Drivers may be familiar with the “How’s my driving?” bumper stickers on commercial vehicles, encouraging a call to the listed phone number to report reckless driving. Automakers have recently implemented optional “rate my driving” apps in consumer vehicles that serve a similar purpose by collecting consumer data. However, this data is being sold to insurers without the knowledge or consent of drivers, raising significant privacy concerns.

In newer vehicles, internet-enabled apps like navigation and roadside assistance are common. Some drivers also choose to opt in to usage-based insurance, which collects data wirelessly from their vehicle and sets rates based on their driving habits. General Motors (GM) vehicles are equipped with OnStar Smart Driver, which some consumers have claimed tracked their driving without ever being turned on. Consumer Reports investigative journalist Derek Kravitz reported that BMW, Ford, Toyota and Honda, among others, have collected consumer driving data. This is typically done when drivers “click ‘agree’ on privacy forms when setting up their car’s infotainment system, unknowingly giving permission for their data to be collected and shared.” According to Kravitz, although many automakers claim they ask for drivers’ consent before sharing their data and only share it with “trusted partners,” nearly all of the car companies investigated refused to identify the parties with whom they have shared the data.

In July 2023, the California Privacy Protection Agency (“CPPA”) began investigating automakers’ data collection and use practices. CPPA Executive Director Ashkan Soltani noted that modern vehicles are “able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle.” On March 12, 2025, CPPA announced a decision requiring American Honda Motor Co. “to change its business practices and pay a $632,500 fine to resolve claims that the company violated …CCPA”. The question remains whether this minimal fine will be a deterrent, given Honda’s bottom line and the millions that can be made selling the data.

In June 2024, Texas Attorney General Ken Paxton began investigating several automakers over claims that drivers’ data had been collected and sold to analytics and risk management companies like LexisNexis Risk Solutions and Verisk Analytics. This data – referred to as “telematics” – may be used by insurers to set auto insurance rates. According to the lawsuit filed by AG Paxton on August 13, 2024, the telematics data allowed these companies to score drivers’ habits by analyzing “the date, start time, end time, vehicle speed, driver and passenger seatbelt status, and distance driven each time a customer drove their GM vehicle.” The lawsuit alleged that GM “profited handsomely” from selling drivers’ data to insurance companies, and “[a]t no point did General Motors inform customers that its practice was to sell any of their data, much less their Driving Data…”

Texas has also begun investigating Ford, Hyundai Motor America, Toyota Motor North America, and Fiat Chrysler Automobiles U.S. and filed a lawsuit against insurance company Allstate and its subsidiary Arity for allegedly violating the Texas Data Privacy and Security Act. According to AG Paxton, “…Allstate and Arity paid mobile apps millions of dollars to install Allstate’s tracking software,” which collected Americans’ personal data and “…sold [it] to insurance companies without their knowledge or consent in violation of the law.”

At the federal level, mounting concerns led Senator Edward J. Markey (D-Mass.) to urge the Federal Trade Commission (“FTC”) to investigate the privacy practices of auto manufacturers in February 2024. In January 2025, the FTC announced that it had concluded its investigation into GM “…over allegations they collected, used, and sold drivers’ precise geolocation data and driving behavior information from millions of vehicles—data that can be used to set insurance rates—without adequately notifying consumers and obtaining their affirmative consent.” As a result of its findings, the FTC has banned General Motors LLC, General Motors Holdings LLC, and OnStar LLC – all of which are owned by General Motors Company – from “…disclosing consumers’ sensitive geolocation and driver behavior data to consumer reporting agencies” for the next five years.

As automakers and insurers face increasing scrutiny over their data collection, Lutzker & Lutzker will continue to monitor these developments as part of its privacy law practice.