GM headquarters in Detroit. Image: Paramraj Singh via Unsplash

FTC proposes 5-year ban on GM selling sensitive driver info to data brokers

The Federal Trade Commission (FTC) on Thursday announced a proposed settlement agreement with General Motors and its OnStar subsidiary that requires the automaker to stop sharing millions of customers’ sensitive geolocation data with consumer reporting agencies, including data brokers, for five years. 

The agency also ordered the automaker to stop misleading customers about how it collects, uses and shares their data and to begin obtaining explicit affirmative consent before collecting the data.

Additionally, GM is required to begin offering consumers clear choices over how their data is shared, according to an FTC press release. The agency highlighted several examples of deceptive language and poor privacy consent mechanisms which pushed consumers into agreeing to have granular data sold to third parties without understanding their options or having fair choices.

The allegations stem from how GM shared precise geolocation and driving behavior data — which the agency noted is used to set insurance premiums — with third party data brokers without alerting consumers or receiving their affirmative consent for the practice. 

The car company was able to capture customers' precise geolocation every three seconds while they were driving, the complaint says, and did so for 9 million people.

It is unclear if the proposed settlement will stick since consent agreements do not become final until 30 days after their terms are published in the Federal Register. 

Republican Commissioners Andrew Ferguson and Melissa Holyoak abstained from voting and their positions are unknown. If President-elect Donald Trump appoints a third Republican to the commission who disagrees with the proposal, the settlement could be dropped.

GM told consumers the driving data it gathered from the OnStar Smart Driver program would be used for their “own assessment of their driving habits,” the complaint says.

But, the complaint says, GM also used the technology to sell sensitive location and driving behavior data, which led consumers to lose car insurance or see their insurance premiums unexpectedly spike, and which revealed the precise locations they drove to — including places of worship and health care facilities.

Data collected

The geolocation data GM sold consisted of latitude and longitude points which could reveal location to within approximately 4.5 inches, the FTC alleges. Elevation, heading, current speed, a date and time stamp and a trip identifier that could be used to “tie multiple transmissions together to identify the entire route of a specific trip taken by a single vehicle” were also sold, the complaint says.

The precise geolocation data would then be linked to a specific Vehicle Identification Number (VIN), which allowed GM to tie trips together and obtain a complete picture of individual drivers’ habits, the FTC alleges.

This data was sold to a connected car data company and a consulting company, the complaint says, noting that at one point GM even sold the data company information about what radio stations drivers listened to.

In December 2016, GM began selling different categories of information to the data broker Verisk Analytics to create what was billed as a Telematics Data Exchange Program under which the automaker gave Verisk personally identifiable information (PII) from customers who enrolled in OnStar Smart Driver.

The PII provided included names, addresses, and persistent identifiers such as the VIN, along with driving data such as trip ID, mileage, hard braking, acceleration and reports of when a driver traveled over 80 miles per hour.

Nearly three years later, GM entered into a similar contract with the data broker LexisNexis Risk Solutions, which included the same data plus time stamps and seat belt usage.

Verisk and LexisNexis sold the data to insurers. The companies used the driver behavior data they received from GM to put together consumer reports on GM customers who had enrolled in OnStar Smart Driver. They relied on the VINs to “associate driving events back to the individual consumer,” the complaint said.

The consumer reports compiled typically included six months’ worth of driving events, the complaint alleges. 

Many drivers only found out about the tracking when their insurance policies were cancelled or premiums were raised, the complaint says.

GM said in a statement that it discontinued its Smart Driver program last year and ended its third-party telematics relationships with LexisNexis and Verisk.

“The FTC consent order includes new measures that go above and beyond existing law, while capturing steps we’ve already taken to establish choices for customer data collection and communications about how the information is used,” the company said.

Misleading customers

GM misled consumers and pressured dealers to maximize the number of customers who signed up for the OnStar Smart Driver feature which fed the company the vast trove of driver data, the FTC said.

In a privacy policy dating to 2018 — which was allegedly not substantively updated on this point until 2024 — GM told customers that it might share their information with business partners, such as SiriusXM, in connection with their products and services; research institutes studying highway safety; dealers working on service maintenance; third parties for marketing services; and for a handful of other reasons.

But the privacy policy was woefully inadequate, the FTC alleges, noting that it “does not present the collection, use, and sharing disclosures in a form that would allow a consumer to understand the invasiveness of the data collection and sharing … [nor] the identities of the entities with which the data would in fact be shared, or the purposes for which the data would be used.”

Even after updating the relevant section of its privacy policy in September 2024 — after a series of New York Times reports revealed GM’s activities — the automaker still failed to tell customers that it sold their precise geolocation data to companies which in turn sold it to insurers, the FTC alleges.

Until 2023, the automaker also told consumers who didn’t consent to the data collection that they would have to “be willing to accept limited functionality,” the complaint said.

Consumers who tried to reject OnStar terms would see a message telling them their decision to decline “will result in deactivation of all services, including Automatic Crash Response, Emergency Services, and Vehicle Diagnostics,” according to the complaint, quoting GM’s language.

The options presented to consumers about whether to accept or decline OnStar Smart Driver were confusing and misleading, the complaint said. Some consumers signed up for the program without realizing they had done so, it said.

The consent screen offered consumers a “safety and diagnostics notification feature that is separate from and unrelated to the OnStar Smart Driver feature,” the complaint said.

But any customer who chose to participate in notifications also was forced to enroll in OnStar Smart Driver, according to the FTC.

“GM monitored and sold people’s precise geolocation data and driver behavior information, sometimes as often as every three seconds,” FTC Chair Lina M. Khan said in a statement. “With this action, the FTC is safeguarding Americans’ privacy and protecting people from unchecked surveillance.”

In addition to the ban on selling data for five years, the requirement to obtain affirmative consent for collecting it and the mandate that GM stop misleading consumers, the FTC's proposed order also requires GM to allow consumers to delete their data. The automaker must create a mechanism for consumers to request a copy of their data and ask for it to be erased, the FTC said.

GM also must give consumers the opportunity to limit data collection from their cars by allowing them to disable precise geolocation data collection and opt out of having driver behavior and location data collected, the agency said.

“This decision and order says loud and clear to the entire automotive industry: adherence to strict privacy protection protocols is necessary to continue to do business with consumers,” said Andrea Amico, the founder of Privacy4Cars.

Correction: A previous version of this article presented the settlement as finalized. Consent agreements do not become final until 30 days after their terms are published in the Federal Register.

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.