Millions of GM vehicle owners had their precise driving behavior collected through OnStar and funneled to consumer reporting agencies that feed insurance pricing models, all without clear consent. The Federal Trade Commission issued an order against General Motors to stop the practice, while Texas Attorney General Ken Paxton filed suit against the automaker for the same conduct. For drivers who never realized their car was reporting trip-level data to third parties, the fix sits buried in the vehicle’s infotainment settings.
How GM Driving Data Reached Insurance Pricing Models
The FTC’s complaint, filed as Matter No. 2423052, documented that GM and OnStar collected precise geolocation data and driver behavior records without adequate notice or affirmative express consent. That data was then provided to consumer reporting agencies, which packaged it for insurance-related uses. The result: insurers could see granular details about how fast someone drove, where they went, and how often they braked hard, then factor those signals into premium calculations.
The pipeline worked quietly. Drivers who enrolled in OnStar connected services or used the myChevrolet, myGMC, or myCadillac apps often agreed to broad terms buried in lengthy disclosures. GM treated that click-through as permission to share trip-level telemetry with outside data brokers. The FTC found this fell short of the affirmative express consent the law requires for sensitive location and behavioral information.
A congressional inquiry preceded the FTC’s investigation. Senators had flagged concerns about automaker data practices before the commission opened its probe, according to an Associated Press report. That political pressure helped accelerate the enforcement timeline, turning what had been a murky industry practice into a formal federal case.
For consumers, the most immediate impact was on insurance pricing. Because the telematics feed was routed to consumer reporting agencies, the information could be incorporated into risk scores that carriers use when setting premiums. Drivers who never signed up for a usage-based insurance program nonetheless found themselves effectively scored as if they had, based on data they did not realize their vehicle was transmitting.
Texas AG Lawsuit and the FTC Order Against General Motors
Ken Paxton’s office pursued a parallel track. The Texas Attorney General sued General Motors for unlawfully collecting drivers’ private data and selling it to insurance companies. Paxton also opened a broader investigation into car manufacturers’ collection and sale of driver data, signaling that GM was not the only target on his radar.
Separately, Paxton launched a data privacy and security initiative aimed at protecting Texans’ sensitive information more broadly. The GM enforcement action became a centerpiece of that effort, connecting the automaker’s data sales to a wider pattern of corporate surveillance that state officials wanted to curtail.
The FTC’s proposed order, docketed as C-4828, bars GM from continuing to share driving data with consumer reporting agencies and requires the company to improve how it notifies vehicle owners about data collection. The order represents the first major federal enforcement action against an automaker specifically for selling telematics data to the insurance industry. In addition to prohibiting certain forms of sharing, the order obligates GM to implement more transparent disclosures and obtain affirmative express consent before gathering or transmitting sensitive trip information.
The Texas lawsuit and the FTC order reinforce each other. While the federal case focuses on deceptive and unfair practices under consumer protection law, the state complaint frames GM’s conduct as a violation of Texans’ privacy rights and state data protection statutes. Together, they send a signal that quietly monetizing in-vehicle telemetry without clear, opt-in consent is no longer a tolerable business model.
What GM Drivers Can Do Now
For current GM owners, the controversies highlight the importance of checking connected services settings. Many vehicles allow drivers to disable certain data-sharing features through the infotainment system or mobile apps. Turning off optional connectivity, reviewing privacy settings, and declining enrollment in data-sharing programs can limit how much information leaves the vehicle.
Drivers can also request copies of their data from GM and, where applicable, from the consumer reporting agencies that received telematics information. In some jurisdictions, consumers have the right to dispute or correct records that may have affected their insurance pricing. If a driver suspects their premiums were raised based on undisclosed telematics data, they can ask their insurer what information was used in underwriting and pricing decisions.
A Test Case for Connected-Car Privacy
The GM enforcement actions are likely to shape how other automakers handle connected-car data. Manufacturers have increasingly relied on subscription services and data monetization to generate revenue beyond the initial vehicle sale. The FTC order and the Texas lawsuit draw a clearer line around what regulators view as acceptable when that revenue depends on sensitive, continuous tracking of drivers.
For policymakers, the case underscores the need to modernize privacy rules for vehicles that function as rolling smartphones. Existing laws were not written with always-connected cars in mind, yet those cars now generate some of the most detailed behavioral data available on consumers. How the GM matter is resolved-and whether additional state or federal actions follow-will help determine whether drivers retain meaningful control over where that data goes and how it is used.
