In the Federal Trade Commission’s (“FTC”) first action related to connected vehicle data, the agency announced that it reached a settlement with General Motors (“GM”) over GM’s unauthorized collection, use, and sale of driver data to third parties. The FTC’s complaint alleged that the company employed its tracking technology, OnStar Smart Driver, to collect data about millions of drivers’ habits, behavior, and sensitive location data without their consent.
The complaint came after the FTC’s comments in May 2024 that it would begin more closely monitoring business practices related to “connected cars.” In those comments, it emphasized the need for companies to avoid harming consumers, if not by abstaining from collection, then by implementing appropriate safeguards. The FTC, citing other recent enforcement actions, noted that:
- geolocation is sensitive data;
- surreptitious disclosure of sensitive information may be considered an unfair trade practice; and
- companies that collect sensitive data and use it for automated decision making may be breaking the law.
Echoing its concerns from last year, the FTC’s complaint against GM highlighted the ubiquitous nature of motor vehicles in daily life and the “always-on” connectivity that provides convenience to consumers but also poses risks to their privacy.
It further alleged that when purchasing a car at a GM-authorized dealership, consumers were prompted to sign up for GM’s OnStar service and, thereafter, for the Smart Driver connected vehicle service. The FTC stated that GM’s disclosures and consent mechanisms with respect to data sharing did not inform consumers of the invasive nature of the data collected by GM about them. GM additionally did not give consumers the option to opt in to certain features separately from other features, and it led consumers to believe that they would lose functionality of all services if they did not consent to OnStar’s terms.
The FTC also stressed GM’s unauthorized sharing and selling of consumer information without informed consent. With respect to consumers’ precise geolocation data, which GM allegedly collected every three seconds, the FTC noted that such data was almost immediately transferred to third parties for data monetization purposes after entering GM’s storage systems — and GM approved sublicenses with respect to the data it licensed first-hand. During the relevant period, GM’s privacy statement contained no meaningful disclosure to consumers about how their data was shared with and sold to third parties.
With respect to the behavioral data that GM collected through its OnStar Smart Driver service (including hard acceleration, hard braking, speeding over 80 mph, VIN number, and indication of seat belt usage), GM furnished and sold the data to consumer reporting agencies for insurance purposes. Not only were consumers unaware of the potential disclosure and negative financial consequences of GM sharing their behavioral data with consumer reporting agencies, but GM also gave them false assurances that such data was only being used to support their own assessment of their driving habits. For example, GM’s communications to consumers indicated that it collected consumers’ data “in order to provide [them] with [their] driving activity information” and communicated that collection was “not intended as an assessment of [their] compliance with driving laws or guidelines.”
Among other things, the FTC’s settlement with GM bans it from sharing sensitive and behavioral driver data with consumer reporting agencies for the next five years. It also limits GM’s ability to collect, use, or disclose such data absent affirmative and express consumer consent; requires deletion of previously collected data absent consumer consent; and requires GM to request that its sharing partners delete data it furnished to them and to direct them against further sharing.
The FTC’s case against GM outlines another area where the FTC will likely be more active in the coming years and highlights the importance of informed consent and consideration of consumer expectations regarding data use.