The highly active Attorney General’s office of Texas is continuing its pursuit of big companies that deal in big data, announcing a suit against General Motors (GM) over alleged consumer privacy violations. The suit claims that GM collected driver data and sold it to insurance companies without the knowledge or consent of its customers from 2015 onward, in violation of state laws regulating data privacy and data brokers.
Texas AG’s suit tied to broader investigation of use of driver data
The GM suit dates back to a broader investigation of auto makers initiated in June of this year by the AG’s Consumer Protection Division. The investigation is specifically examining whether driver data collected by modern smart vehicles is being misused under the terms of a variety of state laws governing data privacy, biometric privacy and data broker handling of personal information. The investigation is also looking at potential violations of federal law in the area of consumer privacy, namely the Children’s Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA).
The suit potentially includes all GM vehicles manufactured since 2015, when the company began making systems that collect and analyze detailed driver data standard in their new products. At this point in time the company began telling customers that they were required to enroll in certain products, including OnStar Smart Driver, or security features of their vehicle would be disabled. What was not clearly disclosed was that enrollment in these products also implied consent to collection and sale of what the state calls “highly detailed” driver data. A statement by Attorney General Ken Paxton characterized these products as “intrusive technology” and in violation of state consumer privacy laws requiring clear disclosure and collection of consent to share or sell such data.
The consumer privacy suit includes about 1.5 million Texas drivers that were impacted over the previous nine years. At minimum, drivers of GM vehicles had a “Driver Score” generated about them that was based on their regular use of the vehicle. This score was sold to unspecified insurance companies. Information used in this score includes violations of the speed limit and other traffic laws, location data, and how often and how hard the brakes are used, this information often being recorded without the driver being aware.
Consumer privacy suits push forward at the state level
The suit, the first of its kind in Texas to be brought against an automotive manufacturer, illustrates a pattern of states taking it upon themselves to prosecute data and consumer privacy issues in the ongoing absence of a federal law addressing these issues.
US auto insurance costs have spiked 19.5% in roughly the past year, and insurers have said that a perception of riskier driving by many motorists has been a big part of that increase. In addition to potentially increasing rates and premiums, insurers may have used this driver data in decisions to reject applications for coverage or cancel policies.
Third-party data brokers such as LexisNexis Risk Solutions and Verisk Analytics, both named as recipients of the GM driver data, create profiles on individual drivers that over time can sprawl into the hundreds of pages. It is not clear exactly how much revenue GM made from selling off this sort of driver data, but the AG’s office characterized the company as “profiting handsomely” off of it.
Should the Texas AG’s office prevail it would be seeking civil fines and remedies for impacted drivers provided for by the Texas Deceptive Trade Practices Act, though the total amount is not yet clear. GM and the data brokers it sold to would also be ordered to destroy these driver profiles.
Under Paxton, Texas has been one of the most active states in terms of filing consumer privacy lawsuits and taking regulatory action. Since 2020 the state has sued Google for having an illegal monopoly on internet search and search-based advertising, and has reeled in a $1.4 billion settlement from Facebook over its use of biometric data in user image tagging. It is also at the head of a 10-state coalition attempting to force social media platforms to revamp their content moderation policies to remove political bias from them, and would allow anyone removed from a platform for political speech to sue the platform. And it is part of an ongoing national investigation into Instagram that seeks more information about potential harms done to underage users. The Texas Data Privacy and Security Act was updated on July 1 of this year and is now considered one of the strongest consumer privacy laws in the country pertaining to personal data, paired with a long-existing biometric information regulation that is second only to Illinois in its exacting requirements.