The US Federal Trade Commission (FTC) is acting against General Motors (GM) and its subsidiary OnStar for illegally collecting and selling drivers’ geolocation and driving behaviour data from millions of vehicles. The automotive giant has been barred from sharing sensitive driver data for five years while also improving data handling transparency and giving users more control over their data.
Additionally, GM must obtain mandatory consumer consent before collecting or selling any data and delete any data retained unless consumers opt-in and choose to retain their data in the system. Customers are also provided with an easy way to access and delete their data, with a simple method to disable in-vehicle tracking and any other data collection in their vehicle.
The FTC has found multiple violations between GM and OnStar, which provides in-car services like navigation, communications, and remote diagnostics. According to the FTC, GM collects geolocation data every three seconds, in addition to driving data, such as braking patterns and speed, from millions of its vehicles around the US without obtaining express consent from the drivers.
This data was then sold to consumer reporting agencies like Verisk, Jacobs Engineering, and Lexis Nexis, whose reports subsequently influenced insurance rates and, in some cases, even led to outright denial of insurance coverage.

GM misled customers into believing that OnStar’s “Smart Driver” feature was a driving habit self-assessment tool instead of the data collection program it was. GM’s privacy statements were also found to be vague and inadequate when it came to informing users that their data was being collected and sold to third parties.
The automotive giant has been instructed to limit data collection to only what is deemed necessary for essential vehicle services and has to improve transparency with clear disclosures about the data collected and its usage.
No monetary fine has been announced at the time of writing, but the FTC has suggested civil penalties of up to $51,744 per violation. The two companies have 180 days to comply with these changes or face legal action and, most likely, heavy fines. GM has since issued a notice announcing that it has reached a settlement with the FTC and has discontinued its Smart Driver program.
GM isn’t the only company in hot water for selling customer data to jack up insurance premiums either. Texas Attorney General Ken Paxton is suing insurance giant Allstate and its subsidiary Arity for unlawfully collecting, using, and selling location data of Texan users via secret software embedded in mobile apps, such as Life360. According to Attorney General Paxton, the companies did not give users prior notice or obtain their consent before collecting and using said data, violating Texas’ new Data Privacy and Security Act (TDPSA).
In the News: Flaw in ChatGPT API sparks potential DDoS vulnerability