From the NYT article:
"the trip details had been provided by General Motors -- the manufacturer of the Chevy Bolt. LexisNexis analyzed that driving data to create a risk score "for insurers to use as one factor of many to create more personalized insurance coverage," according to a LexisNexis spokesman, Dean Carney.
Upon Mr. Dahl's request, LexisNexis sent him a 258-page "consumer disclosure report," which it must provide per the Fair Credit Reporting Act. What it contained stunned him: more than 130 pages detailing each time he or his wife had driven the Bolt over the previous six months. It included the dates of 640 trips, their start and end times, the distance driven and an accounting of any speeding, hard braking or sharp accelerations. The only thing it didn't have is where they had driven the car. On a Thursday morning in June for example, the car had been driven 7.33 miles in 18 minutes; there had been two rapid accelerations and two incidents of hard braking. "
From Subaru's privacy policy which we all agree to when we get in the car, which is somehow legal:
"3. HOW WE COLLECT INFORMATION
Connected Vehicle Services
We collect Personal Information and Non-Personal Information automatically from Connected Vehicles. This Information includes vehicle and service-related information, including but not limited to VIN and vehicle description; vehicle maintenance information; mechanical condition or incidents involving the vehicle such as crash severity sensor data; time, LOCATION and speed of vehicle; a Vehicle Occupant’s search content; your personal identification number (“PIN”); and information about calls related to the Services or your account, such as the date, time and duration of the call, the identity and phone number of the caller, and contents of or notes about the call. In addition, your vehicle may be equipped with one or more sensing or diagnostic modules capable of automatically retrieving, recording, transmitting, or storing certain vehicle data, including but not limited to trouble codes, tire pressure, battery voltage, coolant temperature, and service requirements. We may collect and retain data from any such modules in your vehicle.
Subaru may disclose and share Personal Information and Non-Personal Information in accordance with the practices described in this Privacy Policy. The categories of entities to whom we disclose Personal Information (including in the last 12 months) include the following:
...
API Providers and Data Providers
“API Provider” means a third party licensor of software that we include in, or use with, the Services, including an API or SDK, that provides a specialized function or service to us and that requires the transmission of Personal Information and/or Non-Personal Information to the API Provider.
“Data Provider” means a third party provider of data aggregation products and services. We may disclose Personal Information and Non-Personal Information to API Providers and Data Providers and, in some cases, API Providers and Data Providers may use Personal Information and Non-Personal Information for their own benefit. In such cases, their privacy policies will apply to their use of such Information."
https://www.subaru.com/support/privacy-policies.html
So, it would be completely legal for them to collect and share/sell the data whether we want them to or not. And some third party can determine whether I drive safe or not, probably algorithmically, despite not having an at-fault crash or ticket in my life.