According to the FTC’s complaint and press releases, GM and OnStar collected and sold:
• Precise geolocation data from vehicles, in some cases captured as often as every three seconds (revealing detailed trip routes and locations such as visits to medical facilities).
• Detailed driving‑behavior data from the OnStar Smart Driver feature, including events such as hard braking, hard acceleration, speeding (e.g., over 80 mph), late‑night driving, seat‑belt‑use indicators, and other trip and vehicle information (such as VIN), which was then shared or sold to third parties including consumer reporting agencies for insurance‑related uses.
OnStar is General Motors’ connected‑services and telematics brand, operated by OnStar LLC, a GM‑owned company. It provides in‑vehicle safety, security, emergency, navigation, and other connectivity services that are offered in GM vehicles under the “OnStar” name. In the FTC case, OnStar and its Smart Driver feature were the systems through which GM collected and shared drivers’ location and behavior data.
In FTC practice, “affirmative express consent” (often shortened to “affirmative consent”) means a consumer must be given clear, prominent, and specific information about what data will be collected, how it will be used and shared, and then must take a clear, opt‑in action agreeing to it (such as actively ticking an unchecked box or clicking a clearly labeled consent button). Consent cannot be inferred from silence, pre‑checked boxes, or buried disclosures. The GM/OnStar order requires this standard before collecting, using, or sharing connected‑vehicle data, with limited exceptions (e.g., emergency location for first responders).
The finalized FTC order against GM and OnStar (which mirrors the earlier proposed order) requires them to:
• Stop certain data sharing: They are banned for five years from disclosing consumers’ geolocation and driving‑behavior data to consumer reporting agencies.
• Obtain affirmative express consent: For the 20‑year term of the order, they must get consumers’ affirmative express consent before collecting, using, or sharing connected‑vehicle data (including with consumer reporting agencies), with narrow exceptions such as providing location data to emergency first responders.
• Improve transparency and accuracy: They are prohibited from misrepresenting how they collect, use, or share drivers’ location and behavior data.
• Give consumers access and deletion rights: They must create a mechanism for all U.S. consumers to request a copy of their connected‑vehicle data and to seek its deletion.
• Allow limits on data collection: Where the vehicle’s technology allows, they must let consumers disable collection of precise geolocation data and must provide a way to opt out of collection of geolocation and driver‑behavior data (subject to limited exceptions).
These requirements are in force for 20 years (with the five‑year ban on sharing with consumer reporting agencies applying within that period).
The public FTC materials describing the proposed and final order do not mention any civil penalty, fine, or consumer‑refund program as part of this settlement. Instead, the relief is injunctive and behavioral (bans, consent requirements, access/deletion rights, and other restrictions). The FTC notes that future violations of the final order could carry civil penalties per violation, but those are not part of the settlement itself.
The FTC alleges the practices affected data from “millions of vehicles” and “millions of drivers,” but the publicly available complaint and press releases do not give a more precise number of vehicles or consumers. So only “millions” is known from the record at this time.
No. As is typical in FTC administrative consent orders, GM and OnStar settle the case without admitting the law violations alleged in the complaint. The Federal Register analysis and the press releases describe the order as a consent agreement resolving allegations; they do not state that GM or OnStar admitted wrongdoing.
The order itself does not set up an individual lookup tool to see whether a particular customer’s data was sold. However, it requires GM/OnStar to:
• Create a process for all U.S. consumers to request a copy of their connected‑vehicle data and to seek its deletion; and
• Provide ways for consumers to disable precise geolocation collection (if the vehicle supports it) and to opt out of collection of geolocation and driver‑behavior data going forward, subject to limited exceptions.
Practically, current or past GM/OnStar customers would need to use the access/deletion and opt‑out mechanisms that GM and OnStar are required to implement (for example, through their account portals or customer‑service channels) to see what data is held about them and to limit future collection.