The Federal Trade Commission has finalized a settlement order that bars General Motors from sharing drivers’ location and behavior data for five years and compels sweeping privacy changes that will shape how connected cars handle personal information for decades.
The order arrives after allegations that GM transmitted telematics from vehicles without clear consent, with some data flowing to consumer reporting agencies used by insurers. While the agreement carries no monetary penalty, it imposes long-term obligations and sets a prominent benchmark for the auto industry’s treatment of sensitive mobility data.

What the FTC settlement order requires from GM
For the next five years, GM is prohibited from selling or sharing “covered driver data” such as precise location and driving behavior with third parties. The order is designed to shut down opaque data pipelines that can expose granular insights about an individual’s routines, routes, and driving style.
In addition, GM must implement 20-year safeguards: it has to obtain affirmative express consent before sending vehicle data to consumer reporting agencies; provide straightforward tools for drivers to view, download, and delete data; and offer in-car and account-level controls to disable location sharing. These controls must be easy to find and use, not buried in menus or toggled on by default.
The order allows several limited exceptions. GM can share location data with emergency responders and in response to law enforcement or regulatory proceedings. It may also use information internally to improve safety, services, and technology, and share only deidentified data with third parties for those purposes, subject to strict safeguards.

Why the FTC acted against GM’s handling of driver data
Concern grew after reporting by The New York Times described how drivers enrolled in OnStar services, including Smart Driver, learned that detailed trip-by-trip data had been collected and furnished to consumer reporting agencies such as LexisNexis Risk Solutions. Some consumers said their insurance quotes rose after this data appeared in their reports, even though they did not believe they had clearly opted in.
The FTC concluded GM’s practices failed to secure meaningful consent and left drivers with little visibility into where their information was going. The five-year ban functions as “fencing-in” relief—a tool the agency uses in cases it views as serious breaches of consumer trust—while the 20-year obligations aim to make transparent, revocable consent and data minimization a permanent fixture of GM’s systems.

A signal to the auto industry on consent and data
The decision is a shot across the bow for connected car programs that rely on telemetry to power apps, safety features, and usage-based insurance. It tells automakers that consent cannot be implied by signing up for roadside assistance or infotainment—especially when the data includes precise locations and behavioral scores that can affect financial outcomes.

Independent research has underscored the scope of the problem. A 2023 “Privacy Not Included” review by the Mozilla Foundation found that 84% of car brands it evaluated shared or sold personal data, and over half said they could share information with government or law enforcement upon request. While brands vary in their practices, the overarching trend has been aggressive collection with limited consumer control.
Regulators have taken note beyond this case. The California Privacy Protection Agency has targeted connected vehicles for enforcement, and the FTC has pursued data brokers over sensitive location data. Together, these actions point to a stricter era in which mobility data is treated with the same care as health or financial records.

What GM drivers should do now to protect their data
Owners of connected GM vehicles should review their account settings in the OnStar app and privacy portal, verify whether any telematics or location sharing is active, and disable features they do not want. Under the FTC order, drivers will be able to request copies of their data and ask for deletion, and they should expect clearer consent screens before any sharing with consumer reporting agencies occurs.
Consumers can also check their files with major consumer reporting agencies, including LexisNexis Risk Solutions, to see if telematics data is present and dispute inaccuracies. If pursuing usage-based insurance, consider smartphone-based programs that require explicit enrollment and provide transparent scoring, rather than vehicle-default sharing.

GM’s position on the order and the automaker’s next steps
GM says it supports the agreement and emphasizes its commitment to privacy and transparency as vehicle connectivity expands. While the final order does not levy a fine, violating it could trigger significant civil penalties. The practical work now shifts to engineering: redesigning consent flows, building robust access and deletion pathways, and ensuring any research or safety analytics rely on rigorously deidentified data.
The bottom line is clear: the era of silently siphoning driver data is ending. Automakers that want the benefits of connected services will have to earn trust on the front end—and defend it with ongoing, verifiable privacy controls.
