The Federal Trade Commission has approved a final order restricting General Motors and its OnStar telematics unit from sharing certain connected-vehicle data with consumer reporting agencies and requiring explicit, opt-in consent from drivers before collecting, using, or disclosing their information. The order caps a high-profile case that put the auto industry’s data practices under a microscope and signals a tougher federal stance on how carmakers monetize driving and location data.
What the settlement requires of GM and OnStar data use
Under the order, GM is barred from funneling specified consumer data derived from its connected vehicles to entities that compile consumer reports, and it must obtain clear, affirmative consent before any collection, use, or sharing of connected-vehicle information. GM must also give U.S. customers a straightforward way to access and delete their data, and provide a control to disable precise geolocation collection from their vehicles.
- What the settlement requires of GM and OnStar data use
- How we got here: the probe into GM’s OnStar data
- Why it matters for insurance and telematics
- Exceptions and de-identification under the FTC order
- The regulatory landscape for auto data is tightening
- What drivers can do now to manage connected-car data
Crucially, the consent process has to happen in plain language at the point of activation, typically at the dealership when a vehicle’s VIN is linked to an OnStar account. That’s a notable shift from the opaque, bundled enrollments that regulators say left many drivers unaware of how their data could travel downstream.
How we got here: the probe into GM’s OnStar data
The case gained momentum after reporting revealed that GM’s OnStar Smart Driver feature collected detailed metrics — such as hard braking, rapid acceleration, speed patterns, time of day, and seat belt usage — and routed that information to third-party data brokers, including LexisNexis and Verisk. Insurers could then incorporate those datasets into pricing decisions, affecting premiums for some drivers without their full understanding of the pipeline.
GM ended the Smart Driver program in 2024, unenrolled participants, and said it cut ties with the two data brokers named in the probe. The company also began consolidating its U.S. privacy disclosures, expanding self-service tools for data access and deletion, and revisiting consent flows. In a statement, GM emphasized that connectivity is central to modern vehicles and reiterated its commitment to transparency and customer trust.
Why it matters for insurance and telematics
The decision targets a key branch of the telematics ecosystem: the conversion of raw driving and location signals into inputs for consumer reports used by insurers and other financial institutions. When automakers channel vehicle-sourced data into those systems, they can trigger obligations under the Fair Credit Reporting Act and invite scrutiny under the FTC Act. The order will likely force a reset in how automakers, data brokers, and insurers strike data-sharing partnerships, favoring explicit, auditable consent over implied participation.
This is not happening in a vacuum. Independent research has repeatedly flagged auto privacy as a weak spot. The Mozilla Foundation’s “Privacy Not Included” review of car brands found widespread collection practices and reported that a large majority of manufacturers share or sell personal data, with many allowing law enforcement access without a court order. Against that backdrop, the FTC’s action narrows the lanes for monetizing in-car data without clear permission.
Exceptions and de-identification under the FTC order
The order allows limited exceptions. GM can share precise location data with emergency responders and use vehicle data for its own research and development. The company says it may share de-identified datasets with select partners for projects like road safety and urban planning — a practice that has included collaborations with academic institutions such as the University of Michigan.
But de-identification isn’t a free pass. Regulators increasingly expect rigorous techniques that prevent re-linking to individuals or vehicles, along with governance to keep datasets from drifting back toward identifiability. Expect stronger documentation, technical safeguards, and third-party oversight to become standard in automaker data programs.
The regulatory landscape for auto data is tightening
The case aligns with a broader enforcement pattern. The FTC has pursued companies across sectors for undisclosed sharing of sensitive information, while state regulators are stepping up too. The California Privacy Protection Agency has already launched an enforcement sweep focused on connected vehicle data, and multiple state privacy laws classify precise geolocation as sensitive information that typically requires opt-in consent.
For automakers, the message is clear: dark patterns and vague disclosures are liabilities, not growth hacks. For data brokers and insurers, the pipeline from on-road telemetry to underwriting models now carries greater legal risk unless consent is unambiguous and traceable.
What drivers can do now to manage connected-car data
Owners of GM vehicles should review their OnStar account settings, toggle off precise location if they do not want it collected, and submit data access or deletion requests if desired. At purchase or service visits, scrutinize any consent screens or dealership paperwork tied to connected services. Small choices — a checkbox, a tap, an enrollment in a “driver score” feature — can have meaningful consequences for where your data goes and who uses it.
The settlement closes a contentious chapter for GM, but it is likely the opening move in a larger rewrite of connected-car data rules. Consent is becoming the currency of the road — and every player in the auto-data economy will need to earn it.
