GM Tied Your Emergency Rescue Button to a Data Sale You Never Agreed To
A finalized FTC order and California's record privacy penalty confirm how OnStar's safety pitch let insurers weaponize your own driving habits into higher premiums
For years, millions of drivers enrolled in OnStar, believing they were buying an emergency lifeline: a button that calls an ambulance if you crash in the middle of nowhere. What they actually got was a location tracker pinging their coordinates every three seconds and a behavioral profile, sold without their knowledge, to the data brokers that feed into auto insurance pricing. Those brokers turned ordinary driving habits (hard brakes, speeding, late-night trips) into risk scores, and insurers used those scores to raise premiums, deny coverage, or cancel policies outright, often without the driver ever learning why their bill went up. A finalized FTC order and a record California settlement now confirm, in regulators’ own words, exactly how that happened, and exactly how little it cost General Motors.
THREE THINGS YOU NEED TO KNOW
The “safety feature” was the product. GM’s enrollment screen sold OnStar Smart Driver as a tool to help you drive more safely, while quietly selling your data to outside companies.
The data went to two specific brokers, who built it into insurance risk scores. GM sold your driving data to LexisNexis Risk Solutions and Verisk Analytics, who packaged it into risk scores that insurers used to increase what drivers paid.
The federal penalty has no dollar amount attached. When the FTC finalized its order against GM and OnStar in January 2026, it banned the companies from selling this data for five years. There is no fine.
“This fencing-in relief is appropriate given GM’s egregious betrayal of consumers’ trust.” — Federal Trade Commission
The Pitch Versus the Practice
OnStar has spent decades building trust on a single promise: if something goes wrong on the road, someone is watching out for you. That promise is why the discovery beneath OnStar Smart Driver came across as a genuine betrayal rather than a technicality.
According to the FTC’s complaint, the enrollment process was confusing and misleading, often happening during the vehicle purchase experience itself, with the pitch framed entirely around helping drivers assess their own habits. Some consumers did not realize they had been enrolled at all. GM later expanded what it collected to include precise geolocation data without giving customers any notice.
The company discontinued Smart Driver across all its brands in April 2024, after a New York Times investigation brought the practice into public view, two years before the FTC’s order became final.
But GM shutting down one program didn’t close the underlying gap. The same year GM pulled Smart Driver, California opened a sweeping investigation into how connected vehicles across the entire industry handle driver data, and that investigation has since produced penalties against Honda and Ford for similar conduct and remains active today.
This is Coercive Capitalism, Not Just a Privacy Violation
Most privacy failures get filed under “didn’t read the fine print.” This one deserves a different name.
Reporting on GM’s enrollment process found that the screen that signed drivers up for OnStar’s emergency rescue service was the same screen that signed them up for Smart Driver’s data collection, with no version of the form that let a driver accept the ambulance button and decline the tracker.
A buyer who wanted out of Smart Driver had to opt out of OnStar entirely, giving up remote diagnostics, software updates, and the rescue service.
That isn’t a disclosure failure you can fix with clearer language. It’s coercion built into the product itself: a genuine need (help if you crash on an empty road) made conditional on accepting something the driver never asked for.
Coercive capitalism doesn’t need you to agree to a bad trade if it can make that trade the only door into the good one.
What “Every Three Seconds” Actually Buys
The granularity here is what turns an abstract privacy concern into something concrete. This wasn’t occasional location data tied to navigation requests.
Regulators found GM’s systems pinging precise coordinates as often as every three seconds, layered with behavioral telemetry: how hard you braked, how fast you accelerated, whether you were speeding, and when.
That combination, location plus behavior plus timestamp, is exactly the input an actuarial model needs to build a risk profile of a specific person’s daily driving life, not a general statistic about cars.
From Your Dashboard to a Data Broker to Your Premium
GM sold that data to LexisNexis and Verisk, both of which operate as consumer reporting agencies under the Fair Credit Reporting Act, the same federal framework that governs your credit report.
California's Department of Justice found GM earned roughly $20 million nationwide from these sales between 2020 and 2024. The brokers compiled the telemetry into driver-rating products and marketed them to insurance companies, who folded the resulting risk scores into underwriting and pricing decisions.
The mechanism is fully automated: a data broker’s algorithm correlates braking events, timing, and location against actuarial tables, generates a score, and sells it, all without a human in the loop and without the driver ever being told it happened.
