Iowa has joined a growing list of states drawing a hard line against automakers that collect and sell driver data without meaningful consent. On March 2026, Iowa Attorney General Brenna Bird filed a lawsuit in Polk County District Court against General Motors LLC and its connected services subsidiary OnStar LLC, alleging the companies engaged in deceptive business practices that violated the Iowa Consumer Fraud Act. The suit follows similar actions in Texas and Arkansas, and lands just days after Ford Motor Company settled its own connected-vehicle privacy case with California regulators. Together, these enforcement actions paint a clear picture: state privacy enforcers across the political spectrum are treating vehicle data as a serious consumer rights issue, and they are not waiting for Congress to act.
GM’s Data Privacy Violation According to Iowa
According to the Iowa AG’s complaint, General Motors has been installing telematics systems in its vehicles since 2015 that tracked a wide array of driver behavior data, including speed, seatbelt usage, driving habits, and location. That data was then sold to third-party data brokers, who turned around and sold it to insurance companies. Those insurers allegedly used the information to raise premiums, deny coverage, or cancel policies entirely, all without drivers ever knowing their vehicle was feeding a data pipeline that would be used against them at renewal time.
The specific program at issue is GM’s Smart Driver, part of the OnStar connected services platform. Attorney General Bird’s complaint alleges that GM deceived consumers at the point of purchase by misrepresenting what OnStar enrollment actually involved. Customers were led to believe connected services were necessary for basic safety features, never being told that clicking through the onboarding process meant agreeing to have their driving data monetized.
“Iowans deserve to know who is collecting, using, and selling their data and why,” Bird said in a public statement. “GM was not honest with Iowans who were spending hard-earned money to buy a dependable vehicle, and they did it to make more money. That is wrong, and our office is holding them accountable.”
The lawsuit seeks restitution for affected Iowa drivers, civil penalties, and a court order blocking GM and OnStar from continuing the alleged practices in the state. Iowa is also asking the court to require GM to destroy any remaining personal data collected through the program.
GM’s response has been brief. A company spokesperson said the automaker is “reviewing the complaint” and is “committed to protecting consumers’ privacy,” adding that the lawsuit concerns the Smart Driver program, which GM discontinued in 2024.
That discontinuation, however, did not resolve the underlying legal exposure. The Federal Trade Commission had already been building a case. In 2025 the FTC released a draft complaint against GM for alleged federal violations tied to OnStar Smart Driver. In January 2026, the FTC finalized a consent order imposing a five-year ban on GM disclosing customers’ geolocation and driver behavior data to consumer reporting agencies. Iowa AG Bird filed her state lawsuit shortly after that federal order landed.
Texas Got Here First: The 2024 GM Lawsuit That Started the Wave
Iowa’s action follows closely in the footsteps of Texas, which became one of the first states to sue GM over the same data practices back in August 2024. Then-Attorney General Ken Paxton filed suit in Montgomery County District Court, alleging that General Motors had collected the private data of more than 1.8 million Texas drivers and sold it to insurers without their knowledge or consent, in violation of Texas consumer protection law.
The Texas complaint alleged that GM tracked 36 categories of driving data from vehicles equipped with OnStar and its associated apps, including current speed, hard braking events, distance driven, and seatbelt status for both driver and passengers. That data was sold to companies including LexisNexis Risk Solutions and Verisk Analytics, which used it to generate individual “Driving Scores.” Insurers with licenses to that data could then use the scores to justify rate increases, coverage changes, or outright policy cancellations.
Paxton described the scheme in stark terms: “Millions of American drivers wanted to buy a car, not a comprehensive surveillance system that unlawfully records information about every drive they take and sells their data to any company willing to pay for it.”
The Texas complaint also alleged that GM profited significantly from the arrangement, earning lump-sum payments, royalty payments tied to telematics exchange licenses, and annual guaranteed payments tied to the volume of newly sold vehicles whose data entered the pipeline. It was, according to the complaint, a meaningful revenue stream, not an incidental side effect of connected services.
