FTC Forces GM and OnStar to Stop Selling Drivers' Data After Deceptive Enrollment Practices
The Federal Trade Commission has settled with General Motors and its OnStar connected-vehicle subsidiary over charges that the companies enrolled millions of customers in data collection programs through deceptive practices and then sold detailed driving behavior and location data to insurance companies and data brokers, often without customers' knowledge. The settlement imposes strict new restrictions on how GM can collect and monetize driver data going forward.
Background
The FTC's complaint, originally filed in January 2025, alleged that GM and OnStar used misleading enrollment flows to sign customers up for the Smart Driver program, which collected granular data on acceleration, braking, cornering, and location. Customers who enrolled, often through confusing in-vehicle prompts or dealer-initiated sign-ups, were not clearly informed that their driving data would be sold to third parties, including insurance companies that used the information to adjust premiums.
The complaint alleged that GM shared data with LexisNexis Risk Solutions and Verisk Analytics, two major data aggregators that supply information to auto insurers. Customers who had their data shared reported receiving unexpected premium increases or coverage denials based on driving behavior they did not know was being monitored. The FTC found that GM's enrollment process made it difficult for customers to understand what they were agreeing to and even harder to opt out once enrolled.
Key Developments
Under the settlement terms, GM and OnStar are prohibited from sharing customer location and driving behavior data with consumer reporting agencies or insurance companies without obtaining clear, affirmative consent from customers. The companies must also provide customers with a straightforward mechanism to access, correct, and delete their data. GM is required to implement a comprehensive data governance program with independent oversight and to submit compliance reports to the FTC for the next 20 years.
The settlement does not include a monetary penalty, a limitation that drew criticism from consumer advocates who argued the FTC's enforcement tools are insufficient to deter large corporations. The agency's authority to impose civil penalties in data privacy cases remains constrained by existing law, a gap that has prompted renewed calls in Congress for comprehensive federal privacy legislation. GM issued a statement saying it had already made changes to its data practices and would cooperate fully with the settlement's requirements.
The case follows a series of FTC actions targeting connected vehicle data practices. The agency has previously investigated Ford, Toyota, and several telematics companies over similar concerns about the collection and sale of driver data without adequate disclosure.
Why Americans Should Care
More than 16 million GM vehicles on US roads are equipped with OnStar connectivity, making this settlement directly relevant to drivers in every state. For consumers in states with active auto insurance markets (including California, Texas, Florida, and New York, which together account for nearly 40% of US auto insurance premiums), the revelation that driving data was being sold to insurers without clear consent has immediate financial implications. Drivers who experienced unexplained premium increases since 2023 may have been affected by data shared through OnStar's program. The settlement also has implications for state-level privacy legislation: California's Consumer Privacy Act and Virginia's Consumer Data Protection Act both include provisions covering connected vehicle data, and state attorneys general in both states have indicated they are reviewing the FTC's findings for potential parallel enforcement actions. For car buyers across the Midwest and South, where GM vehicles are particularly popular, the case raises fundamental questions about what data their vehicles collect and who has access to it.
Why It Matters
The GM-OnStar case represents a pivotal moment in the regulation of connected vehicle data, a market that is growing rapidly as cars become increasingly sophisticated data collection platforms. Modern vehicles can generate up to 25 gigabytes of data per hour, covering everything from location and speed to driver biometrics and in-cabin audio. The insurance industry's appetite for this data is substantial: telematics-based insurance programs, which adjust premiums based on driving behavior, are projected to cover 30% of US auto insurance policies by 2028. The FTC's action signals that the agency views the sale of this data without meaningful consent as a deceptive trade practice, a legal theory that could extend to other automakers and technology companies operating in the connected vehicle space. Internationally, the European Union's approach offers a contrast: the GDPR requires explicit, informed consent before any personal data can be processed for commercial purposes, a standard that would have prohibited GM's practices outright. The US lacks an equivalent federal standard, leaving consumers dependent on a patchwork of state laws and FTC enforcement actions.
What's Next
The FTC settlement must be approved by a federal court before taking effect. Consumer advocacy groups are urging Congress to pass comprehensive federal privacy legislation that would give the FTC explicit authority to impose civil penalties for data privacy violations. Several bipartisan bills are pending in the Senate Commerce Committee, including the American Privacy Rights Act, which would establish a national standard for data collection and consumer consent. GM's compliance with the settlement will be monitored by an independent auditor appointed by the FTC.
Sources: About Lawsuits; Federal Trade Commission; Global Policy Watch



