The Federal Trade Commission (FTC) announced the formal finalization of a sweeping order this week, imposing stringent restrictions on General Motors (GM) and its subsidiary telematics service, OnStar, concerning the collection and distribution of highly sensitive consumer data. This decisive action, which formalizes a proposed settlement reached approximately a year prior, prohibits GM from sharing specific categories of detailed driver and location data with consumer reporting agencies (CRAs). More critically, the order establishes a mandatory requirement for the automaker to adopt a dramatically enhanced transparency framework and secure explicit, affirmative consent from consumers before engaging in any connected vehicle data collection activities.

This regulatory conclusion marks the culmination of an intensive two-year investigation cycle, which was initially triggered by explosive investigative reports detailing the opaque mechanisms through which modern vehicles were transformed into sophisticated, mobile data harvesting platforms. These reports, notably those published in early 2024, exposed how GM and OnStar systematically gathered granular data—including precise geolocation coordinates, detailed driving behaviors such as hard braking and rapid acceleration, and even seatbelt usage metrics—and subsequently monetized this sensitive information by selling it to third-party data brokers, including industry giants LexisNexis and Verisk.

The core controversy centered on GM’s Smart Driver program. Positioned as a free, value-added feature within GM’s ecosystem of connected car applications, the program tracked and scored driving behaviors. Unbeknownst to many drivers, the data scores generated by Smart Driver were being relayed to data brokers, who then integrated this behavioral profile into their broader consumer risk assessments. These dossiers were ultimately purchased by auto insurance providers, often resulting in unexpected and substantial increases in customer premiums, based on driving habits the owners were not aware were being evaluated for commercial purposes.

The gravity of the situation prompted a swift, though not immediate, response from GM. Citing widespread customer feedback and concerns regarding privacy, GM announced the discontinuation of the Smart Driver program across all its brands in April 2024. Simultaneously, the automaker confirmed it had retroactively unenrolled all existing customers from the program and formally terminated its data-sharing relationships with telematics partners like LexisNexis and Verisk. While these proactive steps addressed the immediate outflow of data, the FTC’s mandate ensures structural changes to prevent recurrence.

The FTC’s formal complaint centered on allegations of deceptive practices and a profound failure of disclosure. The agency contended that GM and OnStar utilized a confusing and misleading enrollment process when consumers signed up for the OnStar connected vehicle service and the subsequent Smart Driver feature. Specifically, the FTC alleged that the automaker obscured the crucial fact that the collected data was not merely used internally for driver feedback or diagnostic purposes, but was being actively collected and sold to external third parties for commercial risk assessment.

The New Standard: Explicit, Affirmative Consent

The finalized order introduces a fundamental paradigm shift in how automakers must handle consumer privacy, moving away from ambiguous, bundled consent models towards explicit, informed opt-in. Under the new mandate, GM is now required to secure explicit, affirmative consent from consumers before any collection, use, or sharing of connected vehicle data can commence.

GM has indicated that this critical process of obtaining consent is being integrated directly into the vehicle acquisition pipeline. When a consumer purchases a new or used GM vehicle, the OnStar system is immediately linked to the specific Vehicle Identification Number (VIN). At this critical juncture, typically at the dealership point of sale, the new owner is presented with a clear, unambiguous choice regarding their agreement—or refusal—to participate in data collection. This structural integration is designed to prevent passive enrollment or consent buried deep within lengthy, unread digital agreements.

Industry Implications and the Future of Telematics

The significance of the FTC’s action extends far beyond GM’s corporate boundaries. This settlement serves as a powerful regulatory beacon for the entire automotive industry, which has increasingly relied on vehicle telematics data as a cornerstone of future revenue models. The market for connected car data is projected to reach tens of billions of dollars globally by the end of the decade, encompassing everything from predictive maintenance to in-car advertising and, crucially, actuarial risk assessment.

For decades, the standard practice in the digital economy has been "notice and choice"—a model often criticized for placing the burden of opting out onto the consumer. By mandating explicit consent, the FTC is effectively imposing a standard analogous to the European Union’s General Data Protection Regulation (GDPR) within the specific context of sensitive automotive data shared with CRAs under the purview of the Fair Credit Reporting Act (FCRA).