The Texas case hit a procedural complication in 2025 when a bankruptcy court ordered the state to strike certain allegations, ruling that GM’s 2009 bankruptcy sale order protected the new company from successor liability claims tied to practices predating the reorganization. That ruling narrowed the Texas case but did not end it, and it has no direct bearing on the Iowa litigation, which focuses on conduct that postdates the bankruptcy period.
Arkansas Joined In: A 2025 Action with Similar Allegations
Arkansas Attorney General Tim Griffin filed his own lawsuit against General Motors and OnStar on February 26, 2025, making Arkansas one of the most recent states before Iowa to pursue the matter in court. The Arkansas complaint relied on the state’s Deceptive Trade Practices Act and made largely parallel allegations: that GM used misleading techniques to enroll customers in its telematics program, collected detailed driving data without informed consent, and sold that data to insurers in ways that financially harmed consumers.
The Arkansas complaint went further than some others in documenting the sheer volume of disclosures GM presented to customers, noting that the company buries its data practices inside a 29-page user terms document and an 18-page privacy statement, with additional cross-references to the terms and privacy statements of third-party OnStar service partners. The AG argued that this approach effectively obscured the real nature of the data sale program while technically providing disclosure.
The Arkansas action also alleged GM failed to uphold its own stated commitments under the Consumer Privacy Protection Principles of the Alliance for Automotive Innovation, an industry group whose members GM belongs to. Those principles call for clear, meaningful, and prominent disclosure of data collection and sharing practices. The complaint argued GM’s onboarding process fell well short of that standard.
California Takes a Different Angle: Ford Settles Over Opt-Out Friction
While Iowa, Texas, and Arkansas have targeted GM over what amounts to covert data monetization, California’s privacy enforcement arm, the California Privacy Protection Agency known as CalPrivacy, took a distinct but equally instructive approach when it went after Ford Motor Company.
On March 5, 2026, just days before Iowa’s GM lawsuit drew national attention, CalPrivacy announced that its Board had approved a Stipulated Final Order requiring Ford to pay a $375,703 fine and overhaul its consumer opt-out process. The investigation was part of a broader CalPrivacy sweep of connected vehicle manufacturers examining compliance with the California Consumer Privacy Act.
Ford’s violation was deceptively simple. Under the CCPA, consumers have a right to opt out of the sale and sharing of their personal information, and businesses are prohibited from requiring identity verification before honoring that request. Ford had built an online privacy rights form that allowed California consumers to submit opt-out requests. The problem arose after submission. Ford required consumers to confirm their email address before it would process the request. Any request submitted without completing that email verification step was simply not acted upon.
The agency found this constituted “unnecessary friction” in the opt-out process, a violation of CCPA regulations. Between July 2023 and March 2024, the period covered by the investigation, Ford improperly ignored opt-out requests that failed the verification step. As part of the settlement, Ford was required to go back and process all of those previously ignored requests retroactively, pay the fine, audit the tracking technologies deployed on its website, and commit to honoring opt-out preference signals including the Global Privacy Control.
Notably, Ford neither admitted nor denied the factual findings, which is standard in CalPrivacy settlements. The agency’s investigation also noted that Ford appeared not to have intended to create an illegal verification barrier, suggesting the violation arose from misconfigured compliance tooling rather than deliberate policy. CalPrivacy made clear that intent is irrelevant. The practice itself was the violation.
The Ford case was CalPrivacy’s second enforcement action from its connected vehicle sweep. The first targeted American Honda Motor Company, which was required to pay a $632,500 fine for its own CCPA violations. A third-party privacy compliance attorney noted publicly that the Ford case reemphasizes a point businesses frequently get wrong: the CCPA treats opt-outs differently from other consumer rights requests. Deletion and data access requests may require identity verification. Opt-outs may not.
Two Very Different Theories of Privacy Harm, One Common Thread
What makes this cluster of enforcement actions worth examining together is that they represent two distinct legal theories operating in the same industry at the same time.
The GM lawsuits in Iowa, Texas, and Arkansas are fundamentally about covert data monetization. In those cases, the allegation is that automakers built a system designed to collect intimate behavioral data from drivers and sell it to third parties for profit, while actively obscuring or misrepresenting what consumers were agreeing to when they enrolled in connected services. The harm to consumers was real and financial: higher insurance premiums, denied coverage, or canceled policies based on data they did not know they had provided.
