CONTACT

your car is probably spying on you

Manufacturers are turning vehicles into data collection platforms from which they expect to make billions. If you own a newer vehicle, these invasive spying programs could harm you, but exercising your rights under California’s Consumer Privacy Act may protect you.

your vehicle’s spying may cost you.

In March 2024, the New York Times (NYT) ran several stories on data collection programs that caused massive increases in insurance costs.

On March 11, 2024, the NYT reported that a Washington senior’s insurance rates had jumped by 21 percent after his insurance company reviewed data about his driving behavior, including his speed, braking and acceleration, that his Chevy Bolt had been, unbeknownst to him, collecting and reporting. Apparently the senior had not been in any accidents or collisions; his rates increased solely because of his vehicle’s spying.

On March 14, 2024, the NYT reported that a Florida man’s insurance premiums had doubled. According to the article, at least one insruance company refused to insure him at all. The article explains that, once again, data reported by the man’s vehicle was to blame. This consumer has filed suit, alleging that the data had been collected and shared without his consent.

One of the data analytics companies purportedly behind these programs, LexisNexis, provides an Orwellian nightmare of an explanation of what it does with vehicle data.

If you live in California, the Consumer Privacy Act, discussed at the end of this post, may help you take back control of your personal information. If you live in another state or country, your may want to inquire about your local laws.

manufacturers make billions from spying on you.

In September 2016, McKinsey & Company, a multinational strategy and management consulting firm, published a report on the anticiapted value of the market for data collected from vehicle spying programs, projecting a $450-750 billion market by 2030.

In late 2023, some valuations had cooled slightly. Emergen Research, for example, projected a market for data collected from vehicle spying programs of just under $87 billion by 2028 that would soar to just under $320 billion by 3032.

In other words, the vehicle data market is emerging right now. Worth tens of billions of dollars today, it will be worth hundreds of billions of dollars in just a few years.

vehicle spying programs should WORRY you.

Mozilla Foundation recently published an analysis of 25 manufacturers’ privacy policies, calling them the “worst product category” and a “privacy nightmare”.

[C]ar companies have so many more data-collecting opportunities than other products and apps we use — more than even smart devices in our homes or the cell phones we take wherever we go. They can collect personal information from how you interact with your car, the connected services you use in your car, the car’s app (which provides a gateway to information on your phone), and can gather even more information about you from third party sources like Sirius XM or Google Maps. It’s a mess. The ways that car companies collect and share your data are so vast and complicated that we wrote an entire piece on how that works. The gist is: they can collect super intimate information about you — from your medical information, your genetic information, to your “sex life” (seriously), to how fast you drive, where you drive, and what songs you play in your car — in huge quantities. They then use it to invent more data about you through “inferences” about things like your intelligence, abilities, and interests.

Mozilla found that 84% of the companies sell the personal data that they collect by spying on you.

Whereas data about vehicle speed, braking and accelration that the NYT reported had caused rate hikes and policy denials, much of the data is worryingly unrelated to driving.

Nissan earned its second-to-last spot for collecting some of the creepiest categories of data we have ever seen. It’s worth reading the review in full, but you should know it includes your “sexual activity.” Not to be out done, Kia also mentions they can collect information about your “sex life” in their privacy policy. Oh, and six car companies say they can collect your “genetic information” or “genetic characteristics.” Yes, reading car privacy policies is a scary endeavor.

Some of the manufacturers even state that they collect “olfactory data”.

Somewhere plans to collect your DNA and smell you are far enough along that legal teams thought they needed to include it in a privacy policy. Yikes.

The worst is yet to come.

Bottom line, manufacturers are casting a wide net and invading the most intimate details of your life to increase the value of the vehicle data market.

We were warned in 2016.

Around 5 years later, consumers started seeing the consequences of vehicle spying programs as rate hikes were triggered by data sharing.

But the spying programs reach so far beyond collection of data about speed, braking and acceleration that the consequences for consumers are hard to imagine. How are manufacturers planning to profit from data about your sexuality, intelligence, DNA, or smell?

under california law, you have a right to control your personal information.

This is not the future that we were promised, but California law can help you to retake some control.

California’s Consumer Privacy Act gives California consumers the right to (1) know what data is collected, (2) know what data is sold or disclosed, (3) know to whom their data is sold or disclosed, (4) veto the sale of their personal personal data, (5) receive copies of their personal data, and (6) force businesses to delete their personal data.

There are some exceptions, such as when the personal data must be collected and maintained by the business to comply with another law.

The California Consumer Protection Agency has summarized these exceptions:

In some instances, a business may deny your request to delete, correct, know, opt-out of sale/sharing, or limit:

Delete: Common reasons why businesses may deny your request to delete your personal information include:

  • The information was not collected directly from you. Businesses are required to delete personal information they have collected from you, and in some instances, personal information that was collected about you from other sources. However, even if a business denies your request to delete, if they sell or share your personal information, they must inform you of your right to opt-out of the sale or sharing of your personal information.
  • The business cannot verify your identity to complete your request.
  • The information falls within certain exceptions provided for in the law, which include:
    • The business needs your information to complete your transaction, provide a reasonably anticipated product or service, for certain warranty and product recall purposes, or for certain business security practices.
    • The business needs your information for certain internal uses that are compatible with reasonable consumer expectations or the context in which the information was provided.
    • To comply with legal obligations, exercise legal claims or rights, or defend legal claims.
  • The information is publicly available information, certain medical information, consumer credit reporting information, or other type of information exempt from the CCPA.

