US Senators Markey and Wyden have now sent a a third letter to the FTC asking them to investigate car makers bad privacy practices. (Woohoo!) This since we first called out cars for being a privacy nightmare in 2023. The first letter was about car companies’ evasive answers to Senator Markey’s data privacy questions. The second letter pointed to car companies that share information with law enforcement without a warrant. Both letters called out some truly terrible behavior by car companies, but this third letter… is something else. The Senators revealed brand new information about the extent of car companies’ data-sharing, selling, and blatant deceptions to consumers in their plea to the FTC.
Here are some of the most shocking things we learned about Hyundai, GM, and Honda’s relationship with Verisk – a data broker that, until recently, was selling “driving scores” to insurance companies based on drivers’ actual driving habits often without drivers’ knowledge or consent.
Hyundai has been sharing drivers’ data with the data broker since 2018
Hyundai enrolled all drivers who activated their cars' internet connection to a data-sharing program that involved sharing their personal information with a data broker. Why all connected cars? Probably because your car has to connect to the internet to share its driving data. So basically, Hyundai says they shared drivers’ data whenever they had it, without drivers’ knowledge or consent.
Hyundai did not seek informed consent from consumers before sharing their data. [...] Hyundai confirmed that, by default, the company shared data with Verisk from consumers who enabled internet connectivity, by automatically enrolling those drivers in its Driving Score program without telling them.
Senator Wyden and Markey’s July 26 letter to the FTC
Really, Hyundai? So when you said in your letter to Senator Markey that you only shared drivers’ data if they “subscribed to Driving Score” what you really meant is all connected-car-drivers, since they were all automatically enrolled in your driving score program. That is some Olympic-level trickery. Hyundai admitted to sharing drivers’ data since 2018 and for practically nothing. Ouff.
Between 2018 and 2024, Hyundai shared data from 1.7 million vehicles with Verisk, which paid Hyundai $1,043,315.69, or 61 cents per car.
Senator Wyden and Markey’s July 26 letter to the FTC
Oh, and once Hyundai has that data, they hang on to it for a very long time, according to a previous letter from both Senators to the FTC – way longer than they need to retain it to provide you with any service.
Hyundai indicated that the company routinely collects and retains vehicle location data for up to 15 years.
Senator Wyden and Markey’s April 30 letter to the FTC
GM has been sharing location data with an “unnamed partner” since 2021
We know, thanks to investigative journalism by the New York Times, that GM tricked drivers into opting in to a program that allowed their data to be shared with a data broker. But it turns out, their tactics were even more manipulative than that. GM combined opting into their Smart Driver program with getting notifications that drivers needed.
The attached screenshots provided by GM show that the company combined the opt-in for its Smart Driver program with consent to receive important emails notifying the driver when their car’s theft alarm goes off, and to receive safety reports identifying vehicle problems and necessary repairs.
Senator Wyden and Markey’s July 26 letter to the FTC
So let’s get this straight. Even in the teenie tiny fine print before clicking “I accept” when setting up your new car, GM did not tell drivers that opting in to “OnStar Smart Driver” meant that their personal information and driving habits could be shared with a data broker. What they did say in bold bullet points, is that opting in means getting “theft alarm notifications” and “[s]ervice notifications from your dealer”. Want to be notified when your car is being stolen or needs repair? Click this little box, GM said, which also secretly meant drivers’ data would be shared.
But hang on because it gets worse. Even if, by some miracle, drivers did not opt in to the “Smart Driver program” GM still shared location data from connected cars.
In addition to sharing data on drivers enrolled in its Smart Driver program to Verisk, GM
also confirmed to Senator Wyden’s staff that it shared location data on all drivers who
activated the internet connection for their GM car, even if they did not enroll in Smart
Driver. These disclosures of location data — to other, unnamed third parties — have been
going on for years.
Senator Wyden and Markey’s July 26 letter to the FTC
In May of 2021, the letter says, GM confirmed that they shared “de-identified location data from GM cars to an unnamed commercial partner” without drivers’ knowledge or consent. In May of this year, GM says they’re now sharing location data with a different partner that they still refuse to name. We should point out that it can be very hard to truly de-identify location data when it shows everywhere you go and where you park your car at night.
Honda sold drivers’ data for just 26 cents
Oh, Honda. You sold out your drivers for the cost of a gumball?
Between 2020 and 2024, Honda shared data from 97,000 cars with Verisk, which paid
Honda $25,920, or 26 cents per car, and it did so without obtaining informed consent from consumers, according to information Honda provided Senator Wyden’s office.
Senator Wyden and Markey’s July 26 letter to the FTC
Honda reportedly only shared drivers’ data if they opted into a “Driver Feedback program” through the app. But, of course, they made it really difficult for drivers to see that opting in to the program meant that their information would be shared with a data broker by burying that information in the fine print.
Honda, like many car companies, also misled drivers implying the program would help drivers save money according to the letter. The truth is, there’s no guarantee that drivers’ rates would be lowered and driving data can (and has been) used to increase drivers’ insurance premiums.
Senators Markey and Wyden say these findings are likely the “tip of the iceberg”
Why are we suddenly getting all this information from these specific three car-makers? Well after we called cars the worst product category we’ve ever reviewed for privacy and pointed out that many car-makers privacy policies say they may share or sell drivers' data with third parties and insurance companies, that raised an eyebrow for Kashmir Hill at the New York Times. She investigated and exposed automakers’ relationship with data broker Verisk. That left GM, Hyundai, and Honda (who were named as having a relationship with the data broker in the piece) with some ‘splaining to do. So US Senators Wyden and Markey followed up with those companies directly. Their shocking answers inspired the Senators’ letter. That’s why the Senators suspect that these findings are just the tip of the iceberg. After all, there are sooo many more data brokers out there that claim to have driving data from cars.
While we’re mad as heck about the new information we learned from the Senators’ investigation, we’re really grateful to the Senators for pointing this out to the FTC and hopeful these findings will help push for better privacy protections for us all. The FTC already warned the auto industry that they intend to hold them to the same standard as other companies they’ve taken action against in the past, saying specifically that, “the collection, use, and disclosure of location can be an unfair practice”. Hmm, it sure does seem unfair in this case, so here’s hoping we have more updates from the FTC soon.
Hey! If you support our work holding car companies (and all companies) accountable for their bad privacy practices, please toss a donation our way to help us be the spark that lights a fire for change.
Jen Caltrider
During a rather unplanned stint working on my Master’s degree in Artificial Intelligence, I quickly discovered I’m much better at telling stories than writing code. This discovery led to an interesting career as a journalist covering technology at CNN. My true passion in life has always been to leave the world a little better than I found it. Which is why I created and lead Mozilla's *Privacy Not Included work to fight for better privacy for us all.
Zoë MacDonald
Zoë is a writer and digital strategist based in Toronto, Canada. Before her passion for digital rights led her to Mozilla and *Privacy Not Included, she wrote about cybersecurity and e-commerce. When she’s not being a privacy nerd at work, she’s side-eyeing smart devices at home.