The Federal Trade Commission has finalized a landmark order against General Motors and its OnStar subsidiary, prohibiting the sale of driver location and behavior data to consumer reporting agencies for five years. The settlement follows findings that GM collected precise geolocation data every three seconds through its 'Smart Driver' feature without customer consent, then sold it to insurance companies, leading to higher premiums or coverage denials.
The Federal Trade Commission has finalized a sweeping order against General Motors and its OnStar subsidiary, banning the automaker from selling drivers' precise location and behavior data to consumer reporting agencies for five years. The settlement, announced Wednesday, addresses what the FTC called GM's "egregious betrayal of consumers' trust" through years of undisclosed data collection and monetization.

The Secret Data Collection Scheme
Between 2015 and 2024, GM collected detailed driving data from millions of vehicles through its OnStar Smart Driver feature. Marketed as a voluntary tool for drivers to assess their driving habits, the feature actually harvested precise geolocation information and driving behavior metrics every three seconds. This included data on speed, braking patterns, acceleration, and location history—often without customers' explicit knowledge that this information was being collected and sold.
The FTC's complaint revealed that GM sold this data to consumer reporting agencies, which then provided it to insurance companies. This practice led to tangible consequences for consumers: increased insurance premiums or outright denial of coverage based on driving patterns they never consented to share. The data collection affected vehicles across GM's portfolio, including Chevrolet, Buick, GMC, and Cadillac models.
The Settlement's Core Provisions
The FTC's order imposes strict limitations on GM's data practices for the next 20 years:
- Five-Year Sales Ban: GM cannot share consumers' geolocation and driver behavior data with consumer reporting agencies until January 2031.
- Express Consent Requirement: For the full 20-year duration, GM must obtain explicit consent before collecting, using, or sharing connected vehicle data. The only exception is for emergency services.
- Consumer Data Rights: U.S. consumers gain the right to request copies of their data and seek its deletion. GM must provide vehicle owners the ability to disable precise geolocation collection and opt out of location and behavior data collection entirely, with limited exceptions.
- Transparency Mandates: GM must clearly communicate how customer data is used and provide accessible privacy controls.
GM's Response and Privacy Program Expansion
In response to the settlement, GM stated that the FTC order "includes new measures that go above and beyond existing law, while capturing steps we've already taken to establish choices for customer data collection and communications about how the information is used." The company announced it has expanded its privacy program to provide customers in all 50 states with options to access and delete their personal information.
However, privacy advocates note that the settlement comes after years of practice that violated consumer expectations about data privacy in connected vehicles. The case highlights a growing tension in the automotive industry: as vehicles become increasingly connected and data-rich, manufacturers face pressure to monetize this information while navigating complex privacy regulations.
A Broader Pattern of Automotive Data Exploitation
The GM case is part of a larger trend of automotive companies collecting and selling driver data without adequate consent. In January 2025, Texas Attorney General Ken Paxton filed a lawsuit against Allstate and its subsidiary Arity for unlawfully collecting and selling driving data from over 45 million Americans.
That case involved an SDK embedded in popular apps like Life360, GasBuddy, Fuel Rewards, and Routely that collected driving data without drivers' knowledge. The lawsuit also implicated multiple car manufacturers, including Toyota, Lexus, Mazda, Chrysler, Jeep, Dodge, Fiat, Maserati, and Ram, who allegedly collected and sold data directly to Allstate and Arity.
Practical Implications for Drivers and Automakers
For Consumers: The settlement provides concrete rights that didn't exist before. Drivers with GM vehicles should:
- Review their OnStar and connected vehicle privacy settings
- Exercise their new right to access and delete collected data
- Consider disabling precise location collection if privacy is a priority
- Monitor insurance quotes, as the data-sharing ban may affect pricing models
For Automakers: The case establishes important precedents:
- "Smart" features marketed as voluntary tools cannot be used as hidden data collection mechanisms
- Data monetization strategies must be transparent and consent-based
- Privacy controls must be granular and easily accessible, not buried in complex menus
- The FTC is willing to impose long-term restrictions (20 years) for serious violations
The Technology Behind the Collection
Modern connected vehicles generate vast amounts of data through telematics systems. OnStar's technology used cellular networks to transmit data every three seconds, creating detailed driving profiles. This data typically includes:
- GPS coordinates with timestamps
- Vehicle speed and acceleration patterns
- Hard braking events
- Cornering behavior
- Trip destinations and routes
This information, when aggregated and analyzed, can reveal sensitive patterns about a person's daily routine, workplace location, medical appointments, and personal habits.
Industry-Wide Privacy Challenges
The automotive industry faces unique privacy challenges. Unlike smartphones, where users can choose apps and services, vehicle data collection is often built into the car's core systems. Consumers have limited ability to opt out without losing functionality. The GM case demonstrates how "convenience" features can become surveillance tools.
Privacy regulations are evolving rapidly. The FTC's action follows similar enforcement in Europe under GDPR and emerging state laws in the U.S. Automakers must now navigate a complex patchwork of regulations while maintaining consumer trust.
Looking Ahead: What Changes for Consumers
The GM settlement represents a significant shift in how automotive data privacy is enforced. For the first time, a major automaker faces long-term restrictions on data sharing practices. This creates a template for future enforcement against other manufacturers.
Consumers should expect more transparency from automakers about data collection practices. The industry may move toward more granular privacy controls, allowing drivers to choose what data they share and with whom.
However, the settlement also raises questions about enforcement. Will other automakers face similar scrutiny? Will the five-year ban on data sales be sufficient to change industry practices? And how will insurance companies adjust their risk models without access to detailed driving data?
The automotive data privacy landscape is still evolving, but the GM settlement marks a clear turning point: the era of secret data collection and sale is ending, replaced by a new requirement for explicit consent and consumer control.
The GM case serves as a critical reminder: in the age of connected vehicles, data privacy is not just a feature—it's a fundamental right that requires explicit protection and enforcement.
