The U.S. Federal Trade Commission has finalized an order with General Motors (GM) and its subsidiary, OnStar, settling charges that they collected and sold the location and driving data of millions of drivers without consent.
General Motors owns the GMC, Cadillac, Chevrolet, and Buick brands and produces over 6.1 million vehicles each year. OnStar, GM's subsidiary, provides digital in-car services such as navigation, communications, security, emergency services, and remote diagnostics.
As the FTC claimed in its January 2025 complaint, GM collected precise geolocation data and detailed driving behavior information from millions of vehicles (without customers' consent) every three seconds through OnStar's now-discontinued "Smart Driver" feature, which was marketed as a driving-habits self-assessment tool rather than a data-collection mechanism.
This data was then sold to third parties, including consumer reporting agencies, which then provided it to insurance companies, leading to higher insurance rates or denial of coverage.
The finalized order approved by the commission bans GM from sharing consumers' geolocation and driver behavior data with consumer reporting agencies for five years.
Also, for the full 20-year duration of the order, GM must obtain express consent from consumers before collecting their data, using or sharing their connected vehicle data, with exceptions for emergency services.
The company must allow U.S. consumers to request copies of their data and seek its deletion, provide vehicle owners the ability to disable precise geolocation data collection, and enable them to opt out of location and driving behavior data collection (with some limited exceptions).
"This fencing-in relief is appropriate given GM's egregious betrayal of consumers' trust," the FTC said on Wednesday.
"The Federal Trade Commission has formally approved the agreement reached last year with General Motors to address concerns," a GM spokesperson told BleepingComputer, noting that "it's important to note there is no monetary payment."
"As vehicle connectivity becomes increasingly integral to the driving experience, GM remains committed to protecting customer privacy, maintaining trust, and ensuring customers have a clear understanding of our practices."
One year ago, in January 2025, Texas Attorney General Ken Paxton also filed a lawsuit against car insurance firm Allstate for unlawfully collecting and selling driving data from over 45 million Americans.
The tracking activity was carried out by adding an SDK developed by Allstate subsidiary Arity to popular apps such as Life360, GasBuddy, Fuel Rewards, and Routely, without drivers' consent.
The lawsuit also involves several car makers, including Toyota, Lexus, Mazda, Chrysler, Jeep, Dodge, Fiat, Maserati, and Ram, who also allegedly collected and sold data directly to Allstate and Arity.
Update January 15, 10:19 EST: Added GM statement.
Automated Pentesting Covers Only 1 of 6 Surfaces.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.
Comments
b1k3rdude - 2 months ago
Something positive coming from the US atm..
birdleygbi - 2 months ago
But they can still store it the next 5 years, then sell it all after the 5 years is up... or find some other loophole to profit off consumers data so they can continue to charge for their overpriced garbage vehicles to keep them investors happy and record profits coming in
nauip - 2 months ago
And it doesn't say anything about all the other driving metrics data they collect & sell.
JustinFlynn - 2 months ago
There was no monetary fine? They made a bunch of money off of it and get no actual punishment. Nice.
onlysideshow - 2 months ago
where is the like for these comments they are all correct