The Ford case in California is about procedural rights interference. California did not allege that Ford sold driver data covertly or used deceptive enrollment tactics. The violation was narrower: Ford made it harder than the law permits for consumers to exercise a right they already had. The harm was the denial of a statutory right, not a tangible financial injury attributable to insurance decisions.
Both theories are legally significant. The GM cases, if successful, could establish that consumer protection statutes without comprehensive data privacy codes can still reach systematic data monetization practices that are deliberately obscured from consumers at the point of enrollment. The Ford case establishes that even technically compliant data collection practices can generate serious liability if the company’s opt-out infrastructure creates friction that the law specifically prohibits.
What These Cases Mean for Every Connected Vehicle Owner
The average new vehicle sold in the United States today is equipped with systems capable of generating and transmitting telematics data on virtually every aspect of how, when, and where it is driven. Most consumers who purchase connected vehicles have little practical understanding of what data their car collects, who it is shared with, or how it may be used by third parties including insurance companies.
The enforcement actions described in this article suggest that state regulators are increasingly willing to step into that information gap. A few key takeaways for consumers and businesses are worth highlighting:
- Your car may be feeding your insurance company data without your knowledge. If you drive a GM vehicle manufactured after 2015 and enrolled in OnStar or Smart Driver at any point, your driving data may have been shared with insurers. If you believe this data contributed to a rate increase or coverage action, you may be eligible for restitution under the Iowa, Texas, or Arkansas lawsuits depending on your state of residence.
- Opt-out rights are meaningless if the opt-out process is broken. The Ford case demonstrates that technically providing a privacy rights form does not satisfy the law if the process for actually exercising those rights is obstructed. California consumers who submitted Ford opt-out requests between July 2023 and March 2024 and had them ignored are entitled to retroactive processing under the settlement terms.
- Lengthy privacy disclosures are not informed consent. Both the Iowa and Arkansas complaints specifically criticize GM for burying its data practices in lengthy, cross-referenced disclosure documents that no reasonable consumer reads in full during a vehicle purchase. Courts and regulators are increasingly skeptical of the argument that checkbox consent buried in 29-page terms satisfies meaningful disclosure obligations.
- The FTC and state AGs are coordinating. Iowa’s lawsuit came directly on the heels of the FTC’s January 2026 consent order against GM, and the timing was not accidental. State attorneys general are leveraging federal enforcement as a foundation for parallel state actions, allowing them to seek consumer restitution and civil penalties that federal orders may not include.
- This is not a partisan issue. Iowa’s Brenna Bird is a Republican. Texas’s Ken Paxton is a Republican. California’s CalPrivacy is a state agency created under Democratic leadership. All of them are pursuing the auto industry on privacy grounds. Vehicle data privacy enforcement has emerged as one of the few genuinely bipartisan consumer protection priorities at the state level.
A Pattern That Will Keep Growing
The connected vehicle privacy enforcement wave shows no sign of slowing. CalPrivacy has explicitly described its connected vehicle sweep as ongoing, with additional manufacturers under investigation. The FTC’s January 2026 order against GM came with a strong signal that the agency views connected vehicle data practices as a systemic industry problem, not an isolated one. And state attorneys general who have secured high-profile settlements in the tech sector, including Texas’s landmark $1.4 billion settlement with Meta over biometric data collection, have demonstrated both the political appetite and the legal infrastructure to pursue these cases aggressively.
For automakers, the message emerging from courts and regulators in 2025 and 2026 is that the connected vehicle data monetization model, as it was practiced during the peak OnStar Smart Driver era, is no longer viable without meaningful transparency and genuine consumer consent. The question is whether the industry will get ahead of that reality voluntarily or wait to be dragged there through successive enforcement actions in every state that has a consumer protection statute and an attorney general looking to make a point.
Iowa’s lawsuit against GM is the latest chapter in that story. It will not be the last.
To avoid future and expensive privacy lawsuits use Captain Compliance’s software.
