Elena Scotti/FUSION

Your car insurance company may have a surprising way to spy on your odometer.

Earlier this month, Ryan Hurst tweeted a letter a friend had received from State Farm informing his friend that it was revoking his plan's "low annual mileage" rating because he'd driven too many miles. Driving more means a greater chance that an accident could happen and thus more expensive car insurance. State Farm included the person's odometer reading from March 14, 2016, explaining it had obtained the reading from a third party.

Advertisement

"Looks like oil change companies sell non-anonymized mileage data to insurance companies," Hurst wrote in his tweet. The friend, who didn't wish to talk to the media, later clarified that, by process of elimination, it seemed most likely that his car dealership had outed him to State Farm.

Another Twitter user chimed in saying he'd stopped taking his car to Valvoline after the details about the work done on the car at every visit showed up in a CarFax report. Valvoline did not respond to a request for comment.

Sevag Sarkissian, a State Farm spokesperson, confirmed that the company gets mileage information for cars it insures in a variety of ways: from customers directly, from telematics technologies if a customer has plugged a monitoring device into their car, and "sometimes through the use of a third party vendor."

Advertisement

"It is important to note that when it comes to mileage verification, it works both ways; meaning updated mileage from a customer can result in classifications moving from short to long, or long to short annual mileage," said Sarkissian by email.

Sarkissian said that State Farm informs customers this might happen, and that the following message is included in their policy:

Your auto insurance rates have been reduced through our low mileage rating. To ensure we've priced our insurance coverage accurately, we verify odometer readings through a third party provider. If we're unable to verify the information needed, we may follow up with you to provide your odometer reading information.

But what about the third party vendors, such as the dealerships and oil change companies, that record people's mileage? Do they inform their customers that they might sell information collected during a car's check-up? Is it in the fine print somewhere? If they're following privacy best practices, they should be disclosing to their customers that they're passing that data along to third parties.

If the information is linked to "a specific vehicle or consumer," it is personally identifiable information, says Jules Polonetsky, the head of the Future of Privacy Forum.

"As privacy 'futurists,' we predict that the scrutiny in the next years is likely to focus intensely on insurers," said Polonetsky by email. "Data like this may be surprising, but has long been collected by vendors to the insurance market. As insurers seek even more data that is accessible, data that can have real consequences for setting rates, exposing fraud or denying benefits, the attention to this regulated industry is going to become a focus of major debate."

It's another reminder of how hard it is to keep track of who is collecting information about you and what information might prove valuable enough to sell. In the meantime, the next time you take your car in for work, read the fine print on anything you sign (and feel free to send me a copy).