FTC Finalizes Enforcement Action Against GM Over Driver Data Sharing
The Federal Trade Commission has officially finalized its enforcement order against General Motors and subsidiary OnStar, imposing significant restrictions on how the automaker collects, uses, and shares customer vehicle data. The landmark settlement concludes one of the most consequential privacy violations in the automotive industry and establishes new standards for connected vehicle data practices.
The Data Sharing Scandal
Nearly two years ago, investigative reporting revealed that General Motors’ OnStar “Smart Driver” program collected and sold detailed geolocation and driving behavior data to third parties, including data brokers LexisNexis and Verisk. These brokers then sold the information to insurance providers, which used the data to increase rates for some drivers—sometimes dramatically. One Chevy Bolt owner reported seeing his insurance rates spike by 21 percent based on data he never knew was being shared.
The Smart Driver program tracked driving behaviors including precise location, hard braking, acceleration, speed, and even seatbelt use. Customers were not adequately informed that their data would be collected and sold to third parties, with the FTC alleging that GM used a misleading enrollment process to obtain consent.
Terms of the Settlement
The finalized order imposes a five-year ban on GM from disclosing consumers’ geolocation and driver behavior data to consumer reporting agencies. The enforcement action lasts 20 years total and includes several key requirements:
- GM must obtain explicit written consent from consumers before collecting, using, or sharing connected vehicle data
- The company must provide consumers with a straightforward way to request copies of their data and seek its deletion
- Consumers gain the ability to disable the collection of precise geolocation data entirely
- GM must offer opt-out mechanisms for geolocation and driver behavior data collection, with limited exceptions
The consent process occurs at the dealership when a consumer purchases a vehicle. The FTC noted that GM may still share location data with emergency responders and use it internally for research and development.
GM’s Response and Actions
GM discontinued the Smart Driver program entirely in April 2024, before the settlement was finalized. The company unenrolled all customers and ended third-party relationships with LexisNexis and Verisk.
In a statement, GM said it “remains committed to protecting customer privacy, maintaining trust, and ensuring customers have a clear understanding of our practices”. The automaker also indicated it has begun overhauling its data collection policies, consolidating privacy statements and expanding programs that allow customers to access and delete personal information.
Broader Implications
The settlement represents the FTC’s characterization of GM’s conduct as an “egregious betrayal of consumers’ trust” and signals increased regulatory focus on automotive data practices. GM also faced separate enforcement actions from state attorneys general, including Texas and Nebraska. Notably, GM did not face a monetary penalty as part of the federal settlement.
The enforcement action underscores growing concerns about how connected vehicles—increasingly integral to modern driving experiences—handle consumer privacy and highlights the importance of transparency in the age of automotive connectivity.