FTC: Car Data is Private — What Businesses Must Know

by John DiGiacomo

Partner

Internet Law

As many are aware, cars, trucks, and vehicles manufactured over the last 20-30 years contain various devices that collect data on vehicle use. The primary device is a “vehicle black box” similar to the device used on airplanes for decades. The device collects data on speed, braking, whether a seat belt is being used, the turning of the steering wheel, etc. Other devices include various forms of global positioning systems (“GPS”), on-board cameras and video, and systems that deliver music or other products. A set of “hot-button” legal questions surrounds the privacy of that data. For example, General Motors has been targeted by the Federal Trade Commission (“FTC”) and at least three States for selling data collected by GM vehicles and by its OnStar wireless service that is marketed as providing emergency services, roadside repair/accident assistance, and other forms of vehicle assistance.

As reported by the FTC, the general allegations against GM are that it collected, used, and sold geolocation and driving behavior data of millions of drivers of GM vehicles to insurance companies, consumer reporting agencies, and others. The data was collected and sold without sufficient notice to vehicle users or any sort of consent. The data was used, for example, by insurance companies to set insurance rates and to deny coverage in some cases. The FTC and GM reached an agreement earlier in 2025 to settle the administrative enforcement action. Among other things, GM has agreed to be banned for five years from selling or disclosing geolocation and driver behavior data to consumer reporting agencies. GM has also agreed to amend/modify its notices to consumers to make it clear what data is being collected and how that data is used. GM has also agreed to obtain specific consents from consumers for the disclosure of their vehicle data.

The Attorneys General for Texas, Nebraska, and Arkansas have filed similar enforcement actions against GM and OnStar. It is expected that other States will follow suit.

The FTC’s actions against GM/OnStar are significant for several reasons. This is the first time the FTC has filed this sort of enforcement action. In particular, this is the first time that the FTC is claiming that failure to provide notice and obtain consumer consents for the sale and disclosure of data is considered to be a form of false, deceptive, and/or misleading business practice. As a consequence, this GM case will set a precedent for other cases and will serve as a general notice/warning to other vehicle manufacturers about the privacy of consumer data.

In addition, by investigating and punishing GM/OnStar, the FTC is signaling that it will use State-level consumer data privacy laws as a basis for decisions about what business practices are false, deceptive, and/or misleading. In this particular case, the GM disclosures were deemed misleading because there was insufficient clarity about what data was being collected and what was going to be done with the data. That is, for example, no information was provided by GM/OnStar about the selling, sharing or disclosure of the data. Further, the quantity of data being collected has significantly increased over the last few years.

Finally, businesses should note and understand that, through this method, the FTC is expanding the reach of State-level consumer data protection statutes and that the FTC will be “enforcing” such statutes.

What Vehicle Data Is Actually Being Collected

Modern connected vehicles generate an extraordinary volume of data. Industry analysts estimate that a modern vehicle generates between 25 and 100 gigabytes of data per hour. This data falls into several categories:

  • Vehicle operational data: Speed, braking force, acceleration patterns, gear changes, engine diagnostics, fuel consumption, and vehicle performance metrics collected by the vehicle’s event data recorder (“EDR”) and telematics systems
  • Location and movement data: GPS coordinates, route history, time-stamped location data, and geofencing alerts generated by navigation systems and connected services
  • Behavioral data: Driving style scores, distracted driving detections, seatbelt use, phone connection logs, and radio and entertainment preferences
  • Personal identification data: Contact lists synced from connected phones, voice commands and recordings, calendar information, and biometric data from driver-monitoring systems
  • Financial transaction data: Toll payment records, fuel purchase transactions, and in-vehicle purchase history

The Legal Theory Behind the GM/OnStar Action

The FTC’s enforcement action against GM and OnStar was brought under Section 5 of the FTC Act, 15 U.S.C. § 45, which prohibits unfair or deceptive acts or practices in or affecting commerce. The FTC charged that GM and OnStar engaged in deceptive practices by:

  • Enrolling millions of consumers in its Smart Driver program without adequately disclosing that their driving data would be collected and sold to third parties, including insurance companies and data brokers
  • Representing in privacy disclosures that consumers would be “in control” of their data while simultaneously sharing that data without meaningful consumer choice
  • Collecting and selling precise geolocation data and driving behavior scores used by insurers to increase premiums or deny coverage without consumers’ awareness

The GM settlement requires the company to refrain from selling or sharing geolocation and driving behavior data with consumer reporting agencies for five years, implement a comprehensive data privacy program, obtain express informed consent before sharing covered data, and submit to FTC oversight through compliance reporting. This settlement establishes the FTC’s de facto standards for connected vehicle data practices.

State-Level Vehicle Data Laws

In addition to FTC enforcement, state laws are increasingly relevant to vehicle data privacy. Several states with comprehensive consumer data privacy statutes — California, Colorado, Connecticut, Virginia, and others — apply their statutes to the personal data collected by vehicles and connected services. California’s CCPA/CPRA specifically covers precise geolocation data as “sensitive personal information” subject to heightened protections and opt-out rights. Texas and Oregon have enacted dedicated connected vehicle data statutes that restrict the collection and sale of vehicle data without consumer consent.

Practical Compliance Steps for Vehicle-Adjacent Businesses

The GM case and the broader regulatory environment create specific compliance obligations for automotive manufacturers, telematics providers, usage-based insurance underwriters, fleet management companies, and any business that purchases or uses vehicle-generated data:

  • Audit your data collection and sharing practices. Identify every category of vehicle data you collect, every third party you share it with, and the contractual and legal basis for each sharing arrangement.
  • Update your privacy disclosures. Privacy policies and notices must specifically and clearly describe the collection and use of vehicle data, including any sale or sharing with insurers or data brokers.
  • Implement opt-in consent for sensitive uses. Data used for insurance underwriting, credit decisions, or marketing purposes likely requires opt-in consent rather than a passive opt-out mechanism.
  • Evaluate your data retention practices. Keep vehicle data only as long as necessary for the disclosed purpose and implement data deletion schedules.
  • Review contracts with data recipients. Downstream use of vehicle data by purchasers and licensees remains your legal exposure.

The Intersection with Insurance Law

Usage-based insurance (“UBI”) programs — which use driving behavior data to set premiums — sit at the intersection of vehicle data privacy law and insurance regulation. State insurance commissioners are beginning to scrutinize how UBI programs obtain consumer consent and disclose the use of driving data. In states where vehicle data statutes impose consent requirements, UBI programs that rely on data sold by automakers without consumer consent may be on legally precarious ground. Businesses in this space should consult with both privacy counsel and insurance regulatory counsel.

Contact Revision Legal

If you have questions about data privacy and FTC compliance law, the experienced attorneys at Revision Legal can help. We represent businesses, entrepreneurs, and individuals across the country. Contact us through the form on this page, visit our data privacy and FTC compliance law practice page, or call us at (855) 473-8474.
