Montana Attorney General Austin Knudsen has launched a new investigation into two major automotive manufacturers, Ford Motor Company and Stellantis N.V., over allegations that personal driving data may have been collected and sold to third parties without consumers fully understanding what was happening. For anyone following the growing fight over data privacy, connected vehicles, and insurance-related profiling, the announcement is another sign that state officials are beginning to treat vehicle data as a serious consumer protection issue rather than a buried terms-and-conditions matter.
According to the Montana Department of Justice, the investigation is being pursued under Montana’s Consumer Protection Act. The state says recent reporting raised concerns that driving data generated through connected vehicle systems may have been shared with outside entities, including data and insurance companies such as LexisNexis and Verisk Analytics. The Attorney General’s office issued Civil Investigative Demands to Ford and Stellantis and gave the companies one month to respond.
Why This Investigation Matters
Modern vehicles are no longer just machines with engines, tires, and steel. They are rolling software platforms. Many collect location information, driver behavior data, vehicle diagnostics, app-linked data, and other telematics information through built-in connected services. That data can be extremely valuable. It can be used for product development, customer support, safety features, subscription services, and roadside assistance. It can also be monetized.
That is where the legal and ethical questions begin. If a vehicle owner does not clearly understand what is being collected, how long it is retained, where it goes, and whether it is being licensed, sold, or shared with third parties, then the issue shifts from convenience to consent. State enforcers increasingly appear to be asking a direct question: did the consumer actually agree in any meaningful way, or was the data extraction hidden behind confusing enrollment flows and dense privacy language?
The Core Allegation
The Montana Attorney General’s announcement is framed around a straightforward but powerful theory. If vehicle owners were unaware that their driving data was being collected and sold to third parties without their consent, that practice may amount to a deceptive business practice and a violation of state law. The state is specifically demanding information about products, services, and platforms that collect driving data, personal information, and vehicle data for sale, licensing, or sharing with third-party recipients.
That focus is notable because it goes beyond the narrow question of whether data was collected. It goes to the entire commercialization chain. What was captured. How was it categorized. Who received it. For what purpose. Was it tied back to an individual driver or vehicle identification number. Was it used in underwriting, scoring, or insurance-related decision-making. Those are the kinds of details that can turn a privacy controversy into a consumer protection case with real legal exposure.
A Larger National Trend in Auto Privacy Enforcement
Montana’s move does not exist in a vacuum. It lands in the middle of a broader national reckoning over connected-car surveillance and the sale of sensitive driving data. Federal regulators have already taken action in the sector. In early 2025, the Federal Trade Commission announced action against General Motors and OnStar, alleging that they collected and sold drivers’ precise geolocation and driving behavior data without adequately notifying consumers and obtaining their consent. In January 2026, the FTC finalized that order.
That matters because it gives state investigators a roadmap. Once regulators show that driving data can be treated as a privacy and deception issue, other attorneys general have a blueprint for their own inquiries. The theory is simple enough for the public to understand. Drivers should not have to discover months later that a behavioral profile of their trips, braking habits, speed patterns, and nighttime driving history may have been feeding third-party scoring or insurance systems.
What Makes Vehicle Data So Sensitive
Some companies still behave as though telematics data is just another analytics stream. It is not. Vehicle data can reveal where a person lives, where they work, when they travel, whether they take regular medical visits, whether they attend religious services, what neighborhoods they drive through, and how they behave on the road. Even when a company claims the data is pseudonymized or operational in nature, the real-world sensitivity remains high.
In privacy terms, driving data sits close to the line between personal information and behavioral surveillance. When paired with account data, VIN-linked records, app credentials, or other persistent identifiers, it can become remarkably specific. When shared downstream with data brokers, consumer reporting agencies, or insurance analytics firms, the risks multiply. Suddenly, the question is no longer just whether the automaker knows how you drive. It becomes whether outside companies are building profiles from that information in ways that affect pricing, eligibility, or risk scoring.
The Consent Problem
One of the hardest issues in connected-device privacy is that consumers often do not experience “consent” as a real choice. They are buying a car, setting up a dashboard, activating remote services, or enrolling in a feature that sounds related to safety, maintenance, or convenience. They are not expecting to participate in an opaque data marketplace.
