The letter urges FTC Chair Khan to investigate automakers for disclosing millions of Americans’ driving data to data brokers without proper consumer consent. It highlights recent findings from investigative reports and oversight by Senator Wyden’s office, which uncovered that General Motors (GM), Honda, and Hyundai shared data with data broker Verisk Analytics. GM also shared data with other unnamed companies, while Honda and Hyundai shared data without properly informing consumers or obtaining consent. The letter accuses these companies of using deceptive practices to enroll consumers in data-sharing programs and misrepresenting the benefits of their programs. It calls for the FTC to hold the automakers and data brokers accountable for these practices and to investigate the broader issue of data sharing and its impact on consumers.
Dear Chair Khan:
We write to urge the Federal Trade Commission (FTC) to investigate automakers’ disclosure of millions of Americans’ driving data to data brokers, and to share new details about the practice uncovered in a recent oversight investigation. If the FTC determines that these companies violated the law, we urge you to hold the companies and their senior executives responsible.
Recent investigative stories published by the New York Times have raised public awareness into automakers’ sharing of data from their customers’ internet-connected cars with data brokers for subsequent resale to insurance companies. Although General Motors (GM) has been the focus of much of the news coverage, it is not the only auto manufacturer to have shared driver data. Senator Wyden’s office conducted follow-up oversight into three auto manufacturers — GM, Honda, and Hyundai — that shared data with the data broker Verisk Analytics. Each of these three automakers confirmed their disclosure of drivers’ data to Verisk, such as acceleration and braking data. GM also confirmed that it disclosed customer location data to two other companies, which it refused to name.
Verisk essentially acts as a credit agency for drivers. One of the company’s products, which it shut down in April 2024 following New York Times’ reporting, scored drivers on their safe driving habits using data from internet-connected cars. Automakers shared drivers’ data with Verisk, which mined it to prepare Driving Behavior Data History Reports. Verisk sold these reports to auto insurance companies and also provided automakers with some of this information, including a driving score and safe driving suggestions, to provide to their customers. GM and Honda confirmed that they required consumers to enroll in a specific voluntary program, in which Verisk’s role was obscured, before sharing their data. Hyundai enrolled all consumers who activated their new car’s internet connection into the company’s driving score program, which included sharing their data with Verisk.
General Motors
GM failed to obtain informed consent from consumers before sharing their data, and used manipulative design techniques, known as dark patterns, to coerce consumers into enrolling in its Smart Driver program, according to information the company provided Senator Wyden’s office. The attached screenshots provided by GM show that the company combined the opt-in for its Smart Driver program with consent to receive important emails notifying the driver when their car’s theft alarm goes off, and to receive safety reports identifying vehicle problems and necessary repairs. The lengthy disclosures presented by GM before the opt-in did not disclose to consumers that as part of enrolling in Smart Driver, their driving data would be shared with data brokers and resold to insurance companies.
GM declined to confirm how many cars’ data it shared with data brokers — the New York Times reported 8 million vehicles — or the price it was paid. GM has publicly confirmed that between 2015 and 2024, it shared data from cars enrolled by drivers in the company’s Smart Driver program with Verisk and, between 2018 and 2024, with LexisNexis Risk Solutions.
In addition to sharing data on drivers enrolled in its Smart Driver program to Verisk, GM also confirmed to Senator Wyden’s staff that it shared location data on all drivers who activated the internet connection for their GM car, even if they did not enroll in Smart Driver. These disclosures of location data — to other, unnamed third parties — have been going on for years.
In a May 13, 2021 oversight call with Senator Wyden’s staff which has not previously been made public, GM officials confirmed that the company was providing bulk, de-identified location data from GM cars to an unnamed commercial partner, which GM officials would not identify and referred to as “Company A.” During that oversight call, GM confirmed it did not seek informed consent from consumers for sharing this data. Company officials told Senator Wyden’s staff that the only way consumers could opt out of the data sharing was by disabling the car’s internet connection entirely.
In a follow-up phone call three years later, on May 16, 2024, GM confirmed that it stopped sharing location data with Company A in May 2023. GM continues to refuse to identify this partner; however, Sky News reported in 2019 that GM provided an “in kind” investment of driver data to a British data broker named Wejo, alongside a cash investment in the company. Wejo shut down operations in May 2023, the same month and year that GM told Senator Wyden’s office that it stopped providing location data to its unnamed partner.
During that May 16, 2024, follow-up call, GM officials also revealed that the automaker is now sharing customer location data with a different company, which they also refused to identify.
