The U.S. Federal Trade Commission has finalized an order with General Motors (GM) and its subsidiary, OnStar, settling charges that they collected and sold the location and driving data of millions of drivers without consent.
General Motors owns the GMC, Cadillac, Chevrolet, and Buick brands and produces over 6.1 million vehicles each year. OnStar, GM’s subsidiary, provides digital in-car services such as navigation, communications, security, emergency services, and remote diagnostics.
As the FTC claimed in its January 2025 complaint, GM collected precise geolocation data and detailed driving behavior information from millions of vehicles (without customers’ consent) every three seconds through OnStar’s now-discontinued “Smart Driver” feature, which was marketed as a driving-habits self-assessment tool rather than a data-collection mechanism.
This data was then sold to third parties, including consumer reporting agencies, which then provided it to insurance companies, leading to higher insurance rates or denial of coverage.
The finalized order approved by the commission bans GM from sharing consumers’ geolocation and driver behavior data with consumer reporting agencies for five years.
Also, for the full 20-year duration of the order, GM must obtain express consent from consumers before collecting their data, using or sharing their connected vehicle data, with exceptions for emergency services.
The company must allow U.S. consumers to request copies of their data and seek its deletion, provide vehicle owners the ability to disable precise geolocation data collection, and enable them to opt out of location and driving behavior data collection (with some limited exceptions).
“This fencing-in relief is appropriate given GM’s egregious betrayal of consumers’ trust,” the FTC said on Wednesday.
“The Federal Trade Commission has formally approved the agreement reached last year with General Motors to address concerns,” a GM spokesperson told BleepingComputer, noting that “it’s important to note there is no monetary payment.”
“As vehicle connectivity becomes increasingly integral to the driving experience, GM remains committed to protecting customer privacy, maintaining trust, and ensuring customers have a clear understanding of our practices.”
One year ago, in January 2025, Texas Attorney General Ken Paxton also filed a lawsuit against car insurance firm Allstate for unlawfully collecting and selling driving data from over 45 million Americans.
The tracking activity was carried out by adding an SDK developed by Allstate subsidiary Arity to popular apps such as Life360, GasBuddy, Fuel Rewards, and Routely, without drivers’ consent.
The lawsuit also involves several car makers, including Toyota, Lexus, Mazda, Chrysler, Jeep, Dodge, Fiat, Maserati, and Ram, who also allegedly collected and sold data directly to Allstate and Arity.
Update January 15, 10:19 EST: Added GM statement.
It’s budget season! Over 300 CISOs and security leaders have shared how they’re planning, spending, and prioritizing for the year ahead. This report compiles their insights, allowing readers to benchmark strategies, identify emerging trends, and compare their priorities as they head into 2026.
Learn how top leaders are turning investment into measurable impact.
