The U.S. Federal Trade Commission (FTC) is seeking to prohibit General Motors (GM) from selling driver data to third parties as part of a settlement agreement following allegations the company sold the data without user permission.
The issue stems from GM encouraging customers to sign up for its OnStar connected vehicle service and the OnStar Smart Driver feature through a “misleading enrollment process,” the agency said. The company claimed that these tools help users “assess their driving habits.”
However, GM did not “clearly disclose” that the collected information—including data related to speeding, instances of hard braking, and late-night driving—would be sold to third parties such as consumer reporting agencies, the FTC claims.
Agencies “used the sensitive information GM provided to compile credit reports on consumers, which were used by insurance companies to deny insurance and set rates,” it said.
The FTC pointed out that tracking or collecting geolocation data was an invasion of privacy because it reveals details such as daily routines or an extremely specific event such as visiting a medical facility.
Under the proposed settlement agreement, GM and OnStar are banned from disclosing geolocation and driver-behavior data to consumer reporting agencies for a period of five years.
Before collecting a customer’s vehicle data, the companies must secure “affirmative express consent” from users. Customers must be given the option to disable the collection of precise geolocation data. They also should be able to opt out of the collection of geolocation and driver behavior details.
In addition, “the companies must create a way for all U.S. consumers to request a copy of their data and seek its deletion.”
According to the FTC, this is the agency’s “first action related to connected vehicle data.”
“The FTC consent order includes new measures that go above and beyond existing law, while capturing steps we’ve already taken to establish choices for customer data collection and communications about how the information is used,” the company said.
“We’re also giving customers more transparency and control. We’ve expanded a GM privacy program to provide customers in all 50 states with options to access and delete their personal information.”
According to GM, it consolidated various U.S. privacy statements into a single, simpler statement in September 2024 to improve privacy protections.
Protecting Car Owners’ Data
According to the FTC, GM’s data collection-enrollment process for OnStar and Smart Driver was “confusing and misleading.”“In fact, some consumers were unaware that they had been signed up for the Smart Driver feature,” it said.
Many customers were not aware of GM selling data and complained to the company when they found out about it, the FTC said.
According to the report, a customer said: “When I signed up for this, it was so OnStar could track me. They said nothing about reporting it to a third party. Nothing. […] You guys are affecting our bottom line. I pay you, now you’re making me pay more to my insurance company.”
An investigation conducted by Wyden’s office found that three automakers—Honda, GM, and Hyundai—had shared data with Verisk Analytics, a data broker with clients in the insurance industry.
At the time, GM denied allegations of deceiving customers to sign up for a data-sharing program with Verisk. The partnership was canceled in March 2024, with the Smart Driver program shut down in June 2024, it said.
“Data was only shared with an insurer if a customer initiated a quote directly with their chosen carrier and provided a separate consent to that carrier,” GM said, adding that it does share “de-identified” data with some partners to assist with city infrastructure and making roads safer.
Tesla was ranked as the worst car brand for privacy, and the list included other companies such as Nissan, Cadillac, Chevrolet, Mercedes-Benz, Ford, and Lexus.
In September 2024, Sen. Jeff Merkley (D-Ore.) introduced the “Car Privacy Rights Act” aimed at protecting car owners’ data privacy from companies that collect such information.
“The bill also requires these entities to provide a clear option to opt-out of the data collection entirely, ensuring consumers are not locked into these predatory practices,” the statement said.
