On January 14, 2026, the Federal Trade Commission finalized a sweeping order against General Motors LLC, General Motors Holdings LLC, and OnStar LLC. The order resolves allegations that the companies collected, retained, and sold sensitive geolocation and driving-behavior data without obtaining valid consumer consent. Certain terms of the order will govern GM's activity for the next 20 years. The action marks one of the most significant federal privacy enforcement efforts in the emerging connected-vehicle industry and on the collection and use of geolocation data.
The FTC alleged that GM and OnStar gathered precise location information and detailed driving-behavior metrics from millions of vehicles, then shared that data with third parties—including companies that generated risk scores used by insurers—without providing clear notice or obtaining affirmative permission. Although GM did not admit wrongdoing, the FTC's order states that the companies' practices constituted unfair or deceptive acts or practices in violation of Section 5 of the FTC Act and imposed a series of strict requirements designed to reshape how they handle consumer data.
Covered Driver Data
The FTC’s order focuses on “Covered Driver Data,” a category that includes:
- Precise geolocation information
- Driving‑behavior events such as hard braking, acceleration, cornering, speeding, and late‑night driving
- Trip‑level details, including time and duration
- Radio‑listening data when linked to a consumer or vehicle
The FTC emphasized that Covered Driver Data can reveal intimate details about a person's daily life, routines, and movements. According to the FTC, GM and OnStar collected and disclosed this data without obtaining "Affirmative Express Consent"—meaning clear, unambiguous permission separate from general privacy policies or terms of service.
Major Restrictions and Requirements
The final order imposes a broad set of obligations on GM and OnStar:
- Five-Year Ban on Sharing Data with Consumer Reporting Agencies. For the next five years, GM is prohibited from sharing any Covered Driver Data with entities acting as consumer reporting agencies, as defined under the Fair Credit Reporting Act. This directly targets the alleged practice of providing telematics data to insurance-industry partners.
- Strict Consent Standards. Within 180 days of the order becoming final, GM must obtain separate, explicit consent for each service or feature that collects or uses Covered Driver Data. The disclosures must be clear and conspicuous; identify the specific categories of data collected; explain the purposes for collection and sharing; and identify the third parties receiving the data or link to a regularly updated list.
- Dark-Pattern Ban. The order prohibits user interfaces that manipulate or deceive users—for example, by inferring consent from silence or using confusing design elements.
- No Penalty for Withholding Consent. GM may not penalize consumers who decline to consent to data collection or sharing.
- Data Minimization and Retention Limits. GM must limit data collection to what is reasonably necessary for the clearly disclosed purpose. The company must also publish a retention schedule and delete previously collected Covered Driver Data unless it is needed for legal compliance or safety, has been de-identified, or the consumer has provided new, explicit consent.
- Consumer Access and Deletion Rights. GM must provide an easy-to-use mechanism allowing consumers to request copies of their data or request deletion. The company may not use information collected through these requests for any other purpose.
- Obligations for Third-Party Data Recipients. GM must instruct all third parties that previously received Covered Driver Data to delete it unless retention is legally required. GM may not share new data with those entities (subject to the order's other restrictions) until they confirm deletion.
- Ability to Disable Location Tracking. Consumers must be able to disable location tracking if their vehicle supports it. Even when tracking is disabled, GM may collect location data only for emergency, theft-related, safety, or legal-compliance purposes. In addition, if a consumer declines OnStar services, GM must stop remote vehicle data collection except for safety recalls and software updates.
A Turning Point for Vehicle-Data Privacy
The GM order is a landmark moment for automotive privacy, particularly with respect to geolocation data. It signals that the FTC is prepared to treat vehicle-generated data with the same seriousness as financial or health information. The order's strict consent requirements and deletion mandates may set a new industry standard as connected-vehicle technologies continue to expand.
[View source.]
