Connected cars can be a rich source of driver data for both automakers and insurers. Voluntary usage-based auto insurance programs, also known as telematics, are often described as a win for auto insurers and drivers alike.
For customers who permit driving data to be collected by insurers via a smart device, telematics offers discounted auto premiums for safe driving. And for insurers, telematics-based insurance policies provide driver behaviour details, collected from an app a driver installs on their phone or a dongle plugged into a vehicle’s onboard diagnostics port.
However, many drivers are reluctant to participate in these programs due to privacy concerns.
A recent New York Times article notes some automakers are sending data from their internet-connected vehicles directly to insurers (or to insurers via data brokers), allegedly without the knowledge or consent of drivers. Insurers are increasingly entering into arrangements with automakers to obtain this data.
Driver data
Many insurers believe such information is not personal and can be freely traded. Several, particularly those headquartered in the U.S., base this position on U.S. privacy laws, which generally take a narrow, prescriptive approach to what constitutes personal information.
For example, consumer-oriented privacy laws in U.S. states don’t specifically capture the types of vehicle data in which insurance providers are interested — such as vehicle history, brake data, speed and hard accelerations — so it’s not defined as ‘personal.’
Canada takes a broader contextual approach, and driver behaviour data would likely be considered personal information by privacy regulators.
It matters what information is being shared; personal information requires a person’s consent to be used by insurers. Many insurers and automakers believe language embedded in agreements and privacy policies gives them such consent and argue that drivers can opt out of any sharing of their information.
However, the sensitive nature of the information suggests the only legally acceptable form of consent may be an opt-in. These forms of consent traditionally have low uptake rates, making them unpopular with insurers and automakers.
Legal lessons
Absent opt-in consent, however, automakers and insurers may still be collecting, using and disclosing this information in violation of Canadian private-sector privacy laws. Invalid consent and unauthorized uses are increasingly becoming the focus of consumer complaints and class actions.
It is not enough for insurers to push consent obligations onto automakers, requiring them (or their dealers) to obtain valid consent from consumers.
If an automaker doesn’t collect appropriate consent, the insurer risks being unable to use the entire data set they’ve obtained — and the carrier may be ordered to destroy it. Some privacy regulators have hinted services or products developed using unlawfully obtained personal information may also be ordered destroyed. This creates significant risk for insurers, which may be using the data to develop or train artificial intelligence models.
In all cases, consent must be meaningful, and the use of the information must be reasonable. Details about the proposed use of the information must be provided and include a discussion of risks to individuals (for instance, that their insurance rates could increase). Unreasonable use, as determined by a privacy regulator, will invalidate any consent provided.
The New York Times notes that automakers have been scrutinized by the U.S. Federal Trade Commission (FTC) and other regulators regarding their processing of personal information via various connected services.
The FTC expressed concern about over-collection and secondary uses of sensitive data, such as granular geolocation and biometric information. The regulator notes using sensitive data for automated decision-making can also be unlawful. Further, secret disclosure of sensitive data can be an unfair practice.
Impacts in Canada
Those issues are addressed directly under Canadian privacy laws and insurers risk investigations and enforcement actions. Notably, in Quebec, the privacy regulator can levy monetary penalties ($25 million or 4% of worldwide turnover for the preceding year) and fines ($10 million or 2% of worldwide turnover for the preceding year). There is also a private right of action.
Canadian regulators are likely to closely monitor this area. They tend to follow developments in the U.S. and Europe and conduct investigations concurrently (often jointly) with their foreign counterparts.
There is also increasing class action activity in the United States. General Motors, for example, faces more than a dozen lawsuits for allegedly sharing personal information with insurers without the insured’s knowledge or consent. These U.S. class actions traditionally prompt copycat actions in Canada, both at common law and under privacy statutes.
To date, no insurers have been targeted in such lawsuits, in part because of the way U.S. laws are structured. However, Canadian privacy laws are more flexible; it is likely only a matter of time before an insurer is directly named in a similar action or investigation.
Insurers should pay close attention to Canadian developments in this area and make sure they are aware of the uniquely Canadian requirements and risks of entering data-sharing agreements.
Auto insurance is among the most regulated classes of insurance in Canada. Provincial regulators in Ontario and Alberta have taken meaningful steps to promote customer fairness and transparency — notably via the take-all-comers rule — when procuring, amending and terminating automobile insurance policies.
Kirsten Thompson is a partner and national lead of the privacy and cybersecurity group at Dentons. This story is excerpted from one that appeared in the February-March print edition of Canadian Underwriter.