The Federal Trade Commission has banned General Motors and OnStar from sharing precise location and driving data with consumer reporting agencies for five years, following a settlement that reveals how the automaker collected and sold detailed telematics data without clear customer consent.
The Federal Trade Commission has finalized a 20-year consent order against General Motors and its OnStar subsidiary, prohibiting the sharing of drivers' precise location and behavior data with consumer reporting agencies for five years. The order, finalized on January 14, 2026, follows a proposed settlement reached a year earlier and stems from revelations that GM transformed connected vehicles into surveillance devices by collecting and selling detailed driver data without transparently informing customers.
The Smart Driver Program: Safety Pitch vs. Data Harvesting
GM's Smart Driver feature was marketed as a free safety application within GM's connected car ecosystem, designed to encourage safer driving habits. However, the FTC's complaint, first disclosed in January 2025, reveals a more troubling reality. According to the agency, GM systematically collected extensive telematics data including precise GPS coordinates, hard braking events, acceleration patterns, speed metrics, and even seatbelt usage. This data was then sold to third-party data brokers such as LexisNexis and Verisk, who in turn sold it to insurance companies that used it to influence customer premiums.
The New York Times investigation in 2024 exposed how this data pipeline operated. Drivers who enrolled in Smart Driver, often without fully understanding the scope of data collection, found their driving behaviors being monetized and shared across a network of data brokers and insurers. The program was framed as a voluntary safety feature, but the FTC alleges GM steered customers toward enrollment while minimizing disclosures about data collection practices and third-party sharing.
Regulatory Action and Compliance Requirements
The FTC's consent order establishes several critical compliance mandates for GM:
Data Sharing Restrictions: GM is prohibited from sharing precise location data and driving behavior data with consumer reporting agencies for five years. This directly targets the data pipeline that fed insurance companies through brokers like LexisNexis and Verisk.
Consent Requirements: The order mandates that GM must obtain explicit, informed consent from drivers before collecting or sharing covered data in the future. This represents a significant shift from the previous model where data collection was often bundled with other services.
Consumer Rights: GM must provide consumers with a straightforward method to request copies of their data, request deletion of their data, and completely disable the collection of precise geolocation data. These rights must be clearly communicated and easily accessible.
Transparency Mandates: The company has been required to consolidate its sprawling US privacy notices into a single, comprehensible document. This addresses previous criticisms that privacy information was fragmented across multiple documents and services.
Permitted Uses: The order does allow GM to share location data with emergency responders and use data internally for research and development. The company confirmed it may also share anonymized data with select partners for traffic analysis and road safety projects, provided this doesn't involve precise location tracking for consumer reporting purposes.
Timeline and Implementation
The consent order took effect immediately upon finalization on January 14, 2026. The five-year prohibition on sharing data with consumer reporting agencies began at that time. GM must implement all consent and data access mechanisms within a reasonable timeframe, which the FTC typically expects within 90 days for such settlements.
The 20-year duration of the overall consent order is notable. It means GM will remain under FTC oversight for two decades, with potential penalties for violations. This extended period reflects the FTC's view that data privacy in connected vehicles requires long-term monitoring rather than a one-time fix.
GM's Response and Actions Taken
GM has already taken significant steps in response to the investigation. The company shut down the Smart Driver program across all brands in April 2024, citing customer backlash. At that time, GM unenrolled all users and severed the third-party telematics deals that fed data to LexisNexis and Verisk.
In a statement following the settlement, GM emphasized that "respecting our customers' privacy and earning their trust is deeply important to us." The company noted that Smart Driver was created to promote safer driving behavior but was discontinued due to customer feedback. GM argued that the FTC order "goes above and beyond existing law" and largely codifies changes the company says it has already implemented.
Broader Implications for the Automotive Industry
This settlement represents more than a single company's compliance issue—it serves as a warning shot to the entire automotive industry. As carmakers increasingly seek to monetize connected vehicle data, regulators are signaling that transparency and consent are non-negotiable.
The case highlights several industry-wide challenges:
Data Monetization vs. Privacy: Automakers face pressure to generate revenue from connected services, but this settlement establishes clear boundaries. Companies must distinguish between legitimate safety features and data-harvesting schemes.
Consent Complexity: The requirement for explicit, informed consent creates implementation challenges. Automakers will need to redesign how they present data collection options to customers, moving beyond dense legal documents to clear, accessible explanations.
Third-Party Data Sharing: The prohibition on sharing with consumer reporting agencies specifically targets a common industry practice. Automakers will need to audit their data sharing partnerships and ensure compliance with new restrictions.
Long-term Compliance: The 20-year order means automakers must build privacy protections into their systems from the ground up, rather than treating them as add-on features.
Technical and Operational Changes Required
GM and other automakers will need to implement several technical and operational changes:
Data Collection Systems: Connected car platforms must be redesigned to support granular consent controls. This includes the ability to selectively disable specific data types (like precise location) while keeping others active.
Data Access Portals: Companies must create user-friendly interfaces for consumers to access, download, and delete their data. This requires robust backend systems to manage data requests across potentially millions of vehicles.
Third-Party Integration Management: Automakers need to establish clear data sharing agreements that comply with consent requirements. This includes technical controls to prevent unauthorized data transmission.
Audit and Compliance Monitoring: Given the 20-year order duration, companies must implement ongoing monitoring systems to detect and prevent violations.
Consumer Impact and Rights
For drivers, this settlement establishes important protections:
Right to Know: Consumers have the right to understand exactly what data is being collected from their vehicles.
Right to Control: Drivers can choose to disable specific data collection features, particularly precise location tracking.
Right to Access: Consumers can request copies of all data collected about them.
Right to Delete: Drivers can request deletion of their data, subject to legal retention requirements.
Right to Transparency: Privacy information must be presented clearly and accessibly, not buried in complex legal documents.
Looking Ahead: Industry-Wide Compliance
The FTC's action against GM signals a new era of automotive data privacy regulation. As vehicles become increasingly connected and autonomous, the amount of data generated will only grow. Regulators are establishing clear boundaries now, before the industry fully matures.
Other automakers should take note. The practices that GM engaged in—collecting detailed driving data without clear consent and sharing it with third parties—are likely common across the industry. The FTC's 20-year order against GM creates a precedent that will likely be applied to other companies found violating similar principles.
For the automotive industry, the message is clear: data collection for safety and convenience is acceptable, but data harvesting for undisclosed commercial purposes is not. The era of treating connected cars as surveillance devices is coming to an end, replaced by a regulatory framework that prioritizes consumer privacy and informed consent.
The settlement also highlights the evolving role of data brokers in the automotive ecosystem. Companies like LexisNexis and Verisk have built business models around collecting and selling driving data, but this FTC action may force them to reconsider their data sources and collection methods.
Ultimately, this case represents a significant step toward establishing digital privacy rights in the automotive space. As vehicles continue to evolve into sophisticated computing platforms, the regulatory framework established here will serve as a foundation for future privacy protections in an increasingly connected transportation ecosystem.