Honda
Between 2020 and 2024, Honda shared data from 97,000 cars with Verisk, which paid Honda $25,920, or 26 cents per car, and it did so without obtaining informed consent from consumers, according to information Honda provided Senator Wyden’s office. Consumers were not enrolled in this data sharing program automatically but had to enroll in an optional Driver Feedback program through the company’s mobile app, according to Honda. The attached screenshots, which Honda provided, show the use of dark patterns that obscured Honda’s disclosure of customer data to Verisk. On the enrollment screen, Honda asked consumers for consent for the company to track them so that it could determine the consumer’s driving score and their eligibility for insurance discounts. Users who provided consent were then prompted to accept the company’s lengthy legal terms, in which Honda stated that Verisk would receive the consumer’s data. However, Honda buried the disclosures about its business relationship with Verisk, which did not appear on the first page, and were not likely to be seen by many consumers.
Hyundai
Between 2018 and 2024, Hyundai shared data from 1.7 million vehicles with Verisk, which paid Hyundai $1,043,315.69, or 61 cents per car. Hyundai did not seek informed consent from consumers before sharing their data. Hyundai provided this information and other answers to questions posed by Senator Wyden’s office, as well as screenshots of the enrollment process, which are attached. Hyundai confirmed that, by default, the company shared data with Verisk from consumers who enabled internet connectivity, by automatically enrolling those drivers in its Driving Score program without telling them. Hyundai required drivers to click through a consent form to enable the internet connection for a new car, but the company did not disclose that it would also share consumers’ data with Verisk if they agreed. Once enrolled, drivers could disenroll from the program through the company’s website or app.
Deceptive Claims Implied Driving Data Would Only Lower Insurance Bills
Some automakers may have also deceived consumers by exclusively advertising these programs as a way to lower their insurance bills, without revealing that some insurers might charge some drivers more based on their telematics data. Honda described its program to consumers as a way to “get rewards for better driving” and that their information would be used to “determine your eligibility for insurance discounts.” Hyundai described its program as a way for consumers to “get rewarded for good driving habits” and that “Driving Score helps save you money.” But automakers could not guarantee that this data would only be used by insurance companies to provide discounts and that consumers would not pay more than if they had never enrolled in these programs. Moreover, Verisk officials confirmed to Senator Wyden’s office that the company’s contracts with automakers and insurers did not require that driver telematics data only be used to provide discounts.
Senator Wyden’s office spoke with a national expert at an insurance industry trade association, who confirmed that some insurance companies do in fact use driver data from telematics programs to raise premiums above the rate a consumer would have paid without telematics data. The insurance industry association expert also stated that only two states — Louisiana and Montana — currently prohibit the use of telematics data to raise insurance premiums, while California only permits telematics data to be used for mileage verification. Determining if insurance companies in fact used telematics data sold by Verisk to raise premiums, as opposed to using this data solely for discounts, would require a manual review of insurance industry filings to state insurance regulators, which are not easily searchable. However, Oregon’s state insurance regulator confirmed to Senator Wyden’s office that they are aware of insurers using telematics as a component in determining rates. They added that, in some cases, rates that incorporate telematics may result in higher premiums for consumers.
The problematic practices we have uncovered and documented in this letter are likely just the tip of the iceberg. We focused this recent oversight effort on automakers’ relationship with one specific data broker in order to determine if there is a problem that warrants further oversight by federal regulators. Verisk has publicly confirmed it sold driver data from three automakers, but the media has reported that other data brokers, like LexisNexis, are still selling driver data.
Companies should not be selling Americans’ data without their consent, period. But it is particularly insulting for automakers that are selling cars for tens of thousands of dollars to then squeeze out a few additional pennies of profit with consumers’ private data. The FTC has already taken action against data brokers that have committed unfair and deceptive acts or practices by selling location data obtained without consumers’ informed consent. Although two cases this year involved location data collected from smartphone apps, the same principle applies to location data collected from internet-connected cars. Moreover, given the potential harm to consumers from increased insurance prices, the same standard should apply to vehicle telematics data.
Accordingly, we urge the FTC to broadly investigate these auto industry practices. The FTC should hold accountable the automakers, which shared their customers’ data with data brokers without obtaining informed consent, as well as the data brokers, which resold data that had not been obtained in a lawful manner. Given the high number of consumers impacted, and the outrageous manipulation of consumers using dark patterns, the FTC should also hold senior company officials responsible for their flagrant abuse of their customers’ privacy.
Thank you for your attention to this important matter.