The FTC GM OnStar order made consent-first vehicle data the law

The FTC's order against GM and OnStar did not just penalize one company — it declared the old vehicle-data business model illegal and made consent-first access the new baseline.

In early 2026 the U.S. Federal Trade Commission finalized an order against General Motors and its OnStar unit over the collection and sale of connected-vehicle data without proper