Almost everyone has shopped online in the last decade. Even those who manage to resist the lure of two-day delivery probably have priced appliances or scouted sales on various websites before purchasing the items at a physical store. This means they have been bombarded with advertisements for those same products as they navigate news sites, social media and email. As an insurance and government affairs attorney, it is likely that I have seen every insurance advertisement marketed to people in the region (probably pinpointed to the nine-digit ZIP code).
Online advertisements are targeted because people are willing to let websites track their activity to better sell products. You have probably clicked the “accept all” button when a pop-up window informs you that the website uses cookies to enhance user experience. What is this enhanced user experience? It is better advertisements for products we just searched for or, based on our browsing history. The debate over the usage of customer data has erupted in recent years and has become unavoidable—just like certain advertisements for products on Instagram that are eerily similar to what you just looked for on Amazon. We know that we are being tracked—according to the ads I see, my profile tells companies that I read a lot about insurance, and I have been shopping for a new coat.
What happens when this theory is applied to insurance? Specifically, what privacy do people forfeit by allowing their insurance companies to track their driving under the promise of a more accurate automobile insurance rate? We have all seen the TV ads that promise someone who only drives one mile a day in a circle a discount rate of insurance. Some car makers are considering including such devices in vehicles, sparing drivers from making the decision and immediately saving them money on their insurance. Beyond many obvious questions, there is the legal conundrum this sets up—what do drivers give up by allowing their automobile insurers to track every trip they take?
Data, data, data
Insurers have used data for as long as they have offered insurance. Technology has enhanced the amount of data used to evaluate a risk. Anyone who has insured a teenage driver or has had an accident claim knows how factors such as age and driving history affect a person’s automobile insurance rates (especially if a teenage boy had an accident claim). Usage-based insurance adds data points to all the information already used to tailor premiums to the individual policyholder.
One of the most popular selling points for UBI has been the ability to track the miles driven—especially with so many commuters working remotely and often with their kids at home. Technology can track the miles driven and the time of day one drives, making it easy to promote potential discounts for people who may drive far less than they once did. Beyond miles driven and the time of day the driver is on the road, technology can track where people drive and how well they get there. Rapid acceleration, hard braking and hard cornering can be captured and incorporated into the driver’s insurance policy. In the process of gathering current data on an individual driver, the insurance company may develop a profile of every place the vehicle goes at what time of day and the route taken.
The right to privacy?
With the information collected by telematics, an insurance company suddenly knows more than your name, birthdate, credit score, and driving history. Carriers would have an easy opportunity to know where you go at any time of day with GPS coordinates to know your every stop and turn. While many people may shrug at that—after all, most drivers use a map application for directions that keeps track of where they park and nearby police cars—there are the basic data privacy concerns that have led states to require certain protections of personal information, and then there are the broader legal concerns.
The Fourth Amendment of the Bill of Rights guarantees Americans the right to privacy. This amendment requires law enforcement to obtain warrants to search people’s residences and other areas where they have the expectation of privacy. Generally, this expectation extends to one’s vehicle. During routine traffic stops, law enforcement officers may glance into the vehicle, but they cannot legally search it without a warrant. If they see something to suggest evidence of a crime in the vehicle, the officers can use that observation to request a warrant. However, the officers could just ask to search the vehicle and many people would agree to the request. By allowing the search of their vehicle, the drivers effectively waive their right to privacy.
This same right extends to the tracking of the vehicle’s movements. While cars drive on public roads in plain sight of other drivers, the U.S. Supreme Court has held that that does not eliminate the requirement that law enforcement obtain a warrant to place a GPS tracker on a car.[1] More broadly, the vehicle owners’ expectation of privacy extends to the exact tracking of their vehicles. At least, it does until the vehicle owners willingly use the technology to track their vehicles’ movements. Whether the technology comes pre-installed or the owners adds it themselves, the drivers know about the tracking or accepts vehicles with it installed.
These issues likely do not concern most people. They are law-abiding citizens who are good drivers with nothing to hide, and who only know how to get to work because of their preferred mapping application.
However, UBI has not been fully tested regarding how it provides data for incidents such as car accidents and broader crimes. A company obtaining and retaining so much data on drivers raises a number of issues regarding the privacy of drivers. When it comes to other technology, law enforcement has obtained warrants to demand companies cooperate with investigations. Who can assume that the same agencies will not soon see value in the driving data for their own investigations?
Customer … or product?
In a letter describing his company’s privacy policy, Apple CEO Tim Cook wrote: “When an online service is free, you’re not the customer, you’re the product.”[2] Most companies that provide free services online obsessively collect data on users to sell to advertisers, that can then make it easy for customers to buy stuff from the advertisers. The company running the website makes its money on the data collected on users rather than the users buying anything from it directly.
Even if insurers obsessively track driver data, people pay for their policies. In the present, this distinguishes auto insurance from such online services. Yet, the data that is collected has value to data analytics companies beyond setting insurance rates. For example, a national fast food chain may see the value in knowing every detail of how people in an area drive, to make its own decisions regarding new locations or advertising. A major data analytics firm had effectively confirmed that response when the CEO of a national insurance company said there was potential in selling customer data obtained from telematics.[3] The CEO even compared the selling of customer data to the same practice by a major technology company.
Recent privacy laws mandate disclosure of such practices, including online, and require online users to consent to the collection and sale of their data. They do not ban or greatly restrict such practices.
In the insurance industry, laws such as the New York cyber security requirements for financial services companies and the National Association of Insurance Commissioners’ insurance data-security model legislation, focus on the protection on nonpublic information. These laws focus on data such as birthdates, Social Security numbers, account numbers, security codes, and biometric records used in connection with personal identifiers.
Data collected from telematics in vehicles falls outside these definitions, although they still would fall under the requirements for proprietary business records. That allows companies to use their discretion when sharing the data with other companies—especially if consumers have consented to sharing such data.
What now?
Usage-based insurance is in its infancy. Like all other policies, the rates must be approved by state insurance departments. And, it remains to be seen how many drivers will be interested in such programs. While giving up certain privacies raises red flags, many people still click “accept all” when the inevitable disclosure about data tracking appears online. How many policyholders will do the same when it comes to insurance, especially with the lure of a better insurance rate?
For the time being, UBI may dangle the promise of lower rates for safe drivers, but someone has to pay more for the rates to make mathematical sense. Someone may get a better rate, but many drivers are likely better off being classified in broad groups and benefitting from rates being based on historical data.
This article originally appeared in the March 2021 issue of PIA Magazine.
[1] U.S. v. Jones, 565 US __ (2012)
[2] Gadgets360, 2014 (bit.ly/3bz3XrO)
[3] Insurance Journal, 2015 (bit.ly/3nBfych)
Clare Irvine, Esq.
Clare Irvine, Esq., graduated from Fordham University School of Law and Arizona State University.