Expert legal analysis suggests that the FTC specifically targeted the data flow to LexisNexis and Verisk because once driving behavior metrics—like speeding frequency or braking intensity—are compiled into a score used to assess financial risk (i.e., insurance eligibility or pricing), they function similarly to credit reports. The moment this information is categorized and distributed by a CRA, it is subject to the stringent disclosure and dispute requirements of the FCRA. The FTC’s ruling leverages existing consumer protection statutes to regulate emerging technology, filling the void left by the slow progress of comprehensive federal data privacy legislation in the United States.

This ruling sends a chilling message to other major Original Equipment Manufacturers (OEMs), including Ford, Stellantis, and Tesla, all of whom collect vast quantities of similar granular driving and location data. These companies must now critically evaluate their own data monetization strategies. If they are currently sharing non-anonymized, individual driver data with brokers that feed the insurance or financial industries, they are now exposed to similar regulatory scrutiny and potential enforcement actions. The GM settlement dictates the new baseline for acceptable practices.

Exceptions, Anonymization, and Public Interest

While the order institutes a strict ban on sharing specific consumer data with CRAs, the FTC acknowledged several necessary exceptions vital for safety and public good. GM remains authorized to share location data with emergency first responders, such as in the event of a crash or stolen vehicle recovery, which are foundational safety features of the OnStar service.

Furthermore, GM retains the ability to utilize data for internal research and development purposes. Crucially, the order allows the sharing of de-identified or anonymized data with select partners, provided this data cannot be reasonably associated with specific drivers or vehicles. This allowance recognizes the significant societal benefits derived from aggregated telematics data. For instance, GM confirmed sharing such anonymized data with academic partners, such as the University of Michigan, where it has been leveraged for sophisticated urban planning studies, including optimizing traffic signal timing and improving overall road safety infrastructure.

The distinction between identifiable and de-identified data is paramount. In the context of vehicle telematics, true de-identification requires robust measures to prevent re-identification, a task that becomes increasingly difficult when dealing with high-frequency, precise location data. Regulatory bodies and privacy advocates will continue to monitor how effectively automakers implement anonymization protocols to ensure compliance with the spirit of the order, not just the letter.

Operational Overhaul and Consumer Access Rights

Beyond consent and data sharing bans, the FTC order mandates substantial improvements in consumer control and transparency. GM is required to establish clear, accessible mechanisms for all U.S. consumers to request a copy of the data collected about them, and perhaps most importantly, to seek its permanent deletion. Furthermore, consumers must be granted an easily accessible means to disable the collection of precise geolocation data from their vehicles entirely.

GM maintains that it has already moved to comply with these stringent mandates. The automaker began a comprehensive overhaul of its privacy policies and programs in 2024, aiming to simplify the convoluted legal language that historically plagued technology agreements. This effort included consolidating numerous disparate U.S. privacy statements into a single, more streamlined document, alongside expanding the operational privacy program that facilitates customer requests for data access and erasure.

In an official statement following the finalization of the order, GM affirmed its commitment: “The Federal Trade Commission has formally approved the agreement reached last year with General Motors to address concerns. As vehicle connectivity becomes increasingly integral to the driving experience, GM remains committed to protecting customer privacy, maintaining trust, and ensuring customers have a clear understanding of our practices.”

The Road Ahead: Trust and Technological Solutions

The fallout from the Smart Driver program and the subsequent FTC intervention underscores a fundamental crisis of trust between consumers and connected vehicle manufacturers. When sophisticated technology operates under the hood, extracting valuable personal data without clear consent, the perception of surveillance can severely undermine the adoption of beneficial features.

For the automotive industry, this settlement is not merely a legal hurdle but an economic restructuring event. OEMs must now invest heavily in Privacy-Enhancing Technologies (PETs) and decentralized data management systems that prioritize consumer control. Implementing consent management systems at the dealership level—the point where the legal relationship is forged—presents technological and logistical challenges, requiring sales staff training and seamless digital integration. However, this friction is necessary to ensure the transaction is grounded in transparency.

Looking forward, the trend is clear: regulators are no longer willing to accept vague privacy disclosures in exchange for access to high-value personal data. This FTC order establishes a crucial precedent: when consumer reporting agencies utilize behavioral data derived from connected products to assess risk, the data collection practices must meet the highest standards of transparency and explicit consent. This action signals the beginning of a sustained regulatory focus on the vast, untapped, and potentially exploitative data streams emanating from the 21st-century vehicle, forcing automakers to recalibrate their revenue strategies from data harvesting toward value-added services built on consumer confidence and privacy by design. The era of silent automotive data extraction has definitively ended.
