about location data is on the way

Some bills broadly govern the use of consumer precise geolocation data, but they could still apply to driver’s behavior data involving location data. Practice due diligence to consider all applicable laws before collecting, processing, and disclosing location data.

  • Oregon’s HB 3875 would apply the requirements of the state’s consumer privacy law to car manufacturers in how they process consumers’ driving behavior data, irrespective of the number of consumers served;
  • Illinois SB 2121/HB3712 establishes prohibitions for a covered entity to collect or process individuals’ precise geolocation data, except for permissible purposes, and provides measures to be taken before processing location data;
  • Kentucky HB 20 establishes prohibitions on the use of tracking devices, such as installing the device in a motor vehicle without the owner’s/lessee’s knowledge or consent and using the device to track the location of a motor vehicle without the owner’s/lessee’s knowledge or consent.

California’s AG announced the start of its investigative sweep into businesses’ collection, processing, and sales of consumers’ location data earlier this month. This initiative focuses on how businesses offer and allow consumers to exercise their right to limit use and stop selling and sharing of their geolocation data. So, now’s the time to reassess how you process consumers’ driver’s location data.

Notice and consent are crucial before you process driver’s data

Competent authorities are doubling down on their enforcement actions, and it’s high time to double-check if your data collection and processing practices are legal. The key to staying on the right side of the law is to clearly notify your consumers if their driver’s behavior data will be collected and shared with third parties and for what purpose, and obtain explicit consent from them, so they know exactly what they are consenting to and how their data will be used.

Also, all relevant data privacy protection laws concerning precise geolocation data and trackers should be considered since driver’s behavior data can encompass such sensitive data in its scope.
