Drivers across California gained a new layer of protection this year after the state barred General Motors from selling driving behavior and location data to consumer reporting agencies for five years. The ban followed a $12.75 million settlement over GM’s collection and sale of OnStar data to companies that feed insurance pricing models. With Texas pursuing its own lawsuit alleging GM harvested data from more than 1.5 million drivers, and federal regulators separately cracking down on location-data brokers, the enforcement wave is forcing automakers to reckon with how connected-car telematics reach insurers and what drivers can do about it.
How GM’s OnStar data reached insurance scoring systems
The California Attorney General’s office found that GM collected driving and location data through its OnStar system, retained that data longer than necessary, and sold it to LexisNexis and Verisk for use in setting auto insurance rates. Drivers were not given meaningful notice or consent before their acceleration patterns, braking habits, and trip histories were packaged into products that insurers used to adjust premiums. The resulting settlement required GM to pay $12.75 million and to build out a formal privacy program with ongoing compliance obligations.
The five-year sales ban is the sharpest remedy in the deal. Under its terms, GM cannot sell driving data to consumer reporting agencies, with LexisNexis named explicitly. That prohibition matters because LexisNexis operates a product called Telematics OnDemand, which the Consumer Financial Protection Bureau lists as a consumer reporting service. Because it falls under the Fair Credit Reporting Act, drivers already have the legal right to request their own files and dispute inaccuracies. The California enforcement action log confirms the ban and the privacy-program mandate as binding terms of the stipulated judgment.
Practically, the settlement forces GM to treat driving data less like a proprietary asset and more like regulated credit information. The company must build internal controls around how telematics are collected, stored, and shared, and it has to document those practices for state overseers. That compliance work is likely to influence product design: features that once defaulted to broad data sharing may now require clearer disclosures, shorter retention periods, or technical limits that keep certain fields from ever leaving GM’s systems.
Texas and federal regulators widen the enforcement perimeter
California did not act alone. Texas Attorney General Ken Paxton filed a separate lawsuit alleging that GM collected and sold data from over 1.5 million Texans without their knowledge or consent. The Texas complaint accused GM of using its OnStar Smart Driver feature in ways that amounted to dark-pattern consent practices, framing data collection as a safety benefit while funneling the resulting records to insurance companies. The case is still active, and its outcome could extend similar restrictions beyond California’s borders.
Texas is also testing how far state consumer-protection laws can reach into software design. By characterizing Smart Driver’s enrollment flows as deceptive, the lawsuit challenges the idea that a buried disclosure or a pre-checked box is enough to justify detailed tracking. If a court agrees, other automakers may have to revisit how they pitch “driver coaching” or “safety score” programs, especially when those programs double as data pipelines to insurers or analytics firms.
At the federal level, the FTC reached a settlement with data broker Kochava and its subsidiary, banning both from selling sensitive location data. That agreement requires affirmative express consent before any future sale or sharing of such data and mandates a compliance program governing location-data practices. While Kochava is not an automaker, the FTC’s willingness to impose outright sales bans on location data signals that regulators view the commercial trade in granular movement records as a category deserving strict limits, not just disclosure rules.
Together, these actions create a pattern. State attorneys general are targeting the automaker side of the pipeline, while federal enforcers are going after the data-broker side. Any company sitting between a vehicle’s sensors and an insurer’s pricing algorithm now faces regulatory risk from multiple directions. Automakers, telematics vendors, and scoring firms each have to assume that if one link in the chain is deemed deceptive or unfair, the entire flow of data could be interrupted by a court order or settlement.
What drivers still cannot see or control
The GM cases exposed one automaker’s practices in detail, but the broader market remains opaque. No public government dataset currently quantifies how many other manufacturers send comparable telematics feeds to LexisNexis, Verisk, or similar firms. Industry reporting has suggested the practice is widespread, yet enforcement actions so far have named only GM. That gap leaves drivers unable to determine whether their Ford, Toyota, or Hyundai is transmitting similar data streams unless they individually request disclosure from each data broker.
Even in California, where the settlement is now in force, there is no published count of how many drivers have exercised their right to pull their LexisNexis telematics files. The CFPB’s listing of Telematics OnDemand as a consumer reporting product gives drivers a legal hook, but awareness of that right appears limited. Without sustained public education or automated opt-out tools built into vehicle dashboards, the practical benefit of the settlement may reach only those drivers who already know the system exists.
There are also structural limits on what drivers can change. Many connected-car systems bundle emergency assistance, navigation, remote start, and data collection into a single subscription. Opting out of telematics sharing can sometimes mean losing features that feel essential, especially for drivers who rely on in-vehicle connectivity for roadside help or for managing electric-vehicle charging. If consent is effectively tied to core safety or functionality, the distinction between voluntary data sharing and coerced participation starts to blur.
The hypothesis that states adopting California-style bans will see measurable drops in telematics data flowing to insurance scoring products within 24 months is plausible but unproven. Two metrics could eventually test it: the volume of LexisNexis disclosure requests filed by consumers in affected states, and the number of enforcement actions state attorneys general bring against other automakers. Neither metric has a public baseline yet, which means any decline would be hard to quantify until regulators or researchers establish one.
What drivers should do now
For anyone who owns or leases a connected vehicle, the first practical step is to request a copy of any telematics file associated with their name. Because products like Telematics OnDemand function as consumer reports, drivers can use existing credit-report rights to ask for disclosures and to challenge errors. If a report shows hard-braking events or speeding incidents that do not match a driver’s experience, they can file a dispute and demand corrections before those entries influence insurance pricing.
Drivers should also review their vehicle’s settings and account portals for any toggles related to “driver performance,” “usage-based insurance,” or “sharing with partners.” Turning off optional programs that score driving behavior can reduce the volume of data leaving the car, even if it does not eliminate all telemetry. When in doubt, calling the automaker’s customer-service line and asking directly whether data is shared with insurers or consumer reporting agencies can surface options that are not obvious in the dashboard menus.
Another practical step is to treat connected-car enrollment like signing up for a financial product. That means reading the privacy policy at least once, saving a copy of key terms, and noting any references to data sharing with affiliates or third parties. If the language is vague-promising only to share information with “trusted partners” or “service providers”-drivers can assume that telematics may be used for analytics or risk modeling unless they explicitly opt out.
Finally, drivers who live in states with active privacy or consumer-protection enforcement can monitor their attorney general’s announcements for new cases involving automakers or data brokers. Each public settlement or judgment tends to include specific rights, such as enhanced notice, new opt-out mechanisms, or time-limited bans on certain types of data sales. Knowing when those remedies become available can help drivers act quickly, before insurers or data brokers have fully adjusted their models.
The GM settlements and lawsuits do not end the debate over who controls driving data, but they shift the default assumption. Instead of treating telematics as an unregulated byproduct of modern vehicles, regulators are beginning to frame it as sensitive information subject to bans, consent requirements, and ongoing oversight. Until that framework is fully built out, drivers who take the time to understand and challenge how their data is used will be the ones most likely to avoid surprise insurance hikes tied to trips they never realized were being scored.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.