Correct: Common reasons why businesses may deny your request to correct your personal information include:

  • The business has determined that, based on the totality of the circumstances (e.g. documentation, nature of the personal information, etc.), the information is more likely than not accurate.
  • The business cannot verify your identity to complete your request.
  • The information is publicly available information, certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA.

Know: Common reasons why businesses may deny your request to know your personal information include:

  • The business cannot verify your identity to complete your request.
  • The business has already provided personal information to you more than twice in a 12-month period, or the request is manifestly unfounded or excessive.
  • Businesses cannot disclose certain sensitive information, such as your social security number, financial account number, or account passwords, but they must tell you if they’re collecting that type of information.
  • Disclosure would restrict the business’s ability to comply with legal obligations, exercise legal claims or rights, or defend legal claims.
  • The information is publicly available information, certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA.

Opt-out of sale or sharing of personal information: Common reasons why businesses may deny your request to opt-out of the sale or sharing of your personal information include:

  • The business does not sell or share personal information. For example, a business’s disclosure of personal information at your direction, is not considered a sale of personal information.
  • The information is publicly available information, certain medical information, consumer credit reporting information, or other type of information exempt from the CCPA.
  • The business believes the request is fraudulent and provides an explanation as to why the request is fraudulent.

Limit use and disclosure of sensitive personal information: Common reasons why businesses may deny your request to limit the use and disclosure of your sensitive personal information include:

  • The business is only using or disclosing your sensitive personal information for purposes that are allowed by the statute, which include:
    • Performing services or providing goods that you reasonably expect.
    • Preventing security incidents, resisting deceptive, fraudulent, or illegal activities, and ensuring the physical safety of natural persons.
    • Performing services on behalf of the business, like maintaining or service accounts, providing customer service, verifying customer information, providing storage, etc.
    • Short-term, transient use of the information, including for nonpersonalized advertising, subject to certain requirements.
    • Verifying, maintaining, or improving the quality or safety of a product, service, or device.
    • Comply with legal obligations, exercise legal claims or rights, or defend legal claims.
  • The information is publicly available information, certain medical information, consumer credit reporting information, or other type of information exempt from the CCPA.
  • The business believes the request is fraudulent and provides an explanation as to why the request is fraudulent.

California Attorney General Rob Bonita’s webpage provides a very detailed FAQ on California’s Consumer Privacy Act, including explanation of how you can authorize someone else, like a consumer rights firm, to learn what personal information is being cllected about you, delete the personal information that has been collected, opt-out of the sharing of your personal information, see and correct inaccurate personal information, and/or limit the disclosure of your sensitive personal information.

Our AG has also linked to explanatory and instructive materials produced by Consumer Action, a non-profit consumer advocacy group.

Crucially, under the Consumer Privacy Act, exercising your rights may not be permanent. California Civil Code section 1798.135 only extends some protections for a year; after 12 months, a business may seek authorization, which could be buried in terms of service or a click-through agreement, after 12 months. Exercising your privacy rights may need to become an annual exercise, like Spring cleaning.

Although groups like Consumer Action have done an excellent job of producing explanatory materials and instructions for exercising your rights, asserting your rights can still be intimidating. If you need help, you may wish to contact a trusted consumer rights attorney for assistance.

Remember, California’s Consumer Privacy Act prohibits retaliation. A business cannot treat you differently after you exercise your rights.

california consumer protections are only effective if exercised.

Although the California Consumer Privacy Act empowers consumers, it also makes it their burden to act. Businesses are permitted to collect and sell data as they like unless and until consumers take action.

However, if consumers act, change is possible.

Violations of California’s Consumer Privacy Act protections may be prosecuted by California’s Attorney General, but the fine for any violation cannot exceed $7,500.

Generally, the Consumer Privacy Act only applies to businesses with at least $25 million in annual revenue. A $7,500 fine is trivial, particularly if the business is pursuing its share of hundreds of billions of dollars of earnings derived from data sharing. For public enforcement to be effective, many consumers might need to report violations, increasing the total fine that a company might face until the cost of pursuing hundreds of billions of dollars isn’t worth the risk. This feels far-fetched.

Alternatively, either California’s attorney general or a consumer might be able to pursue public injunctive relief, a binding court order to change business practices in the future, under California’s Unfair Competition Law. However, as the Unfair Competition Law does little to provide for financial recovery by the consumer, consumers may not have much incentive to pursue an action under the Unfair Competition Law unless they are entitled to damages under other statues, like California’s Song-Bevelry Consumer Warranty Act or Consumers Legal Remedies Act.

In the end, it’s up to you to exercise your rights to prevent vehicle spying from running amok.