FTC Draws a Hard Line on Connected Car Data in GM & OnStar Settlement

Key Takeaways

• Connected Car Data Crossed a Line: The FTC found that GM and OnStar collected and sold precise location and driving behavior data without clearly telling consumers what was happening or securing affirmative consent.
• Misleading Sign-Ups Were Central: Regulators took issue with how drivers were enrolled into OnStar and the Smart Driver feature, saying the process failed to adequately explain data collection and downstream sharing.
• Data Sharing Freeze with Credit Agencies: GM is barred for five years from sharing geolocation and driver behavior data with consumer reporting agencies, reflecting the FTC’s concern about how sensitive this data can be used.
• Twenty Years of Consumer Control: For the life of the order, GM must give consumers meaningful transparency, access, opt-outs, and the ability to limit or disable location tracking where technology allows.

Deep Dive

The Federal Trade Commission has finalized a far-reaching settlement with General Motors and its connected-vehicle subsidiary OnStar, closing a case that puts the fast-growing connected car economy squarely in the regulator’s sights.

At the heart of the FTC’s action is how GM handled precise geolocation and driving behavior data generated by millions of vehicles. According to the Commission, consumers were not adequately told what data was being collected, how it would be used, or that it could be sold to third parties. In some cases, the FTC said, consumers were enrolled through a misleading sign-up process that failed to secure meaningful consent.

The final order sharply curtails how GM can collect, use, and share connected-vehicle data going forward and locks in compliance obligations that will last for decades.

The FTC first laid out its allegations in January 2025, accusing GM of failing to clearly disclose that the Smart Driver feature collected sensitive location and driving data and that this information could be sold to third parties. The agency also said GM did not obtain affirmative express consent before doing so.

In finalizing the order, the Commission framed the conduct as a serious breakdown of trust, noting that location and driving behavior data can reveal highly sensitive details about consumers’ lives.

What GM Must Do Now

The settlement goes well beyond a one-time penalty or disclosure fix. For the next 20 years, GM must obtain affirmative express consent before collecting, using, or sharing connected-vehicle data, including when sharing with consumer reporting agencies. Narrow exceptions apply, such as providing location data to emergency first responders.

GM must also give U.S. consumers the ability to request a copy of their data and ask for its deletion. Where the vehicle technology allows, drivers must be able to disable the collection of precise geolocation data. Consumers must also be offered clear opt-out options for the collection of geolocation and driving behavior data, again with limited exceptions.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.