OnStar’s New Privacy Policy

September 21st, 2011 § Leave a Comment

OnStar recently updated their privacy policy. The new policy

  • allows OnStar to continue collecting information from its links even after a customer cancels service, unless the customer specifically requests OnStar not to; and
  • removes language that said that OnStar would not share customer data with third-party marketers without explicit customer consent.

Changes to privacy polices aren’t usually notable. But I think there are some interesting things going on here.

First, although it has been claimed that the new policy allows OnStar to share anonymized information, including GPS (speed and location) information, that does not appear to be a recent addition. The current privacy policy already allows OnStar to “share or sell any anonymized data (including location, speed, and safety belt usage) with third parties for any purpose.” That conflicts to some extent with the language claiming that OnStar would not sell information to third-party marketers without consent, so perhaps the removal of that language allows OnStar to share the data with marketers. On the other hand, that limiting language does not appear in the actual policy, only in the summary information at the top of the “Our Privacy Practices” page. Because it’s unclear what the old policy allowed, it’s hard to tell what the new policy added.

Second, the change highlights how much people read into privacy policies. For example, CNET suggests that language allowing OnStar to transfer data in the event that part of its business is spun off (so that the new business has the data) could be read as indicating plans to spin off part of the business. I’m not even sure if that language was new (I can’t find a copy of the 2010 policy to compare it to).

Finally, GPS data is really sensitive, and people are justifiably worried about tracking—in the literal sense. Thus, any policy change that seems to allow greater use of that information, even if intended to clarify existing practice, is going to set off alarms.

Personally, I think the biggest area of concern in OnStar’s privacy policy is that it doesn’t really define how data is “anonymized.” There are at least two possibilities. “Anonymizing” could mean removing traditional personal information (name, address, VIN, etc.) from GPS data, but leaving other information intact, such as the information needed to track a vehicle’s movements from place to place. That wouldn’t be much protection, because if you can watch a car go to a house and park there overnight every night, you have a pretty good idea who that car belongs to. The better approach would be to “anonymize” the data so that not only is the car not directly associated with a person, but so that any individual car’s movements cannot be tracked. Thus, I don’t think is true, as has been suggested, that it is impossible to anonymize GPS data. But it has to be done right, and the new privacy policy doesn’t indicate whether OnStar will do it right.

Advertisement

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

»

What’s this?

You are currently reading OnStar’s New Privacy Policy at Graves Concerns.

meta

Follow

Get every new post delivered to your Inbox.