For years, lawyers advising data-driven companies have taken relative comfort in a familiar premise: collect consumer data, disclose it in a privacy policy, and reserve flexibility through broadly drafted consent language. In January 2026, the Federal Trade Commission (FTC) made clear that this comfort may be overstated, at least where sensitive data is repurposed in ways consumers do not reasonably anticipate.
In a closely watched enforcement action, the FTC finalized a sweeping consent order against General Motors (GM) and its OnStar subsidiary, alleging that the companies collected and sold precise geolocation and driving-behavior data without consumers' informed consent.[1] The matter drew widespread attention after reporting revealed that driving data generated through GM vehicles had been shared with third-party data brokers and ultimately used by insurers when setting premiums.[2] While the facts arose in the automotive context, the legal theories the FTC applied are neither new nor dependent on industry-specific rulemaking, and that is precisely why the case deserves closer attention from companies well outside the auto industry.
Ultimately, the FTC's case against GM did not turn on novel privacy rulemaking or a sudden expansion of federal law. Instead, the agency relied on its long-standing authority under Section 5 of the FTC Act[3] to police unfair or deceptive acts or practices, applying that framework to modern, connected-device data flows.[4] For in‑house counsel unfamiliar with the details of the enforcement, the case provides a useful and cautionary illustration of how the FTC now evaluates consent, disclosure, and downstream data use in complex consumer products.
Before turning to the implications, it is worth underscoring what the FTC did not say. The commission did not hold that telematics data is inherently too sensitive to collect, nor did it prohibit manufacturers from sharing data with third parties as a categorical matter. Rather, the agency focused on the gap between consumer expectations and actual data practices, concluding that GM's enrollment and disclosure mechanisms failed to adequately convey how driving data would be monetized and by whom.
That distinction between data collection itself and the way consent is obtained runs throughout the FTC's complaint and final order. It also explains why this case resonates far beyond connected vehicles.
The takeaway is that consent is not assessed in the abstract. The GM/OnStar matter illustrates that consent is increasingly evaluated in context of expectations. From the FTC's perspective, the problem was not simply that GM collected detailed driving data. Rather, it was that consumers enrolled in a feature marketed as a driving-feedback tool without being clearly informed that the same data could be used by third parties in ways that affected insurance pricing, which the FTC deemed unfair or deceptive.[5] Where sensitive data travels down a chain of secondary uses, the commission appears less willing to rely on generalized disclosures or bundled permissions as evidence of meaningful consent.
The parallel consumer litigation now moving forward in federal court reinforces the point. There, judges have declined to dispose of wiretap and privacy claims at the pleading stage, emphasizing that questions of authorization, notice, and control are fact‑intensive and ill‑suited for early resolution.[6] Whatever the ultimate outcome, the litigation underscores how consent mechanics, often treated as settled at product launch, can later become central to both regulatory scrutiny and civil liability.
For in-house counsel advising companies that collect and share consumer data, the lesson is not to abandon data-driven features or partnerships but to recognize that how consent is obtained, explained, and operationalized may matter just as much as whether consent exists at all. In an environment where regulators and courts are prepared to interrogate the practical realities of user understanding, assumptions that once felt conservative may now merit re-examination.
For more information, please contact Lloyd Wilson or another member of Shumaker’s Technology, Data Privacy, Cybersecurity & AI Service Line.
____________________________________________________
[1] FTC Finalizes Order Settling Allegations that GM and OnStar Collected and Sold Geolocation Data Without Consumers' Informed Consent, Fed. Trade Comm'n (Jan. 14, 2026), https://www.ftc.gov/news-events/news/press-releases/2026/01/ftc-finalizes-order-settling-allegations-gm-onstar-collected-sold-geolocation-data-without-consumers.
[2] Kirsten Korosec, The FTC's Data‑Sharing Order Against GM Is Finally Settled, TechCrunch (Jan. 14, 2026), https://techcrunch.com/2026/01/14/the-ftcs-data-sharing-order-against-gm-is-finally-settled/.
[3] Federal Trade Commission Act § 5, 15 U.S.C. § 45.
[4] 15 U.S.C. § 45(a); FTC Takes Action Against General Motors for Sharing Drivers' Precise Location and Driving Behavior Data Without Consent, Fed. Trade Comm'n (Jan. 16, 2025), https://www.ftc.gov/news-events/news/press-releases/2025/01/ftc-takes-action-against-general-motors-sharing-drivers-precise-location-driving-behavior-data.
[5] FTC Finalizes Order Settling Allegations that GM and OnStar Collected and Sold Geolocation Data Without Consumers' Informed Consent, supra note 1.
[6] GM OnStar Lawsuits Over Driving Data Tracking Cleared To Move Forward, AboutLawsuits.com (Apr. 28, 2026), https://www.aboutlawsuits.com/gm-onstar-lawsuit/gm-onstar-lawsuits-driving-data-tracking-cleared-to-move-forward/.