Reporting at the time of GM’s original FTC settlement documented drivers who only learned they had been scored this way when their premiums unexpectedly rose.
The Federal Order: Real Restrictions, No Fine
When the FTC voted 2-0 to finalize its order against GM and OnStar in January 2026, it imposed a five-year ban on disclosing geolocation and driver behavior data to consumer reporting agencies, plus a 20-year requirement that GM obtain affirmative, explicit consent before collecting, using, or sharing connected vehicle data going forward.
That consent now has to happen at the dealership, tied to the vehicle’s VIN, when someone actually buys the car.
The order does not include a financial penalty. GM had already shut Smart Driver down in 2024 in response to public pressure, so by the time the federal order landed, the practical business impact was limited to the consent and reporting requirements going forward.
Separate lawsuits by state attorneys general in Texas, Nebraska, and Arkansas, plus a Florida consumer suit, are still addressing the same underlying conduct.
California’s Record Penalty, and Its Limits
Four months after the FTC order, California Attorney General Rob Bonta, the California Privacy Protection Agency, and four county district attorneys announced a $12.75 million settlement with GM, the largest penalty ever issued under the California Consumer Privacy Act and the first CCPA enforcement action built specifically around the law’s data minimization and purpose limitation requirements.
The order requires GM to delete retained driving data within 180 days, absent fresh consent; direct LexisNexis and Verisk to delete the data GM already gave them; and build an ongoing privacy assessment program that is reviewed by the state.
There’s an important nuance buried in California’s own findings: state insurance law already prohibits California insurers from using driving behavior data to set rates, so California drivers were not directly affected by the rate-setting use case the brokers had planned.
That protection does not exist in most other states. The mechanism this investigation describes, vehicle telemetry sold to a broker, scored, and fed into an insurer’s pricing model, remains legal and active wherever a state hasn’t specifically barred it, through whichever automaker’s program is currently running it.
Part of a Three-Year Sweep, Not a Single Bad Actor
GM’s settlement is the third and largest result of a sweep California’s Privacy Protection Agency opened into the connected vehicle industry back in 2023.
The agency fined Honda $632,500 in March 2025 for making it harder for customers to opt out of data sharing than to opt in.
A year later, it fined Ford $375,703 for quietly discarding opt-out requests that customers had already submitted.
GM’s $12.75 million penalty is the same sweep’s most serious finding to date, because unlike Honda and Ford, GM was not just making it hard to opt out; it was selling the underlying driving data itself.
Read across all three cases, the trajectory points in one direction: penalties are getting larger, and violations are becoming more concrete, as regulators dig deeper into an industry built on the assumption that nobody would check.
Why This Isn’t Close to Over
GM’s settlement closes one company’s case, but it does nothing to the underlying incentive.
Under Section 24220 of the Infrastructure Investment and Jobs Act, the federal government has mandated that all new passenger vehicles include advanced impaired driving prevention technology, with enforcement beginning no later than September 2027.
In practice, that means inward-facing cameras tracking eye movement and drowsiness, the same category of hardware GM, Honda, and Ford have already been caught misusing.
Nothing in the law restricts what an automaker can do with that camera feed once the safety check is done.
The federal mandate that’s about to put this hardware in every new car sold in the US contains no privacy backstop on how it gets used afterward, which means the version of this story we’re telling about GM today is the version that’s about to scale, not shrink.
What you can do
Request your free LexisNexis Consumer Disclosure Report at consumer.risk.lexisnexis.com or by calling 1-888-497-0011, and request your Verisk driving behavior disclosure by calling the Verisk Consumer Report Request Line at 1-800-627-3487. Both are free under the Fair Credit Reporting Act and will show you whether either broker holds a file on you. While you’re there, open your car’s manufacturer app and dashboard menu and look for OnStar Smart Driver or any equivalent telematics program; even though GM shut Smart Driver down, similar programs are active at other automakers, and opting out is usually a menu setting, not a phone call.
Contact your auto insurer in writing and ask directly whether telematics data or any third-party driving behavior score is factored into your current premium, a renewal increase, or a coverage decision. If you’ve received an adverse action letter from an insurer in the last 30 days, you’re entitled to a free copy of whatever report triggered it; request it by name. If you’re a California resident, you already have data minimization and deletion rights under the CCPA that this settlement reinforces; consider exercising them directly with LexisNexis and Verisk rather than waiting for them to act on your behalf.

