By Mark Sanborn
Senior Product and Regulatory Counsel
In recent months, the FTC has brought targeted regulatory actions regarding the collection, use, and sharing of sensitive consumer “geolocation” data. Dealers must understand why this is in the FTC’s crosshairs, and underscores the importance for dealers to scrutinize their own data practices, especially as they increasingly rely on digital platforms and third-party vendors to capture consumer information.
“Geolocation” data refers to information that can pinpoint where a consumer is at a point in time.
In particular, there are three cases: (a) GM, (b) Gravy Analytics and Venntel, and (c) Mobilewalla, that serve as cautionary tales for dealers who gather or make representations about geolocation data.
GM
The allegations against GM focus on its OnStar connected vehicle services, where the company reportedly collected and shared precise geolocation and driving behavior data without obtaining consumers’ explicit consent. This data was allegedly sold to third parties for various purposes, including transportation planning and advertising analytics, without adequately informing consumers. The FTC alleges that such practices not only compromise consumer privacy but also expose them to financial harm, as seen in the sharing of driving behavior data with consumer reporting agencies, which could lead to increased insurance premiums or denial of coverage.
Gravy Analytics and Venntel
Similarly, Gravy Analytics and Venntel have been accused of collecting and selling detailed geolocation data without direct consumer consent. This data, tied to unique identifiers, was used to create audience segments based on sensitive personal characteristics, such as health conditions and political beliefs. The companies allegedly failed to verify consumer consent, relying instead on data suppliers’ assurances, which often proved misleading or inadequate. According to the FTC this alleged lack of transparency and consent verification poses significant privacy risks and potential harm to consumers.
Mobilewalla
Mobilewalla’s case further illustrates the dangers of improper data collection and usage. The company allegedly collected precise location data without consumer knowledge or consent, using it to create audience segments based on sensitive attributes like medical conditions and political activities. Mobilewalla’s practices of acquiring data from real-time bidding exchanges and data brokers, and retaining consumer data indefinitely were cited by the FTC as increasing the risks of data misuse and privacy violations. These actions, according to the FTC, risked causing substantial harm to consumers, including emotional distress and risks of discrimination.
The FTC
It is important to point out that like recent data security cases brought by the FTC, the FTC has pursued these sensitive data cases under its Section 5 authority, which targets unfair and deceptive practices. There is no specific federal law that defines “sensitive information” or that explicitly requires consent before processing such information. Those definitions and requirements are typically seen in state privacy laws. However, these actions underscore the FTC’s aggressive posture relating to consent for collecting and processing consumers’ sensitive information, even when specific statutory requirements do not apply.
What Should Dealers Do?
For dealers, these cases emphasize the critical need to evaluate their data practices, particularly when dealing with sensitive consumer information. Dealers must ensure that they obtain clear and informed consent from consumers before collecting or sharing their data. This includes being transparent about the purposes of data collection and the entities with whom the data will be shared. Additionally, dealers should regularly review their privacy policies and data handling practices to ensure compliance with regulatory standards and to protect consumer trust.
Moreover, dealers should be cautious when partnering with third-party vendors for data services. It is essential to conduct thorough due diligence to ensure that these vendors adhere to strict data privacy standards and that any data shared is done so with the consumer’s informed consent. By taking proactive steps to safeguard consumer data, dealers can mitigate the risks of regulatory scrutiny and potential legal challenges.
The recent regulatory actions against GM, Gravy Analytics and Venntel, and Mobilewalla serve as a stark reminder of the importance of data privacy and consumer protection. Automobile dealers must prioritize these issues in their operations, ensuring that they handle sensitive consumer data responsibly and transparently.
ComplyAuto provides dealers with a comprehensive suite of compliance solutions designed to help them meet their regulatory obligations. As the industry-leading privacy and Safeguards Rule compliance tool, ComplyAuto Privacy offers dealers customizable configurations and options to manage consumer disclosures and consent in accordance with federal and state privacy requirements.