The Federal Trade Commission has taken enforcement action against General Motors and its OnStar subsidiary for collecting and selling drivers’ precise location and driving-behavior data without adequate consent, according to the agency. The case, settled through a finalized order in January 2026, exposes how modern car infotainment systems quietly funnel personal information to third parties, including consumer reporting agencies that use the data to set auto insurance prices. The GM action is not an isolated episode. Congressional scrutiny is now spreading across the auto industry, with Senator Edward Markey sending formal inquiries to 14 automakers about their data practices, signaling that the era of unchecked vehicle surveillance may be closing.
What GM and OnStar Did With Driver Data
According to the FTC, GM and OnStar collected precise geolocation and driving-behavior data from connected vehicles and shared and sold that data to third parties without obtaining adequate informed consent from drivers. The data was not limited to broad location zones or general trip summaries. It included granular records of where drivers went and how they behaved behind the wheel, details that carry significant commercial value for companies looking to profile consumers.
The settlement, per the Associated Press, resulted in the FTC banning GM from sharing driving data to resolve claims that the automaker sold information to consumer reporting agencies. Those agencies then used the data for insurance pricing, meaning a driver’s everyday commute or weekend road trip could directly influence what they paid for coverage. The FTC’s press release and the AP’s reporting describe slightly different procedural stages of the same action: the FTC cites a finalized order settling the allegations, while the AP references a proposed order and complaint. Both accounts point to the same underlying enforcement, and the practical outcome for consumers is the same: GM can no longer sell this data.
How Driving Data Reaches Insurance Companies
The pipeline from a car’s dashboard to an insurance quote runs through intermediaries like LexisNexis. According to the Consumer Financial Protection Bureau, LexisNexis operates a product called Telematics OnDemand, which collects and reports driving behavior specifically for auto insurance pricing. LexisNexis is classified as a consumer reporting company under the Fair Credit Reporting Act, which means the data it handles carries legal weight similar to a credit report.
This distinction matters because most drivers do not think of their car as a credit bureau input. When a vehicle’s infotainment system or connected services platform records acceleration patterns, braking frequency, time of day on the road, and trip routes, that information can flow to agencies like LexisNexis and become part of a driver’s risk profile. The GM case showed that this transfer can happen without drivers clearly understanding or agreeing to it. The CFPB provides an official consumer contact record for LexisNexis so individuals can request access to their data or file disputes, but awareness of that right remains limited among the general public.
The real-world consequence is straightforward: a driver who brakes hard in stop-and-go traffic or regularly drives late at night could see higher insurance premiums, not because of an accident or a ticket, but because their car quietly reported those habits to a data broker. This represents a shift from traditional insurance underwriting, where rates were based on claims history and demographic factors, toward a model where continuous behavioral monitoring shapes what consumers pay.
Congressional Pressure on 14 Automakers
The problem extends well beyond a single manufacturer. Senator Edward Markey queried 14 automakers about invasive data practices and called for stronger consumer privacy protections in vehicles. The letters asked detailed questions about data collection, in-car and infotainment integrations, third-party software and software development kits, data retention timelines, and sharing arrangements with outside companies.
These questions target the full supply chain of vehicle data. Infotainment systems today run on software platforms that often include third-party code, and each layer of that software stack can introduce new data collection points. A navigation app, a voice assistant, or a connected services subscription might each have its own data-sharing terms buried in lengthy agreements that few drivers read. Markey’s inquiry attempts to map this ecosystem across the industry rather than relying on enforcement actions against one company at a time.
No public responses from the 14 automakers have been confirmed in available reporting. That gap itself is telling. If manufacturers were confident their practices were transparent and consumer-friendly, prompt public disclosure would serve their interests. The silence suggests that the answers may be uncomfortable, or that legal teams are carefully calibrating what to reveal.
