1858
Mozilla review of 25 car brands finds they're "a privacy nightmare"
(foundation.mozilla.org)
This is a most excellent place for technology news and articles.
This is more based on authorization vs CC details. It's much safer for a company than holding onto credit card numbers. Creating a subscriptions generates an authorization code which is good for the account, not just a specific card number. Revoking that authorization is a separate call to the bank rather than just having a credit card replaced.
That authorization shouldn't be indefinite either though. After three years of no activity and a card expiring, OnStar was still able to make a charge to renew that trial subscription.
And looking around the web, there are a few stories from that 2016 time frame to indicate that it was a new-ish, or at least not well known, practice at the time.