FTC's GM Data-Sharing Settlement: What It Means for Your Vehicle [2025]
Last January, the Federal Trade Commission proposed something that seemed almost quaint in 2024: a rule saying companies shouldn't secretly sell your car's location data to insurance companies without asking first. This week, that rule became official. General Motors can no longer collect your GPS coordinates through OnStar and sell them to data brokers who pass them along to insurers that might jack up your rates, as highlighted in TechCrunch's report.
Here's what actually happened, why it took a year to finalize, and what this means for the millions of drivers with connected vehicles.
TL;DR
- The Settlement: The FTC finalized an order banning GM from sharing geolocation and driving behavior data with third parties like LexisNexis and Verisk without explicit consent, as detailed in WSBTV's coverage.
- The History: GM's Smart Driver program collected precise location data and driving metrics that insurers used to adjust rates—sometimes without drivers knowing.
- The Changes: GM must now obtain written consent at purchase, allow data deletion requests, and disable location tracking on demand.
- The Exceptions: Location sharing is still allowed for emergencies, de-identified research, and internal safety improvements.
- The Broader Impact: This settlement signals the FTC's aggressive new stance on automotive data privacy, likely triggering similar investigations into other connected car platforms, as discussed in Retail Consumer Products Law.
How GM's Data Collection Actually Worked
Understanding the GM settlement requires understanding what GM was actually doing with your car data. This wasn't some abstract privacy violation—it was a concrete system that collected specific information about how you drove and sold it to specific companies that used it to adjust your insurance premiums.
GM's OnStar service has been around since 1996, originally designed for emergency services. You press a button, speak to a human, they call 911 or roadside assistance. Simple. But over the decades, OnStar evolved into something more invasive: a data collection platform embedded in every connected GM vehicle.
The Smart Driver program was the real culprit. Launched quietly, it ran silently in the background of GM's mobile app. Every time you drove, it tracked your location with GPS precision—down to exact coordinates and timestamps. It rated your driving behavior against various metrics: acceleration smoothness, braking patterns, seatbelt compliance, speeding frequency. The app would give you a score, usually presented as a game-like feature to encourage safe driving.
The problem wasn't the ratings themselves. The problem was what happened next.
GM sold access to this data to data brokers. Specifically, to LexisNexis and Verisk, two of the largest data aggregation companies in America. These brokers then packaged the information and sold it to insurance companies. An insurer would buy aggregated location and driving behavior data, crossmatch it with their own customer databases, and suddenly they had detailed movement patterns and driving metrics for millions of drivers, as explained in Insurance Nerds.
Insurers then used this data to adjust rates. A driver with erratic acceleration patterns? Higher risk. Someone who sped frequently in certain neighborhoods? Actuarial nightmare. Someone whose location data showed they drove mostly in congested urban areas? That affects risk calculation. The data broker ecosystem turned your daily commute into a commodity.
The truly problematic part: most drivers didn't know this was happening. The OnStar terms of service technically disclosed data sharing, but the disclosure was buried in dense legal language that few people actually read. The mobile app didn't prominently announce that your precise location was being sold. There was no opt-in moment. No clear choice. Just a checkbox in a thirty-page legal document.
This is where the FTC's investigation began. A New York Times investigation in 2024 exposed the whole system in detail—showing exactly which companies were buying the data, how it was being used, and how it affected insurance rates. The public backlash was immediate. Privacy advocates called it the automotive equivalent of secretly recording someone's movements. Consumer groups noted that low-income drivers in urban areas were being tracked most intensively, as noted in Gibson Dunn's webcast.
GM's response came in April 2024: discontinue the Smart Driver program entirely, unenroll all existing customers, and end relationships with LexisNexis and Verisk. That was the settlement proposal. January 2025 was just the FTC making it official and enforceable.
The Proposed Settlement Takes Shape
When the FTC first announced the proposed order in January 2024, it represented something philosophically important: a regulatory agency explicitly saying that selling precise location data without clear consent is a deceptive practice under Section 5 of the FTC Act.
Let's be precise about what that means. The FTC doesn't ban companies from collecting data or even selling it. What the FTC was saying is that you can't sell geolocation data in a deceptive manner. Deception, in FTC terms, means making claims or implications about data practices that aren't accurate, or failing to disclose material facts that a reasonable consumer would want to know.
GM's Smart Driver program crossed that line because the data sharing wasn't prominent, the consent wasn't explicit, and the downstream use—insurance rate adjustment—wasn't clearly explained to drivers.
The proposed order required several specific remedies. First, GM had to stop sharing location and driving behavior data with third parties, full stop. No more selling to data brokers. No more batching up location information for insurers. Second, any future data collection would require affirmative, explicit consent. Not a default opt-in buried in terms of service, but a clear yes-or-no choice at the point of service.
Third, the order required transparency improvements. GM would have to consolidate its privacy policies into a single, understandable document. No more scattering data practices across seventeen different legal texts. Consumers should be able to open one file and understand exactly what GM collects, how long it keeps it, and who it shares it with.
Fourth, GM had to establish a data access and deletion mechanism. Any driver could request a copy of their personal data collected through OnStar. Any driver could request deletion of that data. Any driver could disable precise geolocation collection from their vehicle, period.
The one-year gap between the proposed order and finalization wasn't unusual. FTC orders go through public comment periods. Companies can request changes. Legal teams on both sides negotiate language to ensure the order is enforceable and doesn't create weird loopholes. In this case, the year also allowed GM to demonstrate compliance with the new requirements before the order became final and legally binding, as reported by Wiley Law.
What Changed in the Finalized Order
The finalized order that took effect in January 2025 is substantively similar to what was proposed, but with some important clarifications about what GM can and cannot do with vehicle data.
The core prohibition remains intact: GM cannot collect precise geolocation data from connected vehicles and sell or share that data with third parties without explicit, informed consent. This applies to OnStar and any successor telematics service. It applies globally to all GM brands (Chevrolet, GMC, Cadillac, Buick).
But the order does carve out specific exceptions. GM can share location data with emergency first responders. If your vehicle sends an automatic crash notification to OnStar, and the dispatcher needs your exact coordinates to send help, that's still allowed. That's the original OnStar use case, and it makes sense.
GM can also share de-identified data for research purposes. Here's where the distinction matters: de-identified data means data that's been processed to remove any connection to specific drivers or vehicles. If GM anonymizes location data—stripping out VIN numbers, not associating it with specific drivers, aggregating it geographically—then it can share that with research partners. GM has used this mechanism to share data with the University of Michigan for urban planning research. The university can see general patterns about traffic flow and congestion without knowing whose car created that data.
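The de-identification steps described above (dropping VINs and driver links, aggregating geographically), as an added Python example that is not GM's code and not part of the original article. It goes one step beyond the text by also suppressing groups seen from too few vehicles; the grid size, hourly bucket, threshold, field names and all sample records are assumptions constructed for illustration.

```python
"""De-identify vehicle telemetry before sharing: drop IDs, coarsen, aggregate, suppress."""
import math
from collections import defaultdict
from datetime import datetime

GRID_DEG = 0.01  # assumed cell size, roughly 1 km north-south
K_MIN = 3        # assumed minimum number of distinct vehicles per released group
ALLOWED_KEYS = {"cell_sw", "hour", "vehicle_count", "ping_count", "mean_speed_kph"}

# Constructed sample records; the VINs and driver IDs are placeholders, not real values.
SAMPLE_PINGS = [
    {"vin": "VIN-PLACEHOLDER-A", "driver_id": "drv-001", "lat": 42.2808, "lon": -83.7430,
     "ts": "2025-01-14T08:03:11", "speed_kph": 40.0},
    {"vin": "VIN-PLACEHOLDER-B", "driver_id": "drv-002", "lat": 42.2851, "lon": -83.7485,
     "ts": "2025-01-14T08:17:40", "speed_kph": 50.0},
    {"vin": "VIN-PLACEHOLDER-C", "driver_id": "drv-003", "lat": 42.2899, "lon": -83.7412,
     "ts": "2025-01-14T08:41:05", "speed_kph": 60.0},
    {"vin": "VIN-PLACEHOLDER-A", "driver_id": "drv-001", "lat": 42.2812, "lon": -83.7444,
     "ts": "2025-01-14T08:55:59", "speed_kph": 30.0},
    {"vin": "VIN-PLACEHOLDER-B", "driver_id": "drv-002", "lat": 42.2833, "lon": -83.7461,
     "ts": "2025-01-14T09:02:10", "speed_kph": 35.0},
    {"vin": "VIN-PLACEHOLDER-C", "driver_id": "drv-003", "lat": 42.2870, "lon": -83.7420,
     "ts": "2025-01-14T09:30:00", "speed_kph": 45.0},
    # A lone vehicle parked late at night: the kind of point that reveals a home address.
    {"vin": "VIN-PLACEHOLDER-A", "driver_id": "drv-001", "lat": 42.3127, "lon": -83.7049,
     "ts": "2025-01-14T23:48:30", "speed_kph": 0.0},
]


def group_key(ping):
    """Coarsen one ping to (grid cell index, hour bucket); exact values are discarded."""
    cell = (math.floor(ping["lat"] / GRID_DEG), math.floor(ping["lon"] / GRID_DEG))
    hour = datetime.fromisoformat(ping["ts"]).isoformat(timespec="hours")
    return cell, hour


def deidentify(pings, k_min=K_MIN):
    """Return (released_rows, suppressed_group_count).

    Released rows carry only aggregates per cell and hour. Groups observed from
    fewer than k_min distinct vehicles are withheld rather than published.
    """
    groups = defaultdict(lambda: {"vins": set(), "speeds": []})
    for ping in pings:
        group = groups[group_key(ping)]
        group["vins"].add(ping["vin"])  # kept in memory only to count distinct vehicles
        group["speeds"].append(ping["speed_kph"])

    released, suppressed = [], 0
    for (cell, hour), group in sorted(groups.items()):
        if len(group["vins"]) < k_min:
            suppressed += 1
            continue
        released.append({
            "cell_sw": (round(cell[0] * GRID_DEG, 4), round(cell[1] * GRID_DEG, 4)),
            "hour": hour,
            "vehicle_count": len(group["vins"]),
            "ping_count": len(group["speeds"]),
            "mean_speed_kph": round(sum(group["speeds"]) / len(group["speeds"]), 1),
        })
    return released, suppressed


def find_identifier_leaks(released, raw_pings):
    """Pre-release check: flag unexpected fields or raw identifier values in the output."""
    raw_ids = {str(p[field]) for p in raw_pings for field in ("vin", "driver_id")}
    problems = []
    for i, row in enumerate(released):
        extra = set(row) - ALLOWED_KEYS
        if extra:
            problems.append(f"row {i}: unexpected fields {sorted(extra)}")
        if any(str(value) in raw_ids for value in row.values()):
            problems.append(f"row {i}: contains a raw identifier value")
    return problems


if __name__ == "__main__":
    rows, withheld = deidentify(SAMPLE_PINGS)
    for row in rows:
        print(row)
    print("groups withheld:", withheld)
    print("leak check:", find_identifier_leaks(rows, SAMPLE_PINGS) or "clean")
```

Coarsening and suppression lower re-identification risk but do not remove it: repeated releases over many days can still be linked, so the threshold and cell size need review against the actual data density.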
GM can collect location data for internal research and development. This was important for the automaker because understanding real-world driving patterns helps improve vehicle systems. How do drivers actually use GPS navigation? What terrain challenges cause problems? What weather conditions affect sensor performance? That kind of internal research doesn't require selling to third parties.
The explicit consent requirement is now ironclad. When a consumer buys a GM vehicle or activates OnStar, there's a clear, separate disclosure about data collection practices. The customer makes an affirmative choice about whether to allow collection of precise geolocation data. This happens at the dealership or through the mobile app. It's documented. It's not buried in a footnote.
GM has also implemented a data subject access mechanism. Any U.S. consumer can request a copy of all personal data collected through their OnStar account. GM must provide this within a reasonable timeframe. That same consumer can request deletion of all their data. GM must honor that request. And critically, any consumer can disable the collection of precise geolocation data directly from their vehicle settings or through the OnStar app.
What's interesting about these requirements is they're not revolutionary in the regulatory sense. Similar rules already exist in California under the Consumer Privacy Act. Similar provisions exist in European GDPR. But for automotive data specifically, this was the first time the FTC codified these requirements in an enforceable order against a major automaker, as noted by Insurance Nerds.
Why It Took a Year to Finalize
One reasonable question: why did finalization take twelve months? The answer involves bureaucratic process, but also some legitimate complexity.
FTC orders don't just appear. They go through notice-and-comment rulemaking. The agency publishes a proposed order. Interested parties—including GM, privacy advocates, industry groups, and the general public—can submit comments. The FTC reviews all comments and decides whether to modify the order based on feedback. Only after that process completes does the order become final.
In GM's case, the company likely pushed back on some provisions. The data broker notification requirements, for instance. When you tell a company to stop selling data to third parties, those third parties lose revenue. They might lobby GM to find loopholes. The FTC had to ensure the order was airtight—that GM couldn't technically comply while finding roundabout ways to continue the practice.
There was also the practical matter of compliance verification. The FTC wanted to ensure GM could actually implement the required changes. Could the company really obtain explicit consent at the dealership scale? Could they actually honor data deletion requests within reasonable timeframes? Could they actually disable location tracking on vehicles already in the field? These aren't trivial engineering challenges.
GM also needed time to update its privacy infrastructure. The company consolidated multiple privacy statements into a single unified policy. That sounds simple but requires coordinating across dozens of teams—OnStar operations, legal, communications, technical infrastructure, customer service training. Dealerships had to be retrained on the new consent process. The backend systems had to be updated to process data deletion requests.
The FTC also likely wanted to see real-world compliance before finalizing. GM discontinued Smart Driver in April 2024, but that was just the start. The company needed to actually delete data that had been collected. It needed to unwind relationships with data brokers—ensuring those brokers deleted data they'd purchased from GM. It needed to verify that former Smart Driver data was being purged from LexisNexis and Verisk systems.
From a procedural standpoint, there was also the matter of finalizing related investigations. The FTC didn't just investigate GM. The agency also began looking at OnStar's data practices specifically, and likely at other automakers' telematics services. The GM order sets a precedent. Other manufacturers probably received similar orders or warnings. The FTC wanted the GM order finalized before those other cases moved forward, as detailed in WSBTV's report.
The Broader Automotive Data Privacy Landscape
The GM settlement is important not because it punishes GM specifically, but because it signals the FTC's regulatory priorities for the automotive industry broadly.
Connected vehicles are everywhere now. Most new cars sold in the U.S. have cellular connectivity and telematics services. That connectivity enables useful features—emergency calling, remote diagnostics, vehicle location if stolen. But it also enables data collection at a scale and precision that traditional consumer privacy regulation didn't anticipate.
Your car generates data continuously. Location coordinates, speed, acceleration, braking patterns, steering angle, door open/close events, seatbelt status, fuel consumption, maintenance diagnostics. If the vehicle has cameras, it generates video. If it has microphones, it generates audio. This is all technically "vehicle data," and carmakers have been operating in a gray zone about what they can do with it.
The traditional consumer privacy frameworks—the Privacy Act, the Fair Credit Reporting Act, COPPA—were written for an era of paper records and computer databases. They don't cleanly map onto connected vehicles. A car isn't a "website." It's not clear whether vehicle data falls under credit reporting rules. There's regulatory ambiguity, and companies exploit regulatory ambiguity.
The FTC's approach with GM is to fill that gap. The agency is using its authority under Section 5 of the FTC Act—which prohibits deceptive practices—to establish standards for automotive data. If a company collects precise location data and sells it to third parties in ways consumers don't clearly understand, that's deceptive. That's prohibited.
This creates a de facto automotive privacy standard even before Congress passes comprehensive federal privacy legislation. And it signals to other automakers what the FTC expects. Ford, Honda, Toyota, BMW, Volkswagen—all of these companies operate telematics services that collect location and driving behavior data. The GM settlement puts them on notice: you need to audit your data practices, get clear consent, and don't sell location data to insurers or data brokers without explicit permission, as discussed in Retail Consumer Products Law.
We're already seeing the effects. Several automakers have made public commitments to stronger privacy practices. Some have discontinued data sharing arrangements similar to what GM did with LexisNexis and Verisk. Others have announced privacy-first approaches to data collection. The GM settlement didn't explicitly ban other companies from doing what GM did, but it made the regulatory consequences clear enough that most companies are choosing not to take that risk.
Insurance and the True Impact of Location Data
Understanding the real impact of the GM settlement requires understanding why location data matters so much to insurers.
Insurance pricing is fundamentally about risk prediction. An insurer's profit depends on accurately predicting which customers will have accidents, and pricing their premiums accordingly. Someone who has a 1% accident probability should pay less than someone with a 5% probability.
Traditionally, insurers used static factors: age, gender, driving record, type of vehicle, credit score. These are coarse proxies that correlate with risk but don't measure it directly. A clean driving record means someone probably isn't reckless, but it's not a guarantee. It's historical, not real-time.
But location data enables something different. If an insurer knows that a driver spends 60% of their time in congested urban areas with higher accident rates, that's actionable information. If they know a driver tends to drive at night—when accident rates are higher—that's relevant. If they can measure actual driving behavior—acceleration smoothness, braking patterns—they have direct measurements of driving skill.
This is theoretically rational. Safer drivers should pay less. Riskier drivers should pay more. The problem emerges in practice: not all drivers generate this data equally.
Drivers who use premium telematics services like GM's Smart Driver tend to be relatively wealthy (they buy new GM vehicles), relatively tech-literate (they use the app), and relatively concentrated in certain demographics. Younger drivers might not buy new cars. Rural drivers might not use mobile apps. Low-income drivers might not drive new vehicles at all. Meanwhile, the drivers whose location data insurers do have—disproportionately wealthier, urban, tech-forward—suddenly become more observable and possibly more vulnerable to rate increases if the data shows risky driving patterns.
There's also the information asymmetry problem. When GM was selling location data to insurers, only the insurer could see the insurer's data. The driver didn't know they were being tracked. They didn't know their insurance rates were being influenced by location data. They couldn't contest the data or correct errors.
The FTC settlement addresses this by requiring explicit consent. If you want an insurer to access your vehicle's location data for rating purposes, you have to knowingly agree to that. You can say no. This restores choice and transparency.
But there's a secondary effect that's worth understanding. If location-based insurance rating requires explicit driver consent, then only drivers who voluntarily consent will be subject to it. That might actually make the risk assessment worse for everyone else. Drivers who consent to location tracking are likely those who drive safely and believe they'll get better rates. Drivers who don't consent are unknown—their behavior is unmeasured. From an insurer's perspective, non-consenters become higher-risk, regardless of their actual behavior.
This is called adverse selection, and it's a persistent problem in insurance. But it's better than the alternative—secret tracking that drivers don't know about.
Compliance and What GM Actually Had to Change
The finalized order requires specific compliance mechanisms, and GM has already implemented most of them. Understanding what actually changed—and what didn't—matters for appreciating what this settlement accomplishes.
First, data deletion. GM has processed requests from drivers who participated in Smart Driver and wanted their data deleted. This sounds simple but involves tracing data across multiple systems. OnStar's central database had to be purged. Backup systems had to be purged. Third-party data brokers who had received copies of the data had to delete their copies—and GM had to verify they did. This took months of coordination.
Second, the consent mechanism. When you activate OnStar on a new GM vehicle, or when an existing customer updates their OnStar settings, there's now a clear disclosure about data collection. The disclosure explains what data is collected (location, driving behavior), how long it's kept (typically until you delete your account or disable the feature), and who it's shared with (emergency responders, research partners, but not insurers or data brokers). You have to affirmatively opt in to location data collection. The default is not to collect it.
This is implemented at the point of service—at the dealership when you buy the vehicle, or in the mobile app if you activate OnStar later. It's a separate consent choice, not buried in a 50-page privacy policy. It's documented so GM can prove consent was obtained.
Third, the unified privacy policy. GM consolidated its data practices documentation into a single, clearer privacy notice. Instead of scattering data practices across multiple documents (OnStar privacy policy, vehicle privacy policy, mobile app privacy policy, dealer privacy policy), there's now one document explaining how GM collects, uses, and shares data from your vehicle. It's in plain language. A typical consumer can read it in 10-15 minutes and understand what's happening to their data.
Fourth, the data access mechanism. Through GM's website or mobile app, you can request a copy of all personal data associated with your OnStar account. You can request specific categories of data: location history, driving metrics, service records. GM must provide this data in a standard format within 45 days. If you request deletion, GM must delete it within a similar timeframe.
Fifth, the location disable feature. In your vehicle's settings or through the OnStar app, you can disable the collection of precise geolocation data entirely. This doesn't disable all data collection—OnStar still tracks general connectivity and service status for technical purposes. But the precise GPS coordinates that could reveal your movements? You can turn that off.
Sixth, the data broker notification. GM had to formally end relationships with LexisNexis and Verisk. The company sent formal notices informing these data brokers that no new data would be provided. GM also had to request that existing data be deleted. While the company couldn't force the data brokers to delete data they already purchased (data brokers have their own complex arrangements), it had to make the request and document it.
What GM did NOT have to do, importantly, is stop collecting vehicle data entirely. GM still collects location and driving behavior data for internal research and development. This helps the company understand how vehicles are actually used in the field, which informs design and safety improvements. The company also still shares de-identified data for approved research partnerships.
This distinction matters because it shows the FTC isn't taking an absolutist stance against automotive data collection. The agency's issue was specifically with data sharing for insurance purposes without clear consent. The issue was with deception. The issue was with opaque data brokers buying and selling location information. The FTC still permits data collection when it's transparent, when consumers consent, and when the data isn't being weaponized to adjust someone's rates without their knowledge.
The Precedent and What Other Automakers Should Expect
One of the most important aspects of the finalized GM order is what it signals to other automakers about regulatory expectations.
Toyota, Ford, Honda, BMW, Volkswagen, Hyundai, Kia—all of these manufacturers operate connected car platforms with telematics services. All of them collect location and driving behavior data. Many of them have established relationships with data brokers or insurance companies. The question is whether they've been doing what GM did.
The answer is probably yes, at least to some degree. Connected vehicle data sharing has been largely unregulated. Most manufacturers have privacy policies that technically disclose data practices, but the disclosures are often vague, scattered, and don't clearly explain downstream uses like insurance rating.
The FTC hasn't announced investigations into other automakers yet, but the agency almost certainly has them on its radar. The GM settlement sets a clear standard. If another automaker is selling location data to data brokers or insurers without explicit, transparent consent, the FTC could take similar action.
Some manufacturers have already started preemptively adjusting practices. Ford announced enhanced privacy controls for its connected vehicle services. BMW made public commitments to limiting data sharing. Hyundai published clearer privacy disclosures. These moves are partly voluntary privacy leadership, partly defensive—getting ahead of potential FTC action.
The GM settlement also matters for the broader insurance industry. Insurance companies that have been purchasing vehicle location data from data brokers now face uncertainty. Does a data broker's data come from transparent consent or secret collection? As data brokers have to disclose their data sources, insurers will increasingly find that their data comes from questionable practices. That creates liability and reputational risk.
We might see a market shift where insurers demand that manufacturers provide data only when consumers have explicitly consented to insurance rating purposes. That would create a different model: rather than buying data through brokers, insurers would directly contract with automakers for access to telematics data, with clear consumer consent.
The Technical Implementation Challenges
While the finalized order is legally straightforward, the technical implementation has been genuinely complex.
Consent management at scale is non-trivial. GM has millions of vehicles in the field. Implementing a clear consent mechanism that works at the dealership, works in the mobile app, and works across different generations of vehicles running different software versions required significant backend engineering. The company had to build systems that could track whether a specific vehicle owner had consented to location data collection, and sync that across all of GM's service platforms.
Data deletion is even more challenging. When you request deletion of your OnStar data, that data exists in multiple places: GM's primary database, backup databases, archive systems, analytics databases, third-party servers where GM had shared data. Deleting from one place isn't enough—the company had to verify deletion across all of these systems.
This is why the FTC gave GM 45 days to respond to data access requests. Pulling together a complete picture of all data associated with a specific account—across multiple systems, accumulated over years—takes time. Particularly if you're doing it for millions of customers.
The unified privacy policy sounds simple but required massive internal coordination. Data practices that were scattered across 15 different legal documents had to be consolidated and made consistent. Teams that had been operating independently had to align on what data they actually collect, how long they keep it, and whether they share it. This exposed internal inconsistencies that then had to be resolved.
The data access portal—where customers can request and download their data—had to be built to handle potentially millions of requests. It had to be secure. It had to be accessible to people with varying technical literacy. It had to format data in standard formats (CSV, JSON) that customers could reasonably understand.
The location disable feature had to work across different hardware generations. Older GM vehicles had different telematics hardware and software than newer ones. The company had to implement a location disable feature that worked consistently across this hardware diversity.
From a technical standpoint, implementing privacy-by-design—where privacy is built into systems from the start rather than bolted on—is harder than it sounds. But that's ultimately what the FTC order required.
What This Means for Vehicle Owners
If you own a GM vehicle, the finalized order changes your actual experience in several concrete ways.
First, you have more control. If you buy a new GM vehicle going forward, the dealership will present you with a clear choice about location data collection. You can say no. Your OnStar service will still work for emergency services and basic connectivity. But precise location data won't be collected. This is a genuine increase in control compared to the pre-settlement world where most drivers had no idea location data was being collected at all.
Second, you have transparency. The unified privacy policy explains what GM does with vehicle data. If you want to know what location data GM has collected about you, you can request it. You can see where the company tracked your vehicle, when, and in what direction.
Third, you have deletion rights. If you're uncomfortable with historical data, you can request deletion. GM has to honor that request. This applies to anyone who was in the Smart Driver program previously—GM has already processed requests from those customers.
Fourth, you have the option to disable location tracking. If you agreed to location collection but change your mind, you can disable it through the OnStar app or your vehicle settings.
For existing vehicle owners, GM has already sent notice about the changes and made it easy to request deletion of historical data. Anyone who participated in Smart Driver received explicit notice about their data and options to delete it.
One nuance: if you purchase or lease a vehicle from a dealer who doesn't properly implement the consent process—who doesn't present you with the clear choice about location data—that would be a violation of the FTC order. In practice, this is unlikely given that GM has strong incentives to train dealerships correctly. But if it happens, consumers have a path to complaint.
Another nuance: the FTC order applies to GM and OnStar as they exist today. If GM gets acquired, or if OnStar is sold to another company, there are questions about whether the acquirer is bound by the same requirements. Typically yes, but the transition period could create compliance gaps. The FTC would have to monitor that.
The Insurance Industry's Response
Insurers have mostly stayed quiet about the GM settlement, but the implications for the insurance industry are substantial.
The settlement cuts off one major source of location data that some insurers were using for pricing. This doesn't mean insurers can't use location information—customers can still voluntarily share it—but the stream of data coming through data brokers is being restricted.
Some insurers have responded by developing their own telematics programs. Rather than buying data through brokers, they're offering customers discounts in exchange for installing a monitoring app or using the insurer's mobile app to track driving behavior. This is consent-based by design. The customer knows they're being tracked, and they agree to it in exchange for a potential discount.
Other insurers are leaning more heavily into traditional underwriting factors. They can't see location data anymore, so they're making more use of credit scores, driving history, vehicle type, and other traditional variables.
The competitive effect is uncertain. Some drivers will benefit from not being tracked. Others might actually want to be tracked if it could get them a discount—they drive safely and want to prove it. The settlement essentially says insurers can't mandate that drivers provide location data, but they can offer incentives for voluntary provision.
There's also the question of how insurers will treat drivers who don't provide location data. If location data is no longer available, insurers have to make assumptions about unknown drivers. That could lead to higher average rates for drivers who don't share data—because the insurance company can't measure their actual risk.
From a public policy perspective, this is a genuine trade-off. Privacy advocates prefer this outcome—no secret tracking. Drivers who want insurance discounts enough to share their data can still do it. But it does mean that opting out of data sharing might make insurance slightly more expensive.
Regulatory Momentum and Federal Privacy Law
The GM settlement is also important in the context of broader federal privacy legislation efforts.
The U.S. still doesn't have a comprehensive federal privacy law like Europe's GDPR or California's more recent CPRA. Congress has been debating privacy legislation for years without passing anything. In that vacuum, the FTC has been using its existing authorities—Section 5 of the FTC Act—to enforce privacy standards where it sees violations.
The GM settlement is part of a pattern. The FTC has brought data privacy cases against numerous tech companies over the past 5 years. The agency has become much more aggressive about enforcement. The GM case signals that the FTC is extending this enforcement mindset into automotive—an industry that previously considered itself outside traditional consumer privacy regulation.
This regulatory momentum matters because it creates pressure for federal privacy legislation. Congress looks at what the FTC is doing and asks: should we formalize these standards into law? The GM settlement will likely be cited in congressional hearings about privacy legislation. It demonstrates both why privacy regulation is needed (location data is being weaponized to adjust rates) and that existing FTC authority can address some of these issues.
If Congress does pass comprehensive federal privacy legislation—which seems increasingly likely—it will probably codify standards similar to what the FTC imposed on GM. Consumer consent for data collection. Transparency about data practices. Data access and deletion rights. Prohibition on selling certain types of sensitive data without explicit opt-in.
The GM settlement is thus both enforcement action and precedent-setting. The FTC is saying: this is what we think privacy standards should be. If Congress agrees and passes legislation, these standards become law for everyone.
International Implications and Global Privacy Standards
One aspect of the GM settlement that's easy to miss: it applies globally to all GM vehicles, not just U.S. vehicles.
The FTC's jurisdiction nominally applies only in the United States. But GM operates globally—it sells vehicles in Europe, Asia, Latin America, and other regions. When the FTC says GM must obtain explicit consent for location data collection and provide data access rights, that applies to GM vehicles everywhere.
This creates interesting dynamics with existing privacy regulation in other countries. Europe's GDPR already requires explicit consent for location data processing. GM's European subsidiary likely already had these controls in place due to GDPR requirements. The FTC order essentially extends GDPR-like standards to all GM vehicles globally, including those sold in countries without comprehensive privacy laws.
This is one way regulatory standards propagate globally. U.S. companies comply with GDPR in Europe because they have to. Once they've built the compliance infrastructure, it's often cost-effective to apply the same standards everywhere. The FTC order accelerates this by requiring it.
For developing countries or countries with weaker privacy regulation, this can be beneficial. Drivers in India, Brazil, Mexico, and other GM markets now get the same data access and consent rights as drivers in the U.S. They didn't have to lobby their governments to pass privacy laws. They benefit from the regulatory standards imposed on GM by American regulators.
This also matters for data brokers and insurers operating globally. If they're buying vehicle data from GM, they're now dealing with data that comes with explicit consent and documented deletion requests. This makes the data cleaner, more legally defensible, and potentially more expensive. It incentivizes these companies to develop consent-based approaches to data acquisition.
The Data Broker Ecosystem and Broader Implications
One often-overlooked aspect of the GM settlement is its implications for the data broker industry specifically.
Data brokers like LexisNexis and Verisk have built their entire business models on acquiring data from various sources and repackaging it for buyers. They're fundamentally middlemen. They buy data cheap, verify and aggregate it, sell it dear. When a major source of data (GM's location tracking) gets cut off, it affects their bottom line.
But more importantly, it creates a model for how they need to operate going forward. Data sources they partner with need to have legitimate consent from data subjects. Data they sell needs to come with verification that consent was obtained. This is more expensive and slower than the previous model where data collection happened in the shadows and nobody asked questions.
We might see data brokers increasingly operating in two tiers. Consent-based data that's expensive but defensible. And whatever legacy data they still have from the old collection methods, which they'll gradually age out.
For consumers, this is mostly good news. It makes the data broker ecosystem slightly less lucrative and slightly more transparent. But it also means that opt-in, consent-based systems might become standard for anyone collecting location data at scale.
There's also the question of how data brokers will innovate. Rather than buying raw location data and selling it to insurers, they might start offering new products: risk assessment services where they analyze location data without handing it over to insurers directly. Or consent management platforms that help companies gather and verify consent at scale. The business model will evolve but probably won't disappear.
Challenges in Enforcement and Monitoring
The finalized FTC order against GM is legally binding, but enforcement is complex.
The FTC has to actually monitor whether GM is complying. This requires the agency to conduct periodic audits, review complaints from consumers, test systems to ensure they work as required. The FTC has limited resources. They can't audit every transaction GM makes or verify every data deletion.
This creates an incentive for companies to technically comply while finding loopholes. For instance, GM is now required to delete data when customers request it. But does that include aggregated or anonymized data? The order specifies de-identified data used for research is permitted, but what counts as "de-identified"? A clever company could probably find ways to argue that certain data deletion requests don't actually apply to certain data stores.
The FTC order does allow for civil penalties if GM violates the requirements. Each violation can result in significant fines. But the FTC has to detect violations first, and enforcement takes time.
Consumers also have remedies. If someone believes GM violated the order—say, by selling their location data to an insurer without consent—they could file a complaint with the FTC or potentially pursue private litigation. The existence of these avenues is itself a deterrent against blatant violations.
In practice, the strongest enforcement mechanism is probably reputational. If GM was discovered to be violating the FTC order—selling location data secretly, ignoring data deletion requests—the public and media backlash would be severe. Companies care about their reputations. That's often a stronger deterrent than fines.
The Bigger Picture: What This Settlement Reveals About Data Regulation
The GM settlement might seem like a niche regulatory action—one company's telematics practices being corrected. But it actually reveals something important about how data regulation is evolving.
The FTC's approach is pragmatic. The agency isn't banning data collection or mandating that companies stop collecting data entirely. Instead, it's imposing structural requirements: transparency, consent, access rights, deletion rights. These structural requirements are flexible enough to permit beneficial data use (internal research, safety improvements, emergency services) while preventing harmful use (secret tracking for insurance pricing).
This is what effective regulation probably looks like. Not an outright ban on new technology, but rules that ensure technology is used transparently and consensually.
It also reveals the FTC's thinking about what constitutes "deception" in the modern context. It's not just false statements. It's also omissions of material facts, unclear disclosures, and settings where consumer choice is illusory. Smart Driver wasn't marketed as data collection for insurance pricing—if it had been, maybe the FTC wouldn't have acted. But it was marketed as a safety rating tool, while the real purpose was generating saleable data. That's deception.
Finally, it reveals how the FTC is stretching its authorities to address novel challenges. The FTC's core authority under Section 5 of the FTC Act is to prohibit deceptive or unfair practices. The agency is interpreting this broadly to include data practices that were never contemplated when the statute was written. The FTC is essentially doing the work Congress should be doing—establishing data privacy standards through enforcement rather than through legislation.
This is sub-optimal long-term. It would be better for Congress to pass comprehensive privacy legislation that sets clear, consistent standards for all companies. But in the absence of congressional action, the FTC is using the tools available. The GM settlement is what regulatory agency enforcement looks like in a legislative vacuum.
Looking Ahead: What Comes Next
The finalized GM order is a beginning, not an endpoint.
We should expect similar investigations into other automakers. Ford, Honda, Toyota, BMW, Volkswagen, Hyundai—all of these companies have been collecting and sharing location data through telematics services. The FTC will likely be looking at whether they have transparent consent mechanisms and whether they're selling data to third parties without clear consumer permission.
We should also expect Congress to eventually pass comprehensive federal privacy legislation. The GM settlement will be cited as evidence that privacy regulation is needed. It will probably be used as a template for what federal standards should look like.
For consumers, expect more control and transparency over vehicle data going forward. New vehicles will have clearer privacy choices. Data access and deletion will become standard features rather than novel rights. Insurance pricing based on secret tracking will become less common.
For automakers, expect higher compliance costs. Privacy-by-design, consent management, data infrastructure—these things cost money. But they're increasingly just a cost of doing business. Companies that don't invest in privacy will face regulatory action and reputational damage.
For the data broker and insurance industries, expect disruption. Traditional models of buying and selling location data are becoming riskier. Companies are shifting toward more transparent, consent-based models or finding new ways to derive insight from data without accessing the raw information.
The GM settlement is important precisely because it's not the end of the story. It's one enforcement action that signals how privacy regulation will evolve. It sets a precedent that other agencies, other countries, and other companies will watch closely.
FAQ
What is the FTC's settlement with General Motors about?
The FTC finalized an order prohibiting General Motors from collecting and selling geolocation and driving behavior data from connected vehicles without explicit consumer consent. The settlement originated from the agency's concerns that GM's Smart Driver program collected precise location data and sold it to data brokers like LexisNexis and Verisk, who then sold it to insurance companies that used it to adjust consumer rates—often without drivers knowing about this process.
How did GM's Smart Driver program collect and use location data?
Smart Driver was a feature in GM's mobile app that tracked drivers' precise GPS coordinates, acceleration patterns, braking behavior, and seatbelt compliance. GM packaged this data and sold access to it to data brokers, who resold it to insurance companies. Insurers then used the location and driving behavior information to adjust insurance premiums for individual drivers. Most drivers didn't realize their location was being tracked and sold in this manner because the practice was disclosed only in dense legal documents.
What specific changes did the finalized order require GM to make?
The order requires GM to obtain explicit, documented consent before collecting precise geolocation data from vehicles, consolidate its privacy policies into a single clear document, provide consumers a mechanism to request copies of their personal data and request deletion, allow drivers to disable location tracking from their vehicles, and terminate sharing of location data with third parties like data brokers and insurance companies. GM is still permitted to share de-identified (anonymized) data for research purposes and to share location data with emergency first responders.
Why did it take the FTC a year to finalize the settlement after proposing it?
The FTC order went through a formal notice-and-comment rulemaking process where interested parties could submit feedback and request modifications. The agency needed to verify that GM could technically comply with all requirements—such as implementing consent at dealership scale, processing data deletion requests across multiple systems, and ensuring third-party data brokers also deleted shared data. GM also needed time to actually implement the required changes, including consolidating privacy policies and building systems to handle data access and deletion requests. The extended timeline allowed the FTC to ensure robust compliance infrastructure before finalizing the order.
What does the settlement mean for consumers who own GM vehicles?
Current and future GM vehicle owners now have more control over location data. When purchasing a new vehicle, the dealer must clearly explain data collection practices and obtain explicit opt-in consent for location tracking. Existing owners can request deletion of historical location data, access copies of data GM has collected about them, and disable location tracking through the OnStar app or vehicle settings. These changes make automotive data collection transparent and give drivers meaningful choice about whether their location is tracked and used for insurance pricing or other purposes.
How might this settlement affect insurance pricing and availability?
With GM no longer supplying location data to insurers through data brokers, insurers lose one source of detailed driving behavior information. Insurers may respond by relying more on traditional underwriting factors (driving history, vehicle type, age) or by offering voluntary telematics programs where drivers can opt-in to tracking for potential insurance discounts. Drivers who choose not to share location data might face slightly higher insurance rates because insurers can't measure their actual driving behavior, but they retain the privacy choice to not be tracked.
Will other automakers face similar FTC action?
The settlement signals that the FTC expects all automakers operating connected vehicle platforms to have transparent, consent-based data practices. Companies like Ford, Honda, Toyota, BMW, and Volkswagen that operate telematics services collecting location and driving behavior data will likely face FTC scrutiny. Some manufacturers have already made proactive privacy improvements, anticipating regulatory action. The GM settlement essentially establishes a regulatory precedent for how automotive data collection and sharing should work across the industry.
Does the settlement prevent GM from using vehicle location data entirely?
No. GM can still collect location data for its own internal research and development purposes to improve vehicles and safety systems. The company can share de-identified (anonymized) location data with research partners like universities for urban planning and traffic studies. The core restriction is that GM cannot share precise location data with third-party data brokers or insurance companies for commercial purposes without explicit driver consent. Emergency responders can still receive location data to facilitate rescue operations.
What are the practical privacy controls available to GM vehicle owners?
GM vehicle owners can disable location tracking through their vehicle's in-dashboard settings or through the OnStar mobile app. They can request access to all personal data GM has collected about them through the OnStar portal. They can request deletion of specific categories of data or their entire data history. GM must respond to access and deletion requests within 45 days. For new vehicle purchases, owners must affirmatively consent to location data collection at the dealership—the default setting is now no location tracking rather than automatic opt-in.
Key Takeaways
- Transparent Consent is Now Standard: The FTC's settlement establishes that automakers cannot collect and sell precise location data without explicit, documented consumer consent—a standard that will likely be extended to all automotive telematics services.
- Data Deletion Rights Matter: Consumers can now request deletion of historical location data collected through GM vehicles, setting a precedent for automotive privacy rights that other manufacturers will need to implement.
- Insurance Pricing Transparency Required: The days of secret location tracking informing insurance rates are ending; any future insurance-related data sharing must be transparent and consensual.
- Regulatory Momentum is Building: This settlement signals aggressive FTC enforcement on automotive privacy and creates momentum for broader federal privacy legislation that would codify similar standards.
- Industry-Wide Implications: All major automakers with connected vehicle platforms should expect regulatory scrutiny and similar requirements, making privacy compliance a competitive necessity rather than an optional feature.
TL;DR Summary
The FTC finalized its order against General Motors in January 2025, prohibiting the automaker from collecting and selling geolocation and driving behavior data through OnStar to data brokers and insurance companies without explicit consumer consent. GM's Smart Driver program had previously tracked drivers' precise location and driving metrics, selling this data to LexisNexis and Verisk, which then resold it to insurers who used it to adjust premiums—often without drivers' knowledge. Under the finalized order, GM must obtain clear, documented consent before collecting location data, provide unified privacy policies, allow data access and deletion requests, and enable drivers to disable location tracking. While the settlement took a year to finalize, the delay allowed for formal regulatory review and GM's compliance infrastructure development. The settlement signals the FTC's aggressive stance on automotive privacy and will likely trigger similar investigations into other automakers' telematics services. For consumers, this means more control over vehicle data, greater transparency about data practices, and protection against secret tracking affecting insurance rates.