Data Privacy Enforcement Tracker

What Happened

The Federal Trade Commission (FTC) is taking action against General Motors and its OnStar subsidiary (collectively, GM) for allegedly mishandling drivers' personal data. Specifically, GM is alleged to have collected precise geolocation data (as frequently as every 3 seconds) and driving behavior information from millions of vehicles without proper consumer consent. In addition, the FTC alleges GM shared this data with consumer reporting agencies, who then used it to create credit reports that insurance companies used for setting rates and making coverage decisions. In its order, the FTC alleges that this behavior, along with GM’s enrollment process for OnStar was misleading. This represents the FTC's first enforcement action related to connected vehicle data.

Under the proposed settlement, GM must:

• • Stop sharing driver data with consumer reporting agencies for five years
  • Obtain explicit consent before collecting connected vehicle data
  • Provide users ways to access, delete, and limit collection of their data
  • Be transparent about how it collects, uses, and shares consumer data

The Texas Attorney General sued GM in August of 2024 under Texas’s Deceptive Trade Practices Act for the same alleged behavior.

Key Takeaways

In particular, this settlement illustrates the creative settlement rights available to the FTC. In this instance, the FTC is proposing a ban on sharing data with consumer protection agencies for five years. Another recent case with creative settlement terms was the order against Weight Watchers in which the FTC ordered deletion of the collected data, deletion of any models that used the collected data, and payment of a monetary fine.

The recent GM settlement exemplifies the complexity in navigating US privacy compliance and , namely, the application of  distinct state and federal regulations to address privacy violations. For example, a single privacy incident can trigger multiple enforcement actions under diverse legal frameworks with different types of penalties. Take, for instance, the Texas Attorney General's parallel lawsuit against GM—notably pursuing the same conduct but under legislation not specifically designed for privacy matters. This multilayered enforcement approach means that companies face cascading consequences when their data collection practices are alleged to fall short of legal requirements. The FTC's action in this case further demonstrates how regulatory bodies actively collaborate and share intelligence, creating a coordinated enforcement network that amplifies the stakes for businesses handling consumer data.

Final Thoughts

In May 2017, The Economist published an article titled, “The world’s most valuable resource is no longer oil, but data.” At the time, data was already a valuable commodity, but with the rise of artificial intelligence (AI), it has become indispensable. Recognizing this, companies have gone to great lengths to collect data and heavily invest in monetizing it through AI model training. Until recently, these data collection practices largely operated with minimal oversight. However, a wave of regulatory scrutiny, including actions by the Texas Attorney General and increased enforcement by the FTC, is changing the landscape. Unlike other regulatory penalties that may simply involve fines, the consequences of poor data collection practices are far more significant. Companies risk losing access to tainted data sets and the AI models or algorithms trained on them. To mitigate these risks, businesses must take a proactive approach to identifying and addressing deficiencies in their data collection processes. Failing to do so could have profound and lasting impacts.