The Texas Attorney General’s Office has started an investigation into how Ford, Hyundai, Toyota, and Fiat Chrysler collect, share, and sell consumer data, expanding an earlier probe launched last year into how modern automakers are potentially using customer driving data.
We’ve addressed cars and privacy at some length on Malwarebytes Labs and came to the conclusion—with the help of many experts in the field—that modern cars simply aren’t very good at it. Many politicians in the US agree with that point of view, too, as US senators have asked the Federal Trade Commission (FTC) to investigate car makers’ privacy practices.
As part of the investigation in Texas, the state’s Attorney General’s Office sent letters—or “notices”—to four automakers earlier this month, demanding written responses under oath.
The Notice delivered to Hyundai discusses “covered data,” which is defined as any information or data about a vehicle manufactured, sold, or leased by you, regardless of whether deidentified or anonymized. And selling data is defined as sharing, disclosing, or transferring of personal data in exchange for monetary or other valuable consideration by you to a third party.
The Notices sent to the car manufacturers are not all exactly the same, but it is clear what the Attorney General’s Office is after:
- Methods of collection used.
- Which third parties received the data and if any restrictions were placed on how the recipients used the data.
- The number of affected customers.
- How consent was obtained from these customers.
In April of 2024, Texas Attorney General Ken Paxton sent “civil investigative demands” to Kia, General Motors, Subaru and Mitsubishi seeking details of their data collection and sharing practices.
And in August, Paxton sued General Motors for selling customer driving data to third parties.
Only recently we reported how the Attorney General also went after the buyers of data like insurance company Allstate and its subsidiary Arity. Arity acts as a data broker which sold insurers the information to set prices on insurance premiums. The car manufacturers involved in that complaint are Toyota, Lexus, Mazda, Chrysler, Dodge, Fiat, Jeep, Maserati, and Ram. But they were not named as defendants in the complaint.
Paxton did single out a few mobile apps and warned them that they were violating Texas’ data privacy law. Those apps are: GasBuddy, Life360, Miles, MyRadar, SiriusXM and Tapestri.
An Allstate spokesperson stated that Arity “helps consumers get the most accurate auto insurance price after they consent in a simple and transparent way that fully complies with all laws and regulations.”
But according to the press release from the Attorney General, Allstate and other insurers used what they alleged to be covertly obtained data to justify raising Texans’ insurance rates.
We don’t just report on threats – we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.
