On August 13, 2024, the Texas Attorney General’s office sued General Motors LLC (GM) and OnStar LLC for allegedly deceiving customers into enrolling in services that collected and analyzed driver data to generate “Driving Scores” sold to the insurance industry. The lawsuit followed a probe announced in June into automakers’ data privacy practices.

The Texas AG’s continued focus on data privacy comes shortly after securing a $1.4 billion settlement with Meta over alleged unauthorized collection and use of personal biometric data, and a data broker registry sweep. With its active Data Privacy and Security Enforcement Division, Texas is a serious player in privacy enforcement.

What’s the complaint about?

Under its consumer protection law, Texas brought claims GM deceptively designed its sales flow and customer agreements to enroll over fourteen million car buyers in its driving data collection program since 2015.

GM equipped its vehicles with a system that collects and tracks driver data across thirty-six categories, such as “current speed,” “driver seatbelt latched,” and “hard brake occurs.” These data points were combined with data from GM and OnStar mobile apps to create customer risk profiles, which GM sold to insurance companies.

The complaint alleges that GM deceived customers into enrolling in data collection programs through misleading, confusing, and vague representations in its privacy policy, terms of service, and onboarding process. GM failed to inform customers that connected services were optional, and that declining them would cut off emergency response services. Its user terms and privacy statements didn’t inform customers about GM selling their data.

Texas did not sue GM for potential violations of its new data privacy law, possibly due to its mandatory 30-day right to cure period. Pursuing data privacy claims under deceptive practices laws reminds businesses of the expanding tools at enforcers’ disposal, which can be used to enforce privacy laws.

Takeaways

Texas’ active enforcement. Texas has positioned itself as a formidable privacy regulator with sizable settlements with Meta and Google, a data broker registry sweep, and a growing staff. It is actively enforcing comprehensive data privacy, biometrics, and consumer protection laws. The suit was filed two months after the AG’s probe into GM’s data sharing practices, indicating lack of cooperation between parties. We expect further action, so businesses should monitor the Lone Star regulators carefully. 

Legally significant decisions carry greater risk. GM’s data sharing directly affected customers’ insurance rates. Businesses collecting and sharing data involved in decisions affecting provision, denial, or cost in education, employment, financial services, government services, healthcare, housing, insurance, or legal services will be under scrutiny and must take greater care in assessing risk. This suit fits a nationwide trend around profiling and automated decision-making laws in states like California, Colorado, and Minnesota, which require new notice and opt-out obligations and impose greater potential liability for certain automated processing. 

Clear and conspicuous disclosure through accessible language is essential to avoid deceptive acts. Texas took issue with GM’s statements about using customer “information to develop, enhance, provide, service, maintain, and improve the safety, security, and quality of its products, programs, and services, and for product research and marketing.”  A win for Texas may raise the standard for clarity in privacy disclosure, requiring businesses to review their statements to provide abundantly clear notice about information sharing practices. Vague, overarching statements will no longer suffice, especially when selling data.

Handle potential violations early. Texas’ focus on drivers’ private data follows a high-profile news cycle earlier this year on car manufacturers’ privacy practices. Many automakers claimed to rectify issues raised by the press, but regulatory scrutiny continued. Negative press can create a feedback loop, emphasizing the need to address issues early in an investigation.

We expect regulatory scrutiny on automakers to expand to other industries. Businesses should review their privacy policies and user agreements to ensure adequate disclosure to consumers, especially if selling data for legally significant decisions.