The Federal Trade Commission has finalized a major enforcement order against General Motors and its OnStar subsidiary, prohibiting the company from sharing drivers’ geolocation and behavior data with consumer reporting agencies for five years and imposing strict new consent requirements for the next two decades.
The settlement, announced on January 14, 2026, resolves allegations that GM collected precise geolocation and driving behavior data from millions of connected vehicles and sold it to third parties without clear disclosure or affirmative consumer consent. The FTC charged that GM’s enrollment process for OnStar and its Smart Driver feature was misleading, failing to adequately inform drivers that their data would be shared with data brokers and ultimately used by insurance companies.
Details of the FTC Order
Under the 20-year order, GM must:
- Obtain affirmative express consent before collecting, using, or sharing connected vehicle data (with narrow exceptions for emergency services).
- Provide U.S. consumers a mechanism to request copies of their data and request deletion.
- Allow consumers to disable precise geolocation collection where technically feasible.
- Offer an opt-out for geolocation and driving behavior data collection.
Additionally, GM is banned for five years from disclosing geolocation or driver behavior data to consumer reporting agencies—a direct response to reports that such data was used to generate insurance risk scores.
Texas AG Leads Aggressive State-Level Enforcement
While the FTC action marks a significant federal milestone, Texas Attorney General Ken Paxton has been one of the most proactive state enforcers in addressing connected car data privacy issues.
In August 2024, Paxton sued General Motors and OnStar, alleging the companies illegally collected driving data from over 1.8 million Texas drivers and sold it to data brokers without consent. The lawsuit claims GM’s practices violated the Texas Deceptive Trade Practices Act by misleading consumers about how their data would be used.
Paxton’s office has broadened its scrutiny of the connected car ecosystem. In June 2024, Texas launched investigations into multiple automakers over secret collection and sale of driver data. By early 2025, those probes expanded to include Ford, Hyundai, Toyota, and Fiat Chrysler. In January 2025, Paxton filed the first-ever enforcement action under the Texas Data Privacy and Security Act against Allstate and its subsidiary Arity, accusing them of unlawfully collecting and selling location and movement data from over 45 million trips without proper consent.
Broader Context and Related Developments
The GM case gained national attention following 2024 reporting that revealed automakers were sharing detailed driving data with brokers such as LexisNexis and Verisk, which then packaged it into risk reports for insurers. Drivers subsequently reported unexpected premium increases based on data they never agreed to share.
Other states have followed Texas’s lead. Arkansas and Nebraska have filed similar lawsuits against GM, and consumer class actions have proliferated nationwide. The FTC’s order and ongoing state actions signal heightened regulatory scrutiny of connected vehicle data practices across the automotive and insurance industries.
For compliance professionals, these developments underscore the importance of transparent data collection practices, meaningful consent mechanisms, and robust data minimization strategies—especially as vehicles become increasingly connected and capable of generating sensitive personal information.
