
Five Lessons From California’s OnStar Privacy Settlement

May 13, 2026

California has reached a $12.75 million settlement with General Motors over the company’s treatment of OnStar driving data. This case follows a similar settlement between the company and the Federal Trade Commission, finalized in January. 

According to CalPrivacy’s press release, GM collected both contact information and geolocation and driving‑behavior data from OnStar users. The summary of facts from CalPrivacy aligns with the FTC’s description of GM’s OnStar program. According to the FTC’s complaint, OnStar users could decline to accept the OnStar terms and privacy policy, but the FTC alleged that the enrollment process was confusing and did not clearly explain which features would and would not work if they did.

Both California and the FTC allege that the OnStar data was sold to two data brokers: LexisNexis and Verisk. These entities, they argued, used the data for driver‑rating products marketed to auto insurers. According to CalPrivacy, this sharing was not disclosed in the GM privacy policy.

GM has settled with CalPrivacy, as it did with the FTC. It has agreed to pay $12.75 million, the largest CCPA penalty to date (subject to court approval). There are many lessons about regulatory expectations that companies can learn from the settlement terms. These are helpful in the connected device space and beyond:

  1. Assess how you will minimize data collection and retention: Regulators are concerned about the amount of information companies collect and retain. Here, in what CalPrivacy states is the first CCPA case about data minimization, GM agreed to delete previously retained driving data (subject to limited exceptions) and to request that LexisNexis and Verisk delete the driving data they received from GM. For the next five years, GM has also agreed not to sell driving data to consumer reporting agencies.
  2. Evaluate your process for obtaining consent: Providing notice and getting consent within a car can be tricky. As part of the settlement, GM agreed to get affirmative, express consent before collecting and using driver data for purposes not related to the OnStar emergency services. It also agreed to get separate consent for each unrelated feature or service. Notices to OnStar customers should be “conspicuous” and easy to read, avoiding “technical or legal jargon.” The company also agreed to get the same level of consent to share the information with third parties, including LexisNexis and Verisk.
  3. Review your approach to offering consumers required opt-outs: Like notice and consent, addressing opt-outs with connected devices has its challenges. In this settlement, GM agreed to give people, while in their cars, the ability to disable collection of precise location data, with some exceptions. One of the exceptions is responding to consumer-initiated safety requests.
  4. Have privacy governance measures in place: Regulators are concerned that companies have organizational measures to address privacy compliance, something that was asked of GM in the settlement. Among other things, GM agreed to develop and maintain a privacy program that identifies and mitigates risks related to data collected through OnStar. It has also agreed to report its privacy assessments to regulators.
  5. Place limits on downstream use: Regulators have expressed worries about whether companies are using data for intended and disclosed purposes. Supporting this, in the settlement, GM agreed to restrictions on how it uses driving data. 

Putting It Into Practice: While your company may not be a vehicle manufacturer, there are lessons to be learned from this settlement, especially if your company has connected devices that gather personal information. Among the lessons are how regulators expect a company to address privacy requirements, like notice and choice, in an environment where disclosures may be difficult to make.

Tags: California Privacy, CCPA, Comprehensive Privacy Laws, Consumer Privacy, Telemetrics, Tracking, US Privacy

Disclaimer: This alert is provided for information purposes only and does not constitute legal advice and is not intended to form an attorney client relationship. Please contact your Sheppard attorney contact for additional information.
