Texas Attorney General Ken Paxton has opened an investigation into the alleged sale of drivers’ data by car manufacturers.

The Office of the Attorney General announced last week that it was looking into allegations that various car manufacturers have been collecting data from vehicles unbeknownst to their owners. The yielded data has then reportedly been shared with various third parties, like data broker LexisNexis Risk Solutions, which partner with car insurance companies.

Paxton explained in the news release that technological advances have enabled “manufacturers to collect millions of data points about the people driving” modern vehicles. However, if consumers are not adequately informed of this practice, it would constitute a violation of the Texas Deceptive Trade Practices Act (DTPA).

One example reported on by The New York Times is OnStar Smart Driver in General Motors vehicles. OnStar is the internet-based service in GM vehicles comprising the branded connected-car apps like MyChevrolet, MyBuick, MyGMC and MyCadillac, while Smart Driver is a gamified feature included in these apps that encourages better driving habits.

GM confirmed to NYT that it shares insights gathered from its driver-coaching feature enrollees — like hard braking, hard accelerating, speeding, and drive time — with data brokers including LexisNexis and Verisk. KiaMitsubishi, Hyundai, Honda, and Acura said the same.

Ford “does not transmit any connected vehicle data to either partner,” spokesman Alan Hall told NYT. However, he did note that the automaker will share driving habits directly with an insurance company if the vehicle owner gives explicit consent (via their car’s touch screen).

In defense of such practices, General Motors spokeswoman Malorie Lucich told NYT, “GM’s OnStar Smart Driver service is optional to customers,” claiming, “When a customer accepts the user terms and privacy statement (which are separately reviewed in the enrollment flow), they consent to sharing their data with third parties.”

But the NYT report and Paxton suggest that these companies are not entirely transparent with drivers about what they’re opting into when they enable features that rate driving behavior — or even when they’re opting into it.

“Recently, consumers have grown extremely concerned that their driving data is being reported to their insurance company without their knowledge or authorization,” Paxton explained.

“These reports of the invasive and unmitigated collection and sale of data without consumer consent are disturbing, and they merit a thorough investigation and appropriate enforcement.”

As explained by the OAG, DTPA exists to protect Texas consumers from “false, deceptive, or misleading” practices and grant them legal recourse to claim damages. Late last year, Paxton filed a lawsuit against Pfizer over its COVID-19 vaccine, claiming that the pharmaceutical giant had violated DTPA by misrepresenting its effectiveness against the virus, as covered in The Dallas Express.

By opening an investigation under DTPA, Paxton can investigate any fraudulent or invasive acts by the companies named in the allegations of data collection and sale. This includes both the car manufacturers and the third parties that allegedly purchased the drivers’ information.

They have been ordered to deliver any documents related to the collection and sale of data to OAG investigators. Car manufacturers are also asked to provide any disclosure agreements related to data collection and sale that may have been sent to customers.

In addition to this investigation, OAG launched an initiative last week that focuses on aggressively protecting data privacy rights to ensure that Texans’ personal data will be secure from any invasive companies.

“As many companies seek more and more ways to exploit data they collect about consumers, I am doubling down to protect privacy rights,” Paxton said.