Own A GM Car? This Is What Personal Data The Company May Have Sold Without Your Consent

In January 2025, the Federal Trade Commission (FTC) dropped a bombshell of an order when it announced that it was taking action against one of America's largest automakers, General Motors (GM), for data privacy violations. The commission proposed an order that would effectively bar GM from sharing customer-centric data with consumer reporting companies like LexisNexis and Verisk for the next five years. The FTC action came after it was revealed that GM was sharing alarming bits of data — including customers' precise location as well as their driving behavior — to consumer reporting companies without explicit consent from its users.

The FTC order was a result of an NYT exposé' from early 2024 that laid bare some of the shady practices auto companies adopted to collect consumer-centric data and sell them to data brokers. The data sold to these companies included customer's driving patterns, how often they drove at night, and their speeding history. All this information ended up in the hands of insurance companies, who then updated the risk profiles of the "affected" consumers, some of whom would notice an unexplained increase in their insurance premiums.

After the FTC got wind of these violations, they launched an investigation into the practice, at the end of which the commission gathered enough material to allege that GM misled users into enrolling in its OnStar connected vehicle service and Smart Driver feature. These services were promoted to users as a tool to give insights into their driving patterns, earn achievement points, and promote safe driving habits. However, the FTC alleges that GM never disclosed to users that their location and driving behavior data would also be sold to 3rd parties.

Neither the FTC nor GM has issued a list of vehicles that are affected by GM's shady data collection exercise. However, given that the company introduced the Smart Driver feature in 2016 across multiple GM-owned brands, including Chevrolet, GMC, Cadillac, and Buick, the number isn't likely small.

According to law firm Motley Rice, an estimated 8 million GM vehicles may have been affected. It's important to understand that not every GM vehicle was automatically enrolled. The Smart Driver feature was available only to users who signed up for the OnStar service and opted into the program. Those who didn't sign up for OnStar — and for good reason, as we've explained here — may have narrowly escaped having their driving habits and location data quietly harvested and shared by GM.

Following the NYT report and the subsequent uproar, GM responded swiftly by terminating the now controversial "Smart Driver" program. With media attention also turning to third-party telematics companies like LexisNexis and Verisk, GM terminated agreements with them, with all forms of data sharing ending on March 20, 2024. The company also claimed they are working on offering greater transparency with their privacy policies. In addition to these moves, GM also hired a new Chief Trust and Privacy Officer on April 29, 2024.

Meanwhile, if you happen to be a GM vehicle owner wanting to check if you were among the users whose data was collected and shared, you can demand a Consumer Disclosure Report from companies like LexisNexis and Verisk. These companies are bound by the Fair Credit Reporting Act and are liable to provide the same to consumers.

It's been well over six months since the FTC's proposed order against GM was released to the public. The FTC's analysis of its own order revealed that the proposed order would be placed on the public record for a month to receive comments from members of the public. Following this process, the commission will review the comments and then decide whether to give the proposed order some finality. With the FTC maintaining a stoic silence on the current fate of its order against GM, with almost half a year passing, it is unclear as to what eventually became of the order.

If GM's proposed order is passed without modifications, it would mean that GM, as well as OnStar, would be banned from disclosing consumer data to reporting agencies for 5 years. The company will also be asked to clearly and explicitly inform customers how their data is collected and used. The order also proposes that all consumers shall have the right to obtain details of the data collected by GM while also having the power to seek the deletion of their data. The order also aims to give consumers greater control over data collection, including the ability to limit access to their geolocation.

Ironically, GM has already taken some of the steps that the FTC order proposes. As outlined earlier, the company's controversial Smart Driver program has been axed, and its association with the consumer reporting companies has ended even before the FTC's proposed 5-year ban comes into force.

Nevertheless, it's alarming to see how GM is merely the latest addition to a growing list of automakers turning modern vehicles into privacy nightmares on wheels.