
Your customers’ information is valuable – to you and them. But, if you’re considering selling or sharing people’s information, you need to hit the brakes and consider what your customers understand about what information you are collecting from them and sharing with third parties. Because permission to collect information for your business purposes isn’t necessarily permission to sell that information. Consider today’s settlement with General Motors (GM) and OnStar, where the FTC says the companies sold information about drivers’ precise locations and driving habits without permission.

GM offers connected car products and services under the OnStar brand. For people who sign up, OnStar modules can perform many jobs, like sending information to first responders, offering hands-free voice assistance, and displaying real-time traffic and navigation data. OnStar modules can also collect information about driver behavior – like hard braking, high speeds, and late-night driving – and tie that information to the driver’s location and vehicle identification number.

That’s where they hit a pothole. According to the FTC, GM convinced customers to sign up for a program called “Smart Driver” by marketing it as a game-like program that would use driver behavior data to help people improve their driving. But what wasn’t clear was GM and OnStar also intended to sell the data they collected to third parties, including consumer reporting agencies. And, according to the FTC, sharing this information without people’s fully informed consent caused real harm. For example, the complaint alleges consumer reporting agencies compiled driver behavior data into reports that insurance companies relied on to deny or cancel coverage or raise premiums. People also lost privacy about day-to-day movements, including visits to sensitive locations. According to the complaint, by using and sharing data without permission, GM and OnStar deceived people and acted unfairly.

To resolve the complaint, GM and OnStar will be barred from disclosing driver data to consumer reporting agencies for five years. Additionally, the companies agreed not to collect more data than they need, and to limit collection, use, or disclosure of data without affirmative express consent. GM and OnStar also agreed to let people disable location collection, and make it simple for people to withdraw consent to data sharing. And GM agreed to allow consumers to request copies and deletion of their data. The proposed order will be published in the Federal Register for public comment.

Don’t put compliance on cruise control. Here are some takeaways for your business:

Get affirmative express consent before collecting or sharing data. Make sure you get permission before collecting someone’s personal data and confirm that permission covers every way you intend to use the information. If you want to share people’s information, confirm you have their permission to share – and you can demonstrate you have that permission – first.

Tell the whole truth about why you’re collecting data. People want to know why you need their information and what you’re using it for. Make sure you provide clear notice to your customers upfront about why you want their personal information and what you plan to do with it. If the data you’re collecting and sharing is precise geolocation tracking data and driver behavior data, that’s pretty sensitive data. Make sure your customers understand the scope of what they are sharing about themselves and how far that information might go before they decide whether to give permission or not.

Don’t collect or keep information unless you need it. If you need personal information for a particular purpose, make sure you get consent first, and don’t collect more information than you need or keep the information you collect longer than you need it. Remember: data you don’t have in the first place can’t be compromised.
