Plaintiff's Buick Collected Customer's PII Without Consent: Privacy Class Action
For “many years,” General Motors, OnStar and LexisNexis Risk Solutions have been collecting location, vehicle and personally identifiable information (PII) from OnStar-equipped vehicles and selling “vast amounts” of that data to third parties, alleged a privacy class action Friday (docket 2:24-cv-02978) in U.S. District Court for Central California in Los Angeles.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Plaintiff Christopher Valencia, of South Gate, California, owner of a 2017 Buick Encore with OnStar Technology, alleges the defendants collect car-related fuel efficiency, tire pressure and engine performance information, plus “sensitive PII,” such as GPS locations, frequently used routes, information on an individual’s driving style, acceleration and braking patterns, phone contacts, music preferences and call logs, the complaint said.
The complaint referenced a 2023 Mozilla Foundation report that called modern cars “a privacy nightmare,” saying they “shifted their focus from selling cars to selling data.” No other product collects as much information about individuals than their cars, including “what you do, where you go, what you say, and even how you move your body,” said the report.
Cars’ data collection has drawn regulatory attention from the California Privacy Protection Agency and Sen. Ed Markey, D-Mass., as a member of the Senate Commerce, Science and Transportation Committee. Markey urged the FTC to investigate the data privacy practices of auto manufacturers, the complaint said. In a letter to FTC Chair Lina Khan, Markey said car makers “are collecting large amounts of data on drivers, passengers and even people outside the vehicle, with little to no oversight."
Valencia's complaint cited a February New York Times article on recent data acquisition practices of carmakers GM, Honda, Kia and Hyundai, which have begun offering optional features in their connected car apps that rate people’s driving. Drivers who turn on the features in the apps “may not realize that, if they turn on these features, the car companies then give information about how they drive to data brokers like LexisNexis,” it said.
Such data is collected and offered for sale by the defendants to third parties, without class members’ consent, “whether or not any particular features are turned on, and in violation of statutory and common law principles,” the complaint said. In the Times article, a GM customer was reported to have seen his insurance rate jump by 21%, though he had never been responsible for an accident. That GM customer later found out LexisNexis had compiled a 258-page report covering each one of his and his wife’s driving trips over the previous six months and that eight insurance companies requested his information, the complaint noted.
Though GM selected LexisNexis as its preferred insurance data partner in 2019 – and LexisNexis touted its seamless integration in insurers’ usage-based insurance programs – GM announced March 20 it was ending its relationship with LexisNexis and another data broker, said the complaint. A Detroit Free Press article said the severing of ties occurred after the filing of a March 13 lawsuit that alleged the same defendants violated privacy and consumer protection laws. A GM spokesperson was quoted as saying the company was no longer sharing customer data with LexisNexis or Verisk because “trust is a priority for us” and that the carmaker was evaluating processes and policies.
GM’s statement “was silent” about data transmitted by GM to LexisNexis before March 20, or about PII collected outside the OnStar Smart Driver application, the complaint said. That suggests “that such data continues to be collected, remains in LexisNexis’ possession and continues to be sold to insurers,” the complaint said.
The complaint noted that while GM’s 2017 privacy policy provided that location, direction, camera images, voice commands and other PII would be shared only with GM customers’ consent; the 2018 policy stated that such information could be shared without customers’ consent when they elected to receive certain services, the complaint said.
Valencia and class members suffered actual injury from having their PII collected from their vehicles and sold to third parties, the complaint said. Injuries include damage to and diminution of their PII, violation of their privacy rights and the likelihood of future theft of their PII, it said. The plaintiff and class “overpaid” for their vehicles as a result of not knowing their vehicles would collect and transmit “highly intimate details of their movements” to the defendants, who would share them with third parties, it said.
Valencia claims violations of California's Consumer Information Privacy and Comprehensive Computer Data Access and Fraud acts and its Unfair Competition Law; it also asserts a claim of intrusion upon seclusion. Valencia seeks an order enjoining defendants from continuing to collect his and class members’ vehicle and personal information; a mandatory injunction requiring defendants to delete all location and vehicle data unlawfully collected; awards of actual, nominal, consequential and punitive damages; attorneys’ fees and costs; and pre- and post-judgment interest. GM and LexisNexis didn't comment Monday.