The US Federal Trade Commission (FTC) has finalized a settlement with General Motors and its OnStar division over allegations that the automaker deceptively collected and sold sensitive driving and geolocation data from millions of American consumers without proper notice or consent.
The enforcement action stems from a complaint initially announced in January 2025, in which the FTC alleged that General Motors (GM), General Motors Holdings, and OnStar LLC used a misleading onboarding process to enroll customers into its “Smart Driver” program, part of the OnStar connected vehicle service. According to the complaint, consumers were inadequately informed that opting into the feature would authorize the collection of precise geolocation and behavioral driving data, such as hard braking, late-night driving, and speed threshold crossings.
Crucially, the FTC found that this data was then shared with third parties, including data brokers and insurance companies, without obtaining consumers’ “affirmative express consent,” a clear, informed opt-in as defined under FTC rules.
OnStar, a wholly owned subsidiary of GM, operates as the company's telematics and connected services platform. It is embedded in millions of vehicles under the Chevrolet, Buick, GMC, and Cadillac brands. The Smart Driver program, designed to monitor and report on driving habits, was marketed as a tool for improving safety and vehicle performance, but the FTC concluded that it instead facilitated the covert monetization of consumers’ location and driving behavior.
These practices, the Commission noted, were particularly egregious given GM’s scale and reach, as the OnStar system is included by default in many GM vehicles and is widely marketed across the United States.
In a statement following the FTC’s final approval of the settlement, GM emphasized its commitment to customer privacy. “The Federal Trade Commission has formally approved the agreement reached last year with General Motors to address concerns. As vehicle connectivity becomes increasingly integral to the driving experience, GM remains committed to protecting customer privacy, maintaining trust, and ensuring customers have a clear understanding of our practices,” said Charlotte McCoy, Corporate Communications Manager for GM.
Settlement terms
Under the final order, GM faces a series of strict penalties and compliance requirements. Notably:
- GM is prohibited from disclosing geolocation or driver behavior data to credit or insurance entities acting as consumer reporting agencies for the next five years.
- GM must now obtain clear, affirmative opt-in consent before collecting, using, or sharing covered driver data, which includes precise location information and driving behavior metrics.
- The automaker is required to establish and publish data retention schedules, collect only what is necessary, and delete previously collected data unless explicitly consented to by the consumer post-July 2024.
- Users must be able to request copies of their data and ask for it to be deleted.
- A mechanism must be provided for disabling location tracking in vehicles equipped with the necessary technology.
- Consumers declining to enroll in OnStar must be allowed to disable all remote data collection from their vehicles.
- GM must instruct all third parties who previously received data to delete it and may not share data with them again until those parties confirm compliance.
The FTC’s decision described GM’s conduct as a betrayal of consumer trust, citing the misleading design of consent flows and lack of transparency. The Commission also introduced detailed definitions in the order for “affirmative express consent” and “clear and conspicuous disclosure,” signaling a broader effort to codify expectations for data practices in the automotive and IoT sectors.
Leave a Reply