Your Car Is a Surveillance Device: The GM OnStar Data Scandal

General Motors In January 2025, the Federal Trade Commission (FTC) banned General Motors from selling driver location and behavior data to data brokers for five years. Not because GM decided to respect privacy. Because they got caught. What GM Was Doing GM's OnStar service—marketed as a "safety feature"—was collecting and selling: Precise geolocation data (every 3 seconds) Driving behavior (speeding, hard braking, acceleration) Trip history (where you went, when, how long you stayed) Engine diagnostics (how you treat your vehicle) This data was sold to: LexisNexis — A data broker that compiles "consumer risk profiles" Verisk — An insurance analytics company Other third-party data brokers The "Consent" Problem GM claimed users consented through the terms of service. The FTC disagreed: Buried disclosures — Data sharing terms were hidden in lengthy privacy policies Confusing opt-in flows — Users thought they were enabling safety features, not surveillance No clear opt-out — Disabling data collection required navigating complex menus Continued collection after "opt-out" — Some data was still transmitted The FTC found that GM failed to obtain affirmative informed consent before selling driver data. The "Smart Driver" Trap GM's "Smart Driver" program was particularly insidious: Marketed as a discount program — "Drive safely and save on insurance!" Actually a data harvest — Every trip uploaded to GM's servers Shared without clear disclosure — Data sold to insurance analytics firms Used to raise premiums — Insurers could increase rates based on collected data GM discontinued Smart Driver in April 2024—after the investigation began. What the FTC Settlement Requires The settlement bans GM and OnStar from: Selling geolocation and driving behavior data to consumer reporting agencies (5 years) Failing to obtain explicit consent before collecting connected vehicle data Misrepresenting data collection practices GM must also: Allow customers to access and delete their data Provide mechanisms to disable geolocation and behavior tracking Implement a full privacy program The Bigger Picture GM isn't alone. The entire automotive industry treats your car as a data collection device: Tesla — Cameras record interior and exterior, fleet data shared Ford — Patents for in-car advertising based on driving patterns Toyota — Connected services collect trip and diagnostic data Every modern car — Cellular uplinks transmit data to manufacturers A 2023 Mozilla study found that 25 car brands (100% of those studied) collected more data than necessary, and only 2 allowed users to delete their data. Defense Protocol Read the connected services agreement before activating any features Decline "Smart Driver" or similar programs — The discount isn't worth the surveillance Disable cellular connectivity if possible (may void warranty or disable features) Check settings regularly — Manufacturers add data collection in OTA updates Consider an older vehicle — Pre-2015 cars have fewer connected features Your car knows where you live, where you work, where you worship, and who you visit. And until the FTC stepped in, GM was selling that information to anyone willing to pay.