A data-collection lawsuit against General Motors Co. may be a harbinger of things to come as connected vehicles meet greater legal scrutiny from regulators, experts told Automotive Dive.
General Motors is confronting a lawsuit over claims it unlawfully collected and sold the private driving data of 1.5 million people in Texas to third parties, who purportedly used the information to score driver behavior and sold it to insurers to manipulate consumers’ insurance rates.
The automaker allegedly did not inform customers it would sell their data or disclose it had contracts allowing third-party companies to resell driving scores to insurers, per the lawsuit. In a statement, GM said it shares the desire to protect consumers’ privacy and that it is reviewing the complaint, Legal Dive reported.
Texas Attorney General Ken Paxton said the state will hold GM accountable for its “egregious business practices.” The news comes about two months after Paxton announced his office was investigating multiple automakers over the allegations, which stemmed from a March report by The New York Times.
“Companies are using invasive technology to violate the rights of our citizens in unthinkable ways,” Paxton said in an Aug. 13 press release. “Millions of American drivers wanted to buy a car, not a comprehensive surveillance system that unlawfully records information about every drive they take and sells their data to any company willing to pay for it.”
The case against GM comes as a Federal Trade Commission investigation and global privacy regulations on connected vehicles also ramp up, highlighting the complex web of rules automakers must consider as they develop the next generation of products.
FTC crackdown adds to uncertainty
In May, the Federal Trade Commission said it will take action against companies that unlawfully collect and use connected car data, such as biometric, telematic and geolocation information. The agency settled a case in 2019 against DealerBuilt, which provides software and data services to car dealers, alleging poor data security practices that exposed the personal information of millions of consumers.
The FTC also amended the safeguards rule in 2021 and 2023 to strengthen consumer data protections for non-banking financial institutions like car dealers and mandate additional data breach reporting for such organizations, a spokesperson said in an email.
However, federal officials may have significantly less power to regulate connected car data privacy after the U.S. Supreme Court in June ended “Chevron deference,” a longstanding legal doctrine that deferred to a federal agency’s interpretation of the legislation when the law was ambiguous.
Legal experts are still unsure how the sweeping ruling will affect policymaking, especially when it comes to specific regulations, said Melissa Ventrone, an attorney who leads the cybersecurity, data protection and privacy practice at law firm Clark Hill.
“I don't think any of us can really see what the future looks like,” Ventrone said.
The court decision, however, probably won’t affect the FTC’s ability to take action against the automotive industry, an FTC official said in an email, noting that most of the agency’s lawsuits are not related to statutory authority.
Reducing legal risk
In addition to federal action, OEMs and suppliers must contend with unique consumer data privacy laws in 20 U.S. states, the European Union and other markets, making compliance difficult.
Ravi Puvvala, general manager of the strategic business unit at the Center for Automotive Research, said regulations in the EU “are a lot more stringent” than in the U.S. and that many policies developed in Europe eventually “trickle down to us” but still lag behind.
Data privacy covers the rules, guidelines and personal choices about who can access data and how much, according to the National Cybersecurity Alliance. Experts say that greater disclosure can help automakers reduce their legal risk.
“From a privacy perspective, it will be incumbent upon OEMs and other stakeholders in the automotive industry to inform users about data collection practices, potential risks, and how to protect vehicle data,” said Samuel Goldstick, a data privacy and cybersecurity attorney at law firm Foley & Lardner, in an email. “Users should be given clear, easy-to-understand privacy policies and instructions on how to adjust data collection settings or how to opt-out completely (where appropriate) – or otherwise risk potential exposure to class action claims and/or regulatory scrutiny.”
As a result, automotive executives “really need to be joined at the hip” with their in-house and outside counsel during product development, said Rocco Grillo, managing director and head of the global cyber risk and incident response services practice at consultancy Alvarez & Marsal.