The Federal Trade Commission announced it has reached a proposed settlement with General Motors and its subsidiary OnStar, prohibiting the automaker from disclosing consumers’ geolocation and driving behavior data to consumer reporting agencies for the next five years.
This action marks the FTC’s first case involving connected vehicle data.
According to the FTC’s complaint, GM misled consumers during the enrollment process for its OnStar connected vehicle service and OnStar Smart Driver feature. The automaker allegedly failed to clearly disclose that it collected precise geolocation and driver behavior data and sold it to third parties, including consumer reporting agencies, without the consumer's consent. This data was reportedly used to determine insurance rates, sometimes leading to unexpected premium increases for drivers.
“GM monitored and sold people’s precise geolocation data and driver behavior information, sometimes as often as every three seconds,” said FTC Chair Lina M. Khan. “With this action, the FTC is safeguarding Americans’ privacy and protecting people from unchecked surveillance.”
GM has long positioned OnStar as a service offering emergency assistance, hands-free voice support and real-time traffic and navigation. However, the company has significantly increased its data collection, tracking users' precise locations every three seconds in some cases.
The FTC said geolocation tracking can reveal sensitive personal details, such as visits to medical facilities or daily routines, raising serious privacy concerns.
The FTC’s complaint also noted that many consumers were unaware they had been enrolled in the OnStar Smart Driver feature or that their data was being shared with third parties. Some consumers only discovered the practice after noticing changes in their insurance premiums.
One customer expressed frustration to GM, telling a customer service representative, “When I signed up for this, it was so OnStar could track me. They said nothing about reporting it to a third party. […] You guys are affecting our bottom line.”
Under the proposed settlement, GM and OnStar must:
• Obtain consumer consent before collecting data: Companies must acquire explicit consent before gathering connected vehicle data, except in emergency situations.
• Provide consumers with access to their data: Consumers must be able to request copies of their collected data and delete it if desired.
• Offer opt-out options: Customers must have the ability to disable precise geolocation tracking and driver behavior monitoring where technologically possible.
The FTC’s proposed order is currently open for a 30-day public comment period before the agency decides whether to finalize the settlement. If GM or OnStar violate the order, they could face civil penalties of up to $51,744 per infraction.
The FTC encourages consumers to stay informed about data privacy issues and report any fraudulent or deceptive practices at ReportFraud.ftc.gov.
