The FTC finalized its order against GM and OnStar on January 14, 2026, and the agency didn't mince words. It called GM's data practices an "egregious betrayal of consumers' trust." That phrase matters. The FTC uses language like that when it wants to send a message beyond the company in front of it.
If your product collects location data, behavioral signals, or any information that could end up with a data broker, this settlement is your new compliance baseline. The order imposes a 20-year consent framework and mandatory data deletion. This isn't a slap on the wrist. It's a structural overhaul that every connected device company should study.
What GM Actually Did
GM's OnStar service and Smart Driver feature collected precise geolocation and driving behavior data from millions of vehicles. Sometimes as often as every three seconds. The problem wasn't just the collection. It was what happened next.
GM sold this data to LexisNexis Risk Solutions and Verisk, two major consumer reporting agencies. Those companies repackaged the driving data and sold it to auto insurers, who used it to set rates and, in some cases, deny coverage entirely. One driver, Temeika Clay, saw her insurance premium jump 80% after GM shared 603 entries of her driving data from her Chevy Camaro.
The FTC alleged that GM used a misleading enrollment process. Consumers who thought they were signing up for navigation services or vehicle diagnostics didn't understand they were also consenting to surveillance-level data collection and sale. The disclosure technically existed. But it was buried, unclear, and failed to convey what would actually happen with the data.
GM discontinued the Smart Driver program in April 2024 after a New York Times investigation exposed the data sales. But the FTC still brought the hammer down.
The Order's Key Provisions
The final order has teeth. Here's what it requires:
Five-Year Data Sharing Ban: GM cannot disclose geolocation or driver behavior data to consumer reporting agencies for five years, except in limited circumstances like providing location to emergency responders.
20-Year Consent Requirement: For the next two decades, GM must obtain "affirmative express consent" before collecting, using, or sharing connected vehicle data. This isn't a passive checkbox. It requires clear disclosure of what data is collected, why, who gets it, and how to withdraw consent.
Mandatory Deletion: GM must delete or destroy all previously collected driver data, except where legally required to retain it for law enforcement purposes.
Consumer Rights Infrastructure: GM must create a mechanism for all U.S. consumers to request a copy of their data and request its deletion. Consumers must also be able to disable geolocation collection entirely if their vehicle has the necessary technology.
Why This Matters Beyond Automakers
This is the FTC's first enforcement action on connected vehicle data. But the principles apply far beyond cars.
The core violation was collecting sensitive data through a consent process that consumers didn't actually understand, then selling it in ways they never anticipated. That pattern exists across the connected device landscape: fitness trackers, smart home devices, mobile apps with location permissions, fleet management software, workplace monitoring tools.
The FTC has made clear that geolocation data paired with a persistent identifier, like a device ID, is sensitive personal data. Period. Even if you're not attaching a name to it.
The agency is also focused on what we'd call "downstream surprise." Your privacy policy might technically disclose that you share data with "third-party partners." But if a reasonable consumer wouldn't expect their driving data to show up in an insurance underwriting decision, you have a problem.
The Affirmative Express Consent Standard
The GM order crystallizes what the FTC means by affirmative express consent. Based on this and prior settlements like the InMarket case, here's the framework:
Before collecting sensitive data, you must clearly disclose:
1. The categories of data being collected
2. The purposes for collection, use, and disclosure
3. Who receives the data (with a simple, descriptive link to the full list)
4. How the consumer can withdraw consent
This isn't optional disclosure. It must be prominent, clear, and understandable. If your users need a law degree to figure out what they're agreeing to, you've failed the test.
The Dark Patterns Connection
The GM case also connects to the FTC's broader crackdown on dark patterns. The agency found that GM's enrollment flow was designed in a way that obscured the true nature of data collection.
This tracks with a larger enforcement trend. In September 2025, the FTC secured a $2.5 billion settlement against Amazon for using dark patterns to enroll consumers in Prime and making cancellation unreasonably difficult. Seventy-six percent of online services reviewed by international regulators use at least one dark pattern.
If your consent flow buries the opt-out, makes accepting the default easier than declining, or uses confusing language, you're in the crosshairs.
The Board Meeting Question
If you're raising capital or preparing for acquisition due diligence, expect questions on this. Investors and acquirers are going to ask:
"Do you collect geolocation or behavioral data? If so, how do you obtain consent, and who do you share it with?"
Your answers matter for valuation. A company with clean data practices and demonstrable consent mechanisms is a safer bet than one with legacy collection flows that could trigger FTC scrutiny. We've seen diligence teams flag data practices as material risks in term sheets. Expect that trend to accelerate.
And if your data ends up with a consumer reporting agency, whether directly or through a reseller, you may also trigger Fair Credit Reporting Act obligations you haven't accounted for.
What About Other Automakers?
GM isn't alone in collecting connected vehicle data. Ford shares driving patterns with insurers through FordPass. Toyota has an affiliate, Connected Analytic Services, that operates as a consumer reporting agency and partners with Allstate-owned Arity. Tesla's privacy policy warns that opting out of data sharing could make your car "inoperable."
The FTC is watching. State attorneys general are too. California fined Honda $632,500 for inadequate data rights processes, and the state's privacy agency is running a Data Broker Enforcement Strike Force that just issued new penalties on January 8, 2026.
If you're selling to or partnering with automakers, their data practices become your problem.
Practical Takeaways
Audit your data flows this month. Map every source of location or behavioral data collection, identify all downstream recipients, and document the consent mechanism for each.
Review your consent UX for dark patterns. Is opt-out as easy as opt-in? Is the disclosure clear enough that a reasonable consumer would understand what they're agreeing to? If not, redesign it.
Check if any of your data recipients are consumer reporting agencies. This includes companies like LexisNexis, Verisk, and Arity. If so, you may have FCRA obligations and should assess whether your data sharing agreements are compliant.
Implement a deletion mechanism now. The GM order requires a consumer-facing deletion process. California, Colorado, and other states already mandate similar rights. Build the infrastructure before you need it.
Create an opt-out for geolocation. If your product can technically function without location data, offer consumers the choice to disable it. The FTC expects this.
Brief your board on data monetization risks. If you're selling or sharing data with third parties, frame it as a liability conversation, not just a revenue conversation. The GM order shows how quickly the economics can flip.
Review data broker registration requirements. California requires data brokers to register by January 31 each year and pay a $6,600 annual fee. The DELETE Act (SB 362) adds deletion obligations starting August 2026. If you're handling California consumer data and meet the data broker definition, get compliant.
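The audit steps above (map each flow, identify downstream recipients, document the consent mechanism, check for consumer reporting agency recipients, geolocation opt-out and a deletion path) can be encoded as a check over a data map, together with the four disclosure elements from the affirmative express consent section. The following Python is an added example, not code from the original article or from GM, OnStar or the FTC; the flows, recipients and consent records are constructed sample input, and treating the companies named in the article as a consumer reporting agency watch-list is an assumption made for the example.

```python
"""Data-flow and consent audit modelled on the FTC's affirmative express consent
framework. Added example: all flows, recipients and consent records below are
constructed sample data, not GM's or the FTC's."""
from __future__ import annotations

from dataclasses import dataclass

# Categories the FTC treats as sensitive when tied to a persistent identifier.
SENSITIVE_CATEGORIES = {"precise_geolocation", "driving_behavior"}

# Assumption: the companies the article names, used here as a CRA watch-list.
CONSUMER_REPORTING_AGENCIES = {"LexisNexis Risk Solutions", "Verisk", "Arity"}


@dataclass
class ConsentRecord:
    """What the consumer was shown and did at enrollment."""
    categories: set[str]     # data categories disclosed
    purposes: set[str]       # purposes for collection, use and disclosure
    recipients: set[str]     # who receives the data
    withdrawal_method: str   # how to withdraw consent ("" if there is no way)
    affirmative: bool        # a positive user action, not a pre-checked default
    prominent: bool          # shown up front, not buried in a policy document


@dataclass
class DataFlow:
    """One collection-and-sharing path in the product's data map."""
    name: str
    categories: set[str]
    recipients: set[str]
    consent: ConsentRecord | None
    geolocation_opt_out: bool = False  # can the consumer disable location collection?
    deletion_mechanism: bool = False   # can the consumer request deletion of this data?


def audit_flow(flow: DataFlow) -> list[str]:
    """Return findings for one flow; an empty list means the flow is clean."""
    findings: list[str] = []
    c = flow.consent
    if c is None:
        findings.append("no consent record for this flow")
    else:
        if not c.affirmative:
            findings.append("consent is not affirmative (default or pre-checked)")
        if not c.prominent:
            findings.append("disclosure is not prominent")
        undisclosed = flow.categories - c.categories
        if undisclosed:
            findings.append(f"collected categories not disclosed: {sorted(undisclosed)}")
        if not c.purposes:
            findings.append("no purposes disclosed")
        surprise = flow.recipients - c.recipients  # "downstream surprise" check
        if surprise:
            findings.append(f"downstream surprise, recipients not disclosed: {sorted(surprise)}")
        if not c.withdrawal_method:
            findings.append("no way to withdraw consent")
    cra = flow.recipients & CONSUMER_REPORTING_AGENCIES
    if flow.categories & SENSITIVE_CATEGORIES and cra:
        findings.append(f"sensitive data shared with consumer reporting agency {sorted(cra)} (FCRA exposure)")
    if "precise_geolocation" in flow.categories and not flow.geolocation_opt_out:
        findings.append("no opt-out for geolocation collection")
    if not flow.deletion_mechanism:
        findings.append("no consumer deletion mechanism")
    return findings


def audit(flows: list[DataFlow]) -> dict[str, list[str]]:
    """Audit every flow in the data map, keyed by flow name."""
    return {f.name: audit_flow(f) for f in flows}


# Constructed sample map: one flow shaped like the enrollment pattern the article
# describes, one flow with the consent infrastructure in place.
SAMPLE_FLOWS = [
    DataFlow("driver-scoring", {"precise_geolocation", "driving_behavior"},
             {"LexisNexis Risk Solutions", "Verisk"},
             ConsentRecord(categories={"vehicle_diagnostics"}, purposes={"navigation", "diagnostics"},
                           recipients={"third-party partners"}, withdrawal_method="",
                           affirmative=False, prominent=False)),
    DataFlow("roadside-assistance", {"precise_geolocation"}, {"emergency responders"},
             ConsentRecord(categories={"precise_geolocation"}, purposes={"emergency response"},
                           recipients={"emergency responders"},
                           withdrawal_method="Settings > Privacy > Location",
                           affirmative=True, prominent=True),
             geolocation_opt_out=True, deletion_mechanism=True),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_FLOWS).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it against your own data map rather than the sample: the useful output is the set-difference findings (categories collected but not disclosed, recipients the consumer was never told about), since those are the gaps the order treats as a betrayal of the consumer's understanding, not the presence of a policy link.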
What We're Watching
Other automaker investigations. The FTC rarely stops at one company when an industry practice is widespread. Ford, Toyota, and Tesla all use similar data collection methods.
FTC commercial surveillance rulemaking. The agency has been developing broader rules on data collection for years. The GM order signals how aggressive final rules might be.
State AG parallel actions. California, Texas, and other states with active privacy enforcement may bring their own cases, potentially with different remedies.
Insurance industry response. Insurers have relied on driving data for risk assessment. Losing access to this data could reshape how they underwrite policies and create pressure for new, compliant data sources.
The Path Forward
The GM settlement isn't the end of connected device data collection. It's a recalibration. Companies that build consent infrastructure now, before enforcement catches up, will have a competitive advantage. Those that don't will face the choice GM faced: discontinue the program or face structural remedies.
The FTC has made its expectations clear. The question is whether you're going to meet them proactively or wait for a complaint.