On August 13, 2024, the Texas Attorney General’s Office (Texas AGO) filed a claim under Texas’s Deceptive Trade Practices-Consumer Protection Act challenging General Motors’ collection and use of data collected from consumers regarding their driving history. The Texas AGO’s complaint implicates thorny issues regarding how companies prepare and roll out privacy disclosures to consumers. The complaint also reiterates the importance of implementing clear, informed written consent processes when collecting and using consumer data.
The Texas AGO alleges that General Motors collected trip data from 14 million vehicles and 1.8 million people in Texas, including the date, start time, end time, vehicle speed, seatbelt status and driving distance of consumers that used the “OnStar” system offered by a General Motors subsidiary. According to the complaint, General Motors then partnered with numerous third parties to license or sell the data, including to automotive insurance companies making decisions on insurance premiums and coverage. The Texas AGO alleges that General Motors provided driver safety data for hundreds of thousands of consumers to nine different insurers.
The complaint challenges several aspects of General Motors’s driving-data program, alleging that the company
- misrepresented the OnStar system to consumers;
- misrepresented how data would be collected and used;
- used deceptive practices to convince customers to sign up for the OnStar system through which their data was shared;
- made deceptive and misleading statements in the company’s privacy disclosures; and
- enrolled some customers in the data-tracking features without their knowledge or consent.
The Texas AGO seeks civil penalties, restitution, injunctive relief, and attorneys’ fees and costs. Separately, several plaintiffs have filed class actions challenging General Motors’ use of driving data.
Based on the Texas AGO’s complaint, it appears that General Motors did make significant and, in some cases, broad disclosures about the potential uses of the data collected. As is often the case with companies that collect potentially sensitive data, General Motors may have been unaware at the time it began collecting the data of the full extent to which it would want to use the data in the future, necessitating broad disclosures to cover future, unknown uses. As a result, the dispute is likely to focus on whether those disclosures were materially misleading or deceptive because the disclosures lacked sufficient specificity.
Compounding the breadth of the disclosures, General Motors also allegedly included deceptive warnings when customers indicated they wanted the technology disabled, informing them that doing so would deactivate certain safety features.
This case is a reminder to companies that making broad privacy disclosures about a company’s potential use of consumer data can backfire if a later use of the data is deemed overly intrusive. Companies should carefully consider the potential uses for consumer data when making privacy disclosures and ensure consent processes for collecting the data are fair, transparent and as specific as possible. If new uses for the data arise that are not explicitly within the scope of consent, it may be necessary to obtain new consents to cover the additional uses for the data.