GM, OnStar Settle Privacy Issues

Who’s looking for some consumer privacy news? Because General Motors just agreed to an overhaul of how it collects and uses driver geo-location data, in a settlement that has almost all the hallmarks of a traditional privacy enforcement action. (Minus any monetary penalties, of course; this is still the Trump 2.0 era we’re talking about.)

The Federal Trade Commission announced the settlement with GM and its OnStar subsidiary today, almost one year after the FTC first filed a complaint against the two companies for using misleading enrollment processes to get consumers to sign up for OnStar’s connected vehicle service. The FTC said GM didn’t clearly disclose to customers that it collected their precise geolocation and driving behavior data, and then sold that information to third parties without customer consent.

Today’s settlement imposes a five-year ban on GM disclosing  geo-location and driver behavior data to “consumer reporting agencies,” such as data brokers who collect and re-sell personal data to determine auto insurance rates. It also requires GM and OnStar to implement numerous data privacy reforms, such as obtaining affirmative user consent before collecting or sharing data, allowing users to disable data collection, and giving them the right to see data collected about them and then have it deleted.

If all that sounds familiar, that’s because the remediation steps (affirmative consent, right to opt out of data collection, the right to be forgotten) are quite similar to what’s required under the EU General Data Protection Regulation. It’s yet another reminder that absent any national U.S. data privacy law, the principles of GDPR will keep seeping into U.S. privacy enforcement.

Anyway, for privacy and information security professionals, this is yet another chance to take a look at what practices led to GM and OnStar getting pulled over by regulators; and what steps you can take today to avoid a similar traffic stop in the future.

The Data Collection Practices in Question

As described in the original FTC complaint filed one year ago in the final days of the Biden Administration, GM’s troubles began in the late 2010s as it implemented OnStar with expanded data services. To activate those data services, customers had to accept OnStar’s terms of service, which included GM’s latest privacy statement.

That statement said OnStar “may” share data collected about consumers, but “did not present the collection, use, and sharing disclosures in a form that would allow a consumer to understand the invasiveness of the data collection and sharing the identities of the entities with which the data would in fact be shared, or the purposes for which the data would be used,” according to the FTC.

So, issue No. 1 for other privacy officers: Are you explaining your data collection practices and purposes in a way that allows consumers to understand what you’re collecting, why, and who else might see it?

More broadly, GM’s privacy statements did say consumers could decline to participate in OnStar’s data collection; but the FTC said those disclosures were imprecise and could be misleading. For example, the privacy statement did say, “some collection and sharing practices are tied to the products and services we offer. To stop the collection or sharing of some information, you may have to decline those products and services or be willing to accept limited functionality.” OK, but which sharing practices were tied to what products? How limited would the functionality be if someone declined? GM didn’t say, and the FTC didn’t like that.

Issue No. 2 for other privacy officers: When you present an opt-out choice to customers, are you clear and complete enough in disclosing what they won’t get by opting out of data collection?

The above two issues involve how GM collected information about its customers. The FTC complaint also faulted GM for how it shared that information with third parties.

For example, GM at first collected driver information — including details such as exact location every three seconds, speed, vehicle ID number, and the like — for internal purposes only. By the late 2010s, however, it was selling that telematics data to research firms, data brokers, and other third parties that wanted the bulk data. Eventually GM was collecting and sharing the data on 9 million vehicles.

Except, according to the FTC, OnStar’s terms of service and privacy statement didn’t inform consumers that their precise geolocation data would be sold to third parties, or those parties’ other business partners, or what any of those other businesses might do with the driver data. The fault here, the FTC said, was a failure to get consumers’ informed consent.

Issue No. 3 for other privacy officers, then: Are you providing a sufficiently fulsome disclosure of any data-sharing agreements you have, such as the names or types of those parties, their intended purposes with the data, and what might happen to the data if your sharing relationship ends?

Generic consent of the “we might share your data with people to do stuff” variety won’t be enough.

GM’s Data Privacy Reforms

As we noted above, the first settlement term is that GM can’t share driver data with any consumer reporting agency for five years. I’m more interested in the other improvements GM must make to its data privacy program for the next 20 years (a standard term for FTC privacy settlements). The most notable provisions…

First, affirmative user consent for all data collection or sharing, except for a few circumstances such as disclosing data to emergency responders in response to a lawfully issued subpoena. Notably, GM will need to collect affirmative user consent for each feature or service it offers; no blanket consent that covers all apps and services all at once.

Second, a data minimization requirement, where GM must “refrain from collecting more covered driver data than reasonably necessary to fulfill the specific purpose for which it was collected.” We often see this clause in FTC privacy settlements, but it’s vague. Privacy officers will need to tussle with First Line operating teams about exactly what data you do need, and I can imagine those conversations will not be fun.

Third, a data retention schedule, which must identify the categories of data collected; the purpose for collecting that data; and the specific timeframe for keeping that data, “limited to the shortest time necessary to fulfill the purpose for which the data was collected.” So again, expect some robust conversations with marketing, business analytics, or product development teams if you try this at home.

Fourth, a customer right to see data collected about them and the right to have it deleted. This is analogous to the data subject access request provisions of the GDPR and the California Consumer Privacy Act, as well as the right to be forgotten under the GDPR and other privacy laws. The FTC settlement says GM must provide “a simple, easily located means” for data requests (although it doesn’t specify how quickly a request must be fulfilled).

All in all, this FTC order is about putting consumer privacy first. That is, GM has to give consumers clear, readily exercisable control over their data; and GM has to constrain itself in the amount of data it collects and how long it keeps that information.

That’s hard to do in the modern era, when data is often the most valuable asset a company has. It requires a company to put customer interests ahead of its own, and that can be a tough pill to swallow for some firms out there. Then again, that’s what a culture of ethics and compliance is all about.