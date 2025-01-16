The Federal Trade Commission is taking action against General Motors (GM) and OnStar over allegations they collected, used, and sold drivers’ precise geolocation data and driving behavior information from millions of vehicles—data that can be used to set insurance rates—without adequately notifying consumers and obtaining their affirmative consent.

Under a proposed order settling the FTC’s allegations, General Motors LLC, General Motors Holdings LLC, and OnStar LLC, which are owned by General Motors Company, will be banned for five years from disclosing consumers’ sensitive geolocation and driver behavior data to consumer reporting agencies. They also must take other steps to provide greater transparency and choice to consumers over the collection, use, and disclosure of their connected vehicle data. This is the FTC’s first action related to connected vehicle data.

In its complaint, the FTC alleged that Michigan-based GM used a misleading enrollment process to get consumers to sign up for its OnStar connected vehicle service and the OnStar Smart Driver feature. GM failed to clearly disclose that it collected consumers’ precise geolocation and driving behavior data and sold it to third parties, including consumer reporting agencies, without consumers’ consent.

“GM monitored and sold people’s precise geolocation data and driver behavior information, sometimes as often as every three seconds,” said FTC Chair Lina M. Khan. “With this action, the FTC is safeguarding Americans’ privacy and protecting people from unchecked surveillance.”

GM has offered OnStar as a service that will aid consumers during an emergency and provide hands-free voice assistance and real-time traffic and navigation. Over time, the company has increased the amount of data it collects through OnStar to include precise geolocation data—collected every three seconds for some users.

Tracking and collecting geolocation data can be extremely privacy invasive, revealing some of the most intimate details about a person’s life, such as whether they visited a hospital or other medical facility, and expose their daily routines.

When consumers bought a GM vehicle, they were encouraged to sign up for OnStar and its Smart Driver feature, which they were often told would be used to help them assess their driving habits. The FTC alleged, however, that GM’s enrollment process for the data collection for both its OnStar service and Smart Driver feature was confusing and misleading. In fact, some consumers were unaware that they had been signed up for the Smart Driver feature, according to the complaint.

In addition, GM failed to clearly disclose to consumers the types of information it collected through its Smart Driver feature, including that their geolocation and driving behavior data—such as every instance of hard braking, late night driving, and speeding—would be sold to consumer reporting agencies. These consumer reporting agencies used the sensitive information GM provided to compile credit reports on consumers, which were used by insurance companies to deny insurance and set rates.

Many consumers were unaware of these practices and complained to GM after finding out that their driving habits were being used by insurance companies to set their rates. For example, one consumer told a GM customer service representative that “[w]hen I signed up for this, it was so OnStar could track me. They said nothing about reporting it to a third party. Nothing. […] You guys are affecting our bottom line. I pay you, now you’re making me pay more to my insurance company.”

Proposed Order

The proposed order would prohibit GM and OnStar from misrepresenting information about how they collect, use, and share consumers’ location and driver behavior data. Additional provisions of the proposed order require GM and OnStar to:

Not disclose covered driver data to consumer reporting agencies: The proposed order would ban GM and OnStar from disclosing consumers’ geolocation and driver behavior data to consumer reporting agencies for five years from the date the order is entered.

Obtain consent prior to collection: The companies must obtain affirmative express consent from consumers prior to collecting connected vehicle data, with some exceptions such as providing location data to emergency first responders.

The companies must obtain affirmative express consent from consumers prior to collecting connected vehicle data, with some exceptions such as providing location data to emergency first responders. Allow consumers to obtain and delete their data: The companies must create a way for all U.S. consumers to request a copy of their data and seek its deletion.

The companies must create a way for all U.S. consumers to request a copy of their data and seek its deletion. Allow consumers to limit data collection from their vehicles: The companies must also give consumers the ability to disable the collection of precise geolocation data from their vehicles if their vehicle has the necessary technology and provide a way for consumers to opt-out of the collection of geolocation and driver behavior data, with some limited exceptions.

During a closed meeting, the Commission voted 3-0-2 to accept the proposed consent agreement for public comment. Commissioners Melissa Holyoak and Andrew N. Ferguson were recorded as absent.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744.

The lead staff attorneys on this matter are Amy Teng, Breena Roos, and Sarah Shifley with the FTC’s Northwest Regional Office.