You never signed up for a driving monitor. You never plugged a tracking device into your OBD port or downloaded a telematics app promising a discount. But if you drive a 2015-or-newer connected vehicle, your car may have been recording every hard brake, every late-night errand, every five-over-the-limit stretch of highway, and transmitting that data to the automaker’s servers. From there, it can land in the hands of a data broker who packages it into a score and sells it to your insurance company.
That is not speculation. Two major enforcement actions, one federal and one in Texas, have confirmed the pipeline is real, active, and shaping what millions of Americans pay for auto coverage.
A Florida driver’s wake-up call
When Tampa-area driver Ken Dahl checked his LexisNexis consumer disclosure report in 2024, he found pages of trip-level data pulled from his GM vehicle: timestamps, distances, hard-braking counts, and rapid-acceleration events. Dahl had never enrolled in a telematics discount program. He told The New York Times he believed the data contributed to a roughly 21 percent increase in his insurance premium at renewal. His experience matches the pattern regulators have since described in court filings: data collected without meaningful consent, packaged into risk scores, and sold to insurers who use those scores to adjust what drivers pay.
Two enforcement cases that proved the pipeline exists
In January 2025, the Federal Trade Commission took action against General Motors and its OnStar division for collecting granular driving behavior data, including hard braking, speeding, and precise GPS coordinates, and selling it to consumer reporting agencies without obtaining meaningful consent. The FTC’s five commissioners voted unanimously to issue the complaint. According to the agency, those consumer reporting agencies then packaged the data into reports that insurers used to adjust premiums. Under the proposed consent order, GM and OnStar are banned from selling geolocation and driving behavior data for five years and must give consumers clear options to delete their information.
A separate case targets the broker side of the transaction. In January 2024, Texas Attorney General Ken Paxton sued Allstate and its subsidiary Arity, alleging the companies collected driving, location, and movement data from more than 45 million Americans through mobile apps and connected-vehicle integrations without proper authorization. According to the complaint, Arity scored drivers based on their behavior and marketed those scores to insurers and other buyers. That lawsuit remains active as of June 2026.
Read the two filings side by side and a complete supply chain comes into focus: your car’s onboard sensors feed data to an automaker, the automaker passes it to a broker, the broker scores you, and an insurer uses that score when setting your rate. Neither case has reached a final judicial determination as of June 2026, but the allegations are detailed, specific, and backed by internal records cited in both complaints.
This is not the telematics program you opted into
Plenty of drivers already participate in voluntary usage-based insurance programs like Progressive Snapshot, Allstate Drivewise, or State Farm Drive Safe & Save. Those programs are upfront about the deal: you plug in a device or download an app, share your driving habits, and potentially earn a discount.
What the GM and Arity cases describe is fundamentally different. Regulators allege that data was harvested from vehicles and apps without drivers understanding it would be sold to third parties or used in insurance underwriting. A driver who never enrolled in a telematics discount program could still have their braking patterns scored and sold to the company setting their premium. The consent that regulators say was missing is the entire distinction.
“Exposed driving data is being weaponized against consumers,” said Justin Brookman, director of technology policy at Consumer Reports, in a public statement urging automakers to make opt-out controls easier to find and more transparent about what they actually disable.
What automakers have acknowledged in writing
In February 2024, automakers including GM, Toyota, Ford, Honda, Hyundai, and Stellantis responded to a privacy inquiry from U.S. Senator Edward Markey. Their written responses confirmed that connected vehicles routinely log speed, braking behavior, and precise GPS coordinates. Several of those manufacturers acknowledged that owners can limit data sharing through in-vehicle privacy settings or by disabling connectivity features entirely.
Those letters are the clearest on-the-record admissions that privacy controls exist and that drivers can act on them, if they know where to look. But the responses were voluntary, not the product of a subpoena. They describe privacy controls in broad terms without listing every commercial partner that receives data or specifying exactly which data flows each toggle controls.
Which brands and vehicles are affected
GM is the only automaker named in a federal enforcement action so far, making it the most documented offender. However, the Markey inquiry responses show that connected-vehicle data collection is an industry-wide practice, not a single-manufacturer problem. Any vehicle with an embedded cellular modem, a feature that has become standard in most new cars from GM, Ford, Toyota, Honda, Hyundai, Stellantis, and others since roughly the 2015 model year, has the technical ability to transmit driving behavior to the automaker’s servers.
This applies to used cars as well as new ones. A 2018 Chevrolet Equinox purchased secondhand still carries the same OnStar hardware and software as it did on the dealer lot. Unless the second owner actively reviews and adjusts the vehicle’s privacy settings, data sharing may continue under whatever permissions the original owner accepted. Buyers of used connected vehicles should treat the privacy settings as a first-day checklist item, just like checking the tire pressure or updating the registration.
How to find and use your vehicle’s privacy settings
The opt-out controls are real, but they come with caveats. Based on the automaker disclosures to Senator Markey and manufacturer support pages, here is what drivers can do:
- Check the infotainment system. Most connected vehicles from GM, Ford, Toyota, Hyundai, and other major brands have a “Connected Services,” “Privacy,” or “Data Sharing” menu buried in the settings screen. Look for toggles labeled “vehicle data sharing,” “location sharing,” or “driving behavior.” The exact wording varies by brand and model year.
- Review the companion app. Many automakers offer separate data-sharing controls through their smartphone apps (myChevrolet, FordPass, Toyota Connected Services, and others). Permissions you granted during app setup may need to be revoked independently from in-vehicle settings.
- Call the automaker directly. Some manufacturers require a phone call to fully opt out. GM’s OnStar, for example, has historically required owners to contact a representative to cancel certain data-sharing features. If you cannot find a toggle in the car or the app, a call to the connected-services hotline is the fallback.
- Understand what you lose. Disabling connected services may also turn off automatic crash notification, stolen-vehicle tracking, remote start, and real-time traffic updates. That is a real trade-off, and each driver has to weigh privacy against safety and convenience for their own situation.
One important caveat: no independent audit has verified that toggling these settings fully stops all third-party data flows. Opting out is the best available step, but until automakers or regulators publish detailed technical disclosures, it is not a guaranteed shield.
The questions regulators still have not answered
Several significant gaps remain. As of this writing, no insurer has publicly detailed how it weights purchased telematics data inside its rate-setting algorithms. The FTC and Texas AG describe the end result, higher premiums or coverage changes, but the internal math that converts a hard-braking event into a dollar figure on your renewal notice is still opaque.
The scope of the problem beyond GM, Allstate, and Arity is also unclear. The FTC case names one automaker; the Texas lawsuit names one broker and its parent insurer. Senator Markey’s inquiry went to multiple manufacturers, which suggests the practice extends further, but no additional enforcement actions have been announced as of June 2026.
Federal privacy legislation that would set uniform rules for connected-vehicle data has been discussed in Congress but has not advanced to a vote. Until it does, enforcement will continue to happen case by case, state by state.
How to check whether your data has already been sold
If your vehicle has an active cellular connection, it has the technical ability to share your driving behavior with third parties. That is not a hypothetical; the enforcement record proves the pipeline exists, and the automakers’ own letters confirm that opt-out controls are available. Start by requesting your consumer disclosure report from LexisNexis, the agency named most often in connection with vehicle telematics data. If driving data appears on that report and you never consented to share it, you have grounds to dispute it under the Fair Credit Reporting Act. Then open your infotainment settings, check the companion app, and call the hotline if you have to. The controls may not be perfect, but they are the only lever drivers have until regulators or lawmakers close the gaps that let this data market operate in the first place.
