As many are aware, cars, trucks, and other vehicles manufactured over the last 20-30 years contain various devices that collect data on vehicle use. The primary device is a “vehicle black box” similar to the device used on airplanes for decades. The device collects data on speed, braking, whether a seat belt is being used, the turning of the steering wheel, etc. Other devices include various forms of global positioning systems (“GPS”), on-board cameras and video, and systems that deliver music or other products. A set of “hot-button” legal questions surrounds the privacy of that data. For example, General Motors has been targeted by the Federal Trade Commission (“FTC”) and at least three States for selling data collected by GM vehicles and by its OnStar wireless service, which is marketed as providing emergency services, roadside repair/accident assistance, and other forms of vehicle assistance.
As reported here by the FTC, the general allegations against GM are that it collected, used, and sold geolocation and driving behavior data of millions of drivers of GM vehicles to insurance companies, consumer reporting agencies, and others. The data was collected and sold without sufficient notice to vehicle users or any sort of consent. The data was used, for example, by insurance companies to set insurance rates and to deny coverage in some cases. The FTC and GM reached an agreement earlier in 2025 to settle the administrative enforcement action. Among other things, GM has agreed to be banned for five years from selling or disclosing geolocation and driver behavior data to consumer reporting agencies. GM has also agreed to amend/modify its notices to consumers to make it clear what data is being collected and how that data is used. GM has also agreed to obtain specific consents from consumers for the disclosure of their vehicle data.
The Attorneys General for Texas, Nebraska, and Arkansas have filed similar enforcement actions against GM and OnStar. It is expected that other States will follow suit.
The FTC’s actions against GM/OnStar are significant for several reasons. This is the first time the FTC has filed this sort of enforcement action. In particular, this is the first time that the FTC is claiming that failure to provide notice and obtain consumer consents for the sale and disclosure of data is considered to be a form of false, deceptive, and/or misleading business practice. As a consequence, this GM case will set a precedent for other cases and will serve as a general notice/warning to other vehicle manufacturers about the privacy of consumer data.
In addition, by investigating and punishing GM/OnStar, the FTC is signaling that it will use State-level consumer data privacy laws as a basis for decisions about what business practices are false, deceptive, and/or misleading. In this particular case, the GM disclosures were deemed misleading because there was insufficient clarity about what data was being collected and what was going to be done with the data. That is, for example, no information was provided by GM/OnStar about the selling, sharing or disclosure of the data. Further, the quantity of data being collected has significantly increased over the last few years.
Finally, businesses should note and understand that, through this method, the FTC is expanding the reach of State-level consumer data protection statutes and that the FTC will be “enforcing” such statutes.
Contact The Consumer Data Privacy and Compliance Attorneys At Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.