Are Your Driving Habits and Location for Sale? GM Says Yes, FTC Says No

The Federal Trade Commission (FTC) has initiated enforcement actions against General Motors (GM) and its subsidiary OnStar for unauthorized and misleading practices involving the collection and sale of sensitive driver data. The investigation uncovered that GM systematically collected precise geolocation and driving behavior data from millions of vehicles without obtaining explicit consent from consumers. This data was subsequently sold to third-party organizations, raising significant privacy and cybersecurity concerns.

This regulatory intervention underscores the critical need for transparency and consumer protection in the rapidly evolving landscape of connected automotive technologies.


Key Findings

  1. Unauthorized Data Collection:
    • GM and OnStar collected geolocation data at three-second intervals, along with detailed driving behaviors such as acceleration, braking, and speeding. This was done without obtaining prior consumer consent, violating privacy expectations.
  2. Misleading Practices:
    • OnStar’s “Smart Driver” feature was marketed as a tool to help drivers assess and improve their habits. However, the FTC revealed it was primarily a mechanism to collect and monetize driver data.
    • GM’s privacy disclosures failed to adequately inform consumers about how their data was being collected, shared, or sold, creating a false sense of security among vehicle owners.
  3. Data Monetization:
    • The data collected was sold to consumer reporting agencies, including Verisk, LexisNexis, and Jacobs Engineering. These entities used the data to adjust insurance rates or deny coverage outright, impacting consumers financially and undermining trust in GM’s services.

FTC’s Proposed Settlement

To address these violations, the FTC has proposed a settlement that includes the following key provisions:

  1. Data Sharing Ban:
    • GM and OnStar are prohibited from sharing geolocation and driving behavior data with consumer reporting agencies for five years.
  2. Mandatory Consumer Consent:
    • The settlement requires GM to obtain explicit consumer consent before collecting or selling their data.
  3. Data Deletion Requirements:
    • Previously retained consumer data must be deleted unless consumers explicitly opt in to its retention and use.
  4. Enhanced Consumer Controls:
    • Drivers must be provided with clear and accessible tools to view, manage, and delete their personal data, as well as options to disable data collection entirely.
  5. Transparency and Disclosure Improvements:
    • GM must provide comprehensive and plain-language disclosures about the types of data collected, its purpose, and how it will be used.
  6. Civil Penalties:
    • Although no immediate fines were levied, the FTC has set a potential penalty of $51,744 per violation. GM and OnStar have been given 180 days to comply with the settlement.

Broader Implications for the Automotive and Cybersecurity Communities

This enforcement action highlights growing concerns over data privacy and security within the automotive sector. The increasing integration of connected technologies in vehicles has created new avenues for data collection, often outpacing regulatory frameworks and consumer awareness.

  1. Regulatory Shift in Data Practices:
    • The FTC’s intervention signals a more aggressive stance on holding companies accountable for mishandling consumer data. It also sets a precedent for stricter oversight in the automotive industry, where privacy considerations are becoming as critical as physical safety features.
  2. Implications for Cybersecurity:
    • The sale of sensitive driver data to third parties increases the risk of cyberattacks and misuse. Data brokers and other entities handling such information could become targets for hackers, potentially compromising personal and financial information on a massive scale.
  3. Corporate Accountability:
    • This case serves as a reminder for corporations to prioritize consumer trust by implementing robust cybersecurity measures and transparent data governance policies. Non-compliance with emerging regulations could result in hefty fines and reputational damage.

Similar Cases and Industry Context

The GM case is not isolated. Similar concerns have arisen across the automotive and technology sectors:

  • Allstate Lawsuit: The Texas Attorney General recently sued Allstate and its subsidiary Arity for collecting and selling driving data from over 45 million Americans without consent.
  • Global Scrutiny: Automotive giants such as Toyota, Chrysler, and Mazda have faced allegations of engaging in unauthorized data collection practices, intensifying calls for uniform privacy standards across industries.

These developments highlight the pressing need for cohesive data privacy legislation that holds corporations accountable for protecting consumer information.


Looking Ahead

The FTC’s action against GM and OnStar may serve as a watershed moment, prompting automakers and tech companies to reevaluate their data collection practices. For cybersecurity professionals, it emphasizes the importance of implementing systems that not only secure data but also respect consumer rights.

As the automotive industry continues to innovate, the balance between technological advancement and privacy protection will remain a central challenge. Governments, corporations, and cybersecurity experts must collaborate to ensure that consumer trust is not eroded in the pursuit of profit.