If key disclosures were buried, bundled, or framed in ways that made the commercial use of driving data difficult to understand, regulators are increasingly willing to call that deceptive. The FTC’s prior action in the GM matter turned heavily on this issue. That makes consent architecture a central risk point for any automaker operating connected services. A checkbox, app click, or feature enrollment flow is not likely to protect a company if the consumer never meaningfully understood that their data could later be sold or shared in ways that affect insurance outcomes or other third-party uses.
Why Ford and Stellantis Are Under Scrutiny
The Montana announcement identifies Ford and Stellantis as the targets of the current inquiry. The state has not yet published a final enforcement complaint, and an investigation is not a final adjudication. Still, the signal is clear. State officials are looking closely at whether connected-car ecosystems have crossed the line from product functionality into undisclosed consumer data monetization.
For Ford and Stellantis, the legal risk is not only about what their platforms may have technically enabled. It is also about governance. What did internal teams know about downstream recipients. What contractual controls existed. What was disclosed to users. How were privacy choices presented. Did the companies audit vendor use. Did they distinguish between operational sharing and commercial sale. Those questions often determine whether a privacy matter remains a public relations problem or becomes a formal enforcement action.
The Insurance Angle
One reason these stories resonate so strongly is that they connect personal data to a real economic consequence. Consumers may tolerate a surprising amount of data collection until they believe it affects what they pay. Once driving behavior data enters the insurance ecosystem, the stakes become immediate. A driver may reasonably ask whether higher premiums, lower discounts, or adverse insurance assumptions were influenced by information they never knowingly agreed to share.
That concern has helped transform connected-vehicle privacy from a niche compliance issue into a mainstream consumer issue. It is one thing to say a car company gathers diagnostics or service data. It is another to suggest that a person’s driving profile may travel to entities that participate in insurance analytics or risk assessment. That possibility creates exactly the kind of consumer harm narrative that state AG offices understand well.
What Companies Should Be Doing Right Now
This investigation should be read as a warning shot far beyond Ford and Stellantis. Any company operating connected products, particularly in transportation, mobility, or insurance-adjacent ecosystems, should assume that opaque data practices are becoming harder to defend. Privacy policies alone will not be enough. Companies need clear data maps, consumer-facing disclosures that people can actually understand, defensible consent records, purpose limitations, vendor oversight, retention rules, and a hard look at whether data “sharing” is in substance a sale.
They should also revisit whether their interfaces create dark-pattern risk. If a user can easily activate a feature but cannot easily understand the downstream commercial uses of their data, that is a problem. If a company presents a connected-service enrollment flow as a safety or convenience enhancement but underplays the monetization component, that is a larger problem. In the current enforcement climate, those design choices can become evidence.
What Comes Next
The immediate next step is the response period. According to Montana’s announcement, Ford and Stellantis have one month to answer the Civil Investigative Demands. That means the near-term story is less about final liability and more about document production, internal review, and regulatory positioning. The companies will likely have to account for what data they collect, how they process it, what disclosures they provide, and which outside recipients have access to it.
Whether this ends in a settlement, a quiet closure, or a larger enforcement action will depend on what the investigation uncovers. But the broader direction is hard to miss. State enforcers are no longer content to treat car companies as traditional manufacturers when those companies are also operating always-on data ecosystems. If an automaker functions like a data company, regulators are increasingly inclined to regulate it like one.
The Bigger Takeaway
Attorney General Knudsen’s investigation is part of a larger shift in American privacy enforcement. The issue is no longer confined to websites, ad tech, and mobile apps. It now extends to the dashboard, the vehicle account, the connected service platform, and the data broker pipelines that sit behind them.
That is why this announcement matters. It is not just about two car companies in one state. It is about the future of consent in connected environments. It is about whether consumers truly control the information generated by the products they use every day. And it is about whether companies that profit from invisible data flows can still rely on disclosure models that few people read and even fewer fully understand.
For automakers, the compliance message is plain. Be clear. Be specific. Be honest about data flows. And if driving data is being turned into a commercial asset, do not assume consumers, regulators, or courts will treat that as business as usual.
