FTC Finalizes Order Against GM and OnStar Over Driver Data

By Elizabeth Crooks and Susan Hintze

On January 14, 2026, the Federal Trade Commission (FTC) finalized a settlement order with General Motors (GM) and OnStar regarding the collection and disclosure of driver behavioral and location data. The complaint alleged violations of the Federal Trade Commission Act (FTC Act), including the collection, use, and disclosure of such data without notice to consumers and without consumers’ informed consent.

The Complaint

In its complaint alleging deception and unfairness under the FTC Act, the FTC made the following allegations.

GM and OnStar gave consumers false assurance that the driving data collected would be used only for consumers’ own safety and to assess their own driving habits. Instead, GM and OnStar sold this data to third parties, including consumer reporting agencies, auto insurance companies, and others for unrelated purposes and without appropriate notice or consent.

Consumers were not informed that constantly collected precise geolocation data; detailed driving events such as seat-belt usage, hard braking, and speeds over 80 mph; and data about which radio stations consumers listened to would be shared with these entities. These entities used the data for unexpected purposes including denying or canceling insurance, increasing insurance premiums, and for advertising analytics. Many consumers were, therefore, unaware of what exactly they had opted into when giving their consent. Based on the incomplete information GM and OnStar had provided to consumers, those consumers had no reason to expect that their consent to collection and use of their driving data might have real-world, negative financial consequences.

In addition to inappropriate notice and consent about sharing, consents for different features were bundled together inappropriately. Consent for safety and maintenance alerts was bundled with consent to enroll in OnStar Smart Driver, a service unrelated to vehicle maintenance. There was only one ‘accept’ or ‘decline’ choice for such features, and the choice was described in such a way that consumers did not understand what maintenance and safety features and alerts they would lose by not consenting to the OnStar service.

Further, GM did not provide, on all vehicles, a setting that allowed consumers to mask location data. Where the setting was available, it was defaulted to “off,” and GM did not widely communicate the availability of the setting to consumers. Moreover, because of the lack of adequate disclosures at consent about the constant collection and sharing of precise location data, consumers did not appreciate the importance of the setting.

The complaint alleged that as a result of GM and OnStar’s business practices, consumers experienced loss of auto insurance, unexpected increases in insurance premiums, and loss of privacy about sensitive data, including locations visited and day-to-day movements.

The Order

In its order, the FTC defines location data more broadly than in past orders. For the first time, the definition of ‘location data’ includes data that reveals the precise location of not only a mobile device or consumer but also of their vehicle.

In its definition of Covered Driver Data, the FTC also describes a car’s vehicle identification number (VIN), or an alternative identifier that can be linked to VIN, as “reasonably linkable” to a consumer. It further describes data linked to a VIN as not included in its definition of “Deidentified.” Both definitions suggest a willingness to treat VIN as personal information.

The FTC’s order requires GM and OnStar to, in sum:

· Not disclose driver data to a Consumer Reporting Agency.

· Obtain affirmative express consent prior to collecting, using, or disclosing driver data to a third party; obtain separate consent for each separate, unrelated service or feature; and not place limits on withholding or withdrawing consent, such as by degrading the quality or functioning of a product or service as a penalty.

· Give consumers a means to disable collection of 1) location data and 2) all vehicle data if they decline OnStar.

· Honor consumer requests to access and delete their driver data.

· Minimize data collection to what is reasonably necessary to fulfill the specific purpose for which it was collected.

· Document, adhere to, and publish an up-to-date data retention schedule.

· Delete or destroy all prior-retained driver data within 180 days of the order and instruct third parties to destroy data.

· Not misrepresent collection, use, and disclosure of data or purposes for the same.

The order has a typical 20-year termination date. However, the FTC departed slightly from its standard duration, limiting the requirement not to disclose driver data to a Consumer Reporting Agency to only five years.

Key Takeaways

We highlight several key takeaways below, particularly for any organization collecting telemetry or location data:

Choice Mechanisms. Ensure that consents for unrelated services and features are not bundled together. Make sure that the effects of consents are described clearly and thoroughly, and not in a way that might cause confusion.

Treatment of ‘Location Data.’ Present consumers with a way to opt in to and disable the collection and use of precise geolocation data separate from other choices, and clearly inform consumers how to do so. Ensure that your definitions and application of rules regarding precise geolocation data extend not only to the consumer but also to those things a consumer has with them or travels in.

Notice. Ensure that consent disclosures and privacy statements are presented accurately and with enough detail that consumers can understand the impact of choices. Train those responsible for handling agreements to understand privacy commitments made to consumers and to ensure that agreements do not violate those commitments.

VIN and Other Unique IDs as Identifiable Data. If you collect a VIN associated with data about an individual, ensure that you protect it as you would other personal data. Consider treating other unique identifiers that, like a VIN, could be linked to individuals as personal data.

Third Party Accountability. Review data sharing agreements with third parties to ensure that limitations are clearly outlined and that continued access to data is conditioned on agreeing to, and having a process in place to, delete data upon your instruction. Verify that contractual commitments with third parties about consumer data do not conflict with promises made to consumers and that adequate consents are obtained before agreeing to share sensitive data with third parties.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on AI, privacy, and data security. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law. 

Elizabeth Crooks is Senior Privacy Analyst at Hintze. Elizabeth has a Masters of Science in Information Management and guides global companies on privacy, cybersecurity, and data protection matters. 

Susan Hintze is Co-Managing Partner at Hintze Law PLLC, on the IAPP’s Board of Directors, and a Westin Emeritus Fellow with the IAPP.