Just as car manufacturers in the 1960s seemingly forgot about safety considerations in their rush to bring new models to market, insurers may be in danger of forgetting about the ethics of data gathering in their eagerness to benefit from InsurTech innovations.
With telematics companies already gathering huge amounts of data, the likelihood is that they are only going to collect more. Management consulting firm McKinsey & Company predicts that car data will be monetised to such an extent by 2030 that it could yield between $450bn and $750bn in revenues.
Such data volume raises obvious concerns about privacy, since the data collected not only reveals how a motorist drives, but also how he or she behaves. That is, of course, why insurers are so interested in gathering it and analysing it.
But insurers are not alone in this. Law enforcement, consumer products companies, advertising agencies and many others want the data for their own analysis too.
“There’s an ethical dilemma, but not just with telematics,” says John Kramer, vice president for North
America for The Floow, an InsurTech company that collects and analyses driver data for large insurers, original equipment manufacturers (OEMs) and big fleet managers. “It’s anything related to location-based services.”
While insurers clearly don’t own the data – the policyholder does – they have access to it and can easily provide a pathway to others. As a result, permission for using telematics data and safeguarding it becomes an ethical burden.
InsurTech companies aren’t out of the woods, either. While the onus of permissions is on their customers – insurers – they too have a responsibility to protect against data breaches. “As stewards of the data, we’re held to that same standard [as our customers are],” Kramer notes.
Game changer
What may ultimately force discipline on insurers and InsurTech firms, as well as other companies, is the EU’s incoming General Data Protection Regulation (GDPR), which will require corporations to better protect people’s privacy or face stiff penalties.
“GDPR is a game changer,” asserts Ann Cavoukian, distinguished expert-in-residence at the Privacy by Design Centre of Excellence at Ryerson University in Toronto. “Companies understandably are freaking out.”
Still, the incentive for using telematics doesn’t just lie with insurers, but policyholders themselves, who potentially stand to save money. Lots of money.
There are other advantages, too, such as increased safety, because driver weaknesses are exposed.
“Everyone has a tendency to go to this dark place,” says The Floow’s Kramer. “But how we use this data is to save lives. We can help protect the world. And in the process of trying to protect society, we are helping insurers make money.”
Good drivers have always complained that they unfairly subsidise bad ones. Telematics can help liberate those good drivers. Insurers are now exploring real time underwriting, using data and analytics to adjust premiums every time a driver gets behind the wheel.
Drivers enrolling in Floow’s “Floow Coach” product are able to see the data from their trips and receive a safety score that influences the insurance discount they could get.
The company can also home in on the worst drivers. Floow creates a programme for each of those drivers, calls and coaches them, and walks them through the steps to becoming better drivers, setting goals and establishing accountability.
Not only has the programme reduced the severity of accidents, claims Kramer, but it has resulted in 16.5 percent fewer accidents altogether.
Floow doesn’t record data of someone breaking the law, however. For example, it doesn’t tag people
going over the speed limit, Kramer says. When speed is measured, it is contextual – as in, for example, how risky is the road a person is driving on? And what speed are they driving on it?
Floow does measure phone usage, though. Why? Because such telematics record distraction data, “and that’s a risk event”, Kramer says.
Compliance and benefits
For several years now, law enforcement agencies have, at times, used subpoenas and warrants to get location information collected by the likes of satellite radio and telematics company SiriusXM and General Motor’s OnStar service.
Insurers are not immune and have also received subpoenas for telematics data. They get the data from their suppliers and comply with the request.
Kramer says that while Floow has not experienced this yet, like other telematics companies it would have to accommodate its customers (i.e. insurers), and also comply.
In addition to saving money, however, drivers can also derive additional benefits from the data that telematics companies are collecting on them.
Consider, for example, the benefits that Otonomo, a San Francisco-based telematics company which describes itself as “a marketplace for car-connected data”, can provide. Otonomo’s customers are
OEMs, namely big automakers. But new clients are coming. “We’re in discussions with insurance companies for user-based insurance,” says Otonomo’s chief marketing officer Lisa Joy Posner.
She thinks Otonomo will partner with InsurTech companies and then work with big insurers. Why?
Because Otonomo deals with three kinds of data – mobility, behavioural and diagnostic. Mobility data tracks what is happening to the car; behavioural information measures how far a driver lets fuel levels fall or how hard he or she presses down on the accelerator, for example; and diagnostic metrics record how often the windshield wipers are on or how full the battery charge is.
Armed with this data, Otonomo can then offer the driver real-time coupons for services he or she may need – like an oil change, or a service call for a fuel truck if there’s only quarter of a tank of petrol in the car.
To provide those services, however, Otonomo needs the motorist’s permission. The customer owns the data, Posner asserts, “but chooses to share it in return for applications and services”.
Opt-in, opt-out
What critics don’t like about the permission system is that it is often “opt-in, opt-out”, where privacy isn’t the default, opting in is.
“What I don’t see is a lot of insurers asking themselves these questions,” says Duncan Minty, who writes a blog on insurance ethics and provides consulting services to insurers on ethical matters. “It’s a gold rush. Let’s use as much as we can.”
Ryerson’s Cavoukian points out that drivers have to actively opt out, which they rarely do because the legalese and verbiage surrounding terms and conditions just make it more convenient to accept.
But the GDPR could change the paradigm. Cavoukian created the “privacy by design” guidelines in the late 1990s, which became an international standard in 2010. Now the principle has been incorporated in Article XXV of the GDPR.
With privacy by design “you automatically get privacy”, she explains. In other words, privacy is the default – opting in is not.
GDPR’s influence will not end there, however. Under the rules, law enforcement agencies would have to get a warrant to request telematics and other private data and not just a subpoena. “Insurance companies shouldn’t be providing material without a warrant,” Cavoukian says.
She points out that it is difficult to predict what will happen in the US, though she believes companies will start adopting the GDPR standard on their own. “If you don’t have a strong foundation of security, you don’t have privacy,” she explains.
A lack of standards for telematics data may lead to more vigilance, too. Some companies collect such data every second, but others may do so every 30 seconds. “I don’t see standardisation in the short term,” says Kramer.
This lack of standardisation means insurers and InsurTech firms will hopefully default to a position of caution. Telematics conservatism could also be the result under GDPR too. But insurers under GDPR will have to up their game on data protection, Cavoukian believes.
Under the law, there are data controllers – the insurers themselves – and data processors, which are the InsurTech firms. The data controllers are ultimately responsible for their data processors.
“They have to lay down the law,” she says of data controllers. “The law with data processors is, they’ll have to elevate the data protections insurers expect of them.”
This article was first published in the Spring 2018 issue of Insider Quarterly
