Hacker News

While I dislike how little practical enforcement there is against the pervasive surveillance by ad-tech companies, this is one of the things that GDPR works wonders against:

No sane company would want to participate in such a scheme in Europe. Both the seller and the buyers would be on the hook for massive GDPR fines, and unlike a tech company where the privacy violations might be contributing 50% of the revenue and which could thus easily consider a 4% of revenue fine once every few years a (small) cost of doing business, car companies can't afford that.

General Motors had a global revenue of $172 billion, net income $10B, and the data sales are only a small part of that.

The intermediate company that's buying the data and reselling it to car manufacturers could potentially try to get away with it, because their entire business model depends on it, so they have little to lose. Just make sure to keep no money in the company, because once the DPAs learn of the business, the company a) has no business model, because they will prohibit continued buying/selling of the data, and b) is likely to be bankrupted by the fine that might well exceed their entire revenue (for smaller companies, the fine isn't capped at 4% of revenue; the limit is 20M EUR).

For the insurance companies that would be buying this data I'd imagine it's even worse.

And this sort of egregious thing is something I can see DPAs actually enforcing, because it'd be much more clear-cut than tech companies using non-compliant consent banners.

Edit: And I forgot the most important thing - if they don't put it into their privacy policy they're even more screwed, and if they do put it there, a customer who finds it can get it enforced by sending an e-mail (or in Germany, letter, because some DPAs don't accept e-mail) rather than finding a lawyer willing to start a class action.



