The Federal Trade Commission (FTC) has finalized an order against General Motors, restricting how the automaker can share consumer data with third parties. The order, stemming from concerns over the collection and sale of driver information through GM’s OnStar service and Smart Driver program, mandates increased transparency and requires explicit consent for certain data collection practices. This action underscores growing regulatory scrutiny of connected car technology and consumer privacy.
FTC Cracks Down on GM Data Sharing Practices
The finalized order, approved Wednesday, concludes a case initiated nearly two years ago following a report in the New York Times detailing GM’s collection of precise geolocation and driving behavior data. This information was reportedly sold to data brokers like LexisNexis and Verisk, who then provided it to insurance companies, potentially impacting customer premiums. The FTC alleged that GM misled consumers about how their data would be used.
The Demise of Smart Driver
GM discontinued its Smart Driver program in April 2024, citing customer feedback. The program, offered as a free feature within GM’s connected car apps, tracked driving habits and seatbelt usage. GM stated it unenrolled all customers and ended its relationships with LexisNexis and Verisk at that time.
Key Provisions of the FTC Order
Under the terms of the agreement, GM is now prohibited from sharing certain types of consumer data with consumer reporting agencies. However, exceptions are in place for sharing location data with emergency responders and for internal research purposes. The company is also permitted to share anonymized or de-identified data with partners for initiatives like urban planning, as demonstrated by a previous collaboration with the University of Michigan.
A central component of the order is the requirement for explicit consent from consumers before collecting, using, or sharing connected vehicle data. This consent process will occur at the point of sale, when a new vehicle owner activates the OnStar system linked to the vehicle’s identification number (VIN). GM has confirmed it has already implemented procedures to comply with this mandate.
Additionally, GM must establish a system allowing U.S. consumers to request copies of their collected data and to seek its deletion. The company must also provide a means for users to disable the collection of precise geolocation data from their vehicles. GM asserts it has already met these requirements by expanding its privacy program and consolidating its U.S. privacy statements into a single, more accessible document.
The Broader Implications for Automotive Data Privacy
This case highlights the increasing value – and potential risks – associated with the vast amounts of telematics data generated by modern vehicles. Connected car services offer convenience and safety features, but also raise significant privacy concerns as they track where drivers go and how they drive. The FTC’s action signals a willingness to enforce stricter rules regarding the collection and use of this information.
The automotive industry is facing a growing wave of regulations aimed at protecting consumer privacy rights. Beyond the FTC, state-level laws, such as the California Consumer Privacy Act (CCPA), are also impacting how automakers handle personal data. This evolving legal landscape is forcing companies to re-evaluate their data practices and prioritize transparency and consent.
The focus on explicit consent is particularly noteworthy. Previously, many automakers relied on broad terms of service agreements that allowed for extensive data collection. The FTC’s order requires a more proactive and informed approach, ensuring consumers are aware of what data is being collected and have a clear choice about whether to share it. This shift could influence data collection practices across the entire automotive sector.
GM, in a statement, emphasized its commitment to customer privacy and trust as vehicle connectivity becomes more prevalent. The company stated it began overhauling its data collection and privacy policies in 2024 to address these concerns.
Looking ahead, the FTC will likely continue to monitor GM’s compliance with the order. The agency is also expected to pursue similar enforcement actions against other companies that engage in questionable data sharing practices. The long-term impact of this case will depend on how effectively the FTC enforces its new rules and whether Congress passes comprehensive federal data privacy legislation, which remains uncertain.
Correction: The previous article incorrectly stated GM would be required to obtain their explicit consent on any data collection. The requirement is for certain data.