Why Most Coverage Misses the Bigger Risk
Much of the public discussion around connected car data focuses on privacy as an abstract principle. But the GM enforcement action reveals a more concrete and measurable harm: financial discrimination based on driving behavior that consumers never knowingly shared. When telematics data feeds into insurance pricing models, it creates a system where the cost of mobility is shaped by surveillance that drivers did not meaningfully authorize.
This dynamic has the potential to widen existing gaps in transportation costs. Drivers in dense urban areas with more stop-and-go traffic, or workers with late-night shifts, could face systematically higher rates through no fault of their own. The data does not distinguish between a reckless driver and someone whose commute simply involves more braking events. Without transparency about how telematics scores are calculated and weighted, consumers have no practical way to contest or adjust the behavior being monitored.
The standard industry defense is that telematics-based insurance rewards safe drivers with lower premiums. That framing assumes informed, voluntary participation. The FTC’s findings in the GM case, per the agency, directly contradict that assumption by establishing that drivers were not adequately informed that their location and driving patterns would be sold to data brokers and used to set insurance prices. Instead of an opt-in discount program, the system functioned more like a covert risk assessment tool embedded in everyday vehicles.
What Drivers Can Do Now
For individual drivers, the GM case underscores the importance of scrutinizing connected services. That starts with reviewing the privacy settings in a vehicle’s infotainment system and mobile apps tied to the car, and disabling data-sharing features that are not essential to safety or navigation. Consumers should also be aware that they can request copies of their files from consumer reporting companies that handle telematics data and dispute inaccuracies that might affect insurance pricing.
When drivers suspect that their data has been misused or shared without consent, the FTC encourages them to submit detailed complaints through its fraud reporting portal. Those reports help regulators spot patterns, prioritize investigations, and build cases that can lead to enforcement actions like the one against GM and OnStar. While an individual complaint may not immediately change an insurance rate, it contributes to a broader record that can shape policy and industry behavior.
In more serious cases where connected car data is tied to impersonation or unauthorized accounts, drivers may need to respond as they would to any other identity-related abuse. The FTC maintains identity theft resources that walk consumers through placing fraud alerts, freezing credit, and documenting unauthorized activity. These steps are not limited to traditional financial fraud; they can also be relevant if telematics data is improperly linked to a driver’s name or insurance profile.
Some consumers may also want to reduce the volume of unsolicited marketing that can follow from broad data sharing. While not specific to vehicles, the federal Do Not Call registry offers one way to cut down on telemarketing tied to personal information circulating in commercial databases. Combined with careful review of app permissions and dealership paperwork, it can form part of a more defensive posture toward how personal data is used across the automotive and insurance sectors.
The Road Ahead for Connected Car Privacy
The GM and OnStar enforcement action, coupled with Senator Markey’s industry-wide inquiry, marks a turning point in how regulators and lawmakers view connected vehicles. Cars are no longer just transportation devices; they are rolling data hubs whose outputs can affect everything from insurance bills to personal safety. The FTC’s order sends a clear signal that undisclosed data monetization tied to driving behavior crosses a legal line, especially when it feeds into consequential decisions like pricing and eligibility for coverage.
At the same time, the lack of comprehensive federal privacy legislation specific to vehicle telematics means that much of the oversight still depends on piecemeal enforcement and voluntary industry standards. Automakers face a choice between building transparent, consent-based data practices or risking future investigations and reputational damage. Insurers and data brokers, for their part, will have to weigh the benefits of granular risk scoring against growing public and regulatory skepticism about surveillance-driven pricing.
For drivers, the message is increasingly clear: the way you drive, where you go, and when you travel can be tracked, scored, and sold unless strong protections are in place. The GM case shows that regulators are willing to step in when those protections fail, but it also highlights how much of the connected car ecosystem still operates out of view. As more consumers, advocates, and lawmakers focus on this space, the pressure to align vehicle technology with meaningful privacy rights, and fairer insurance practices, is likely to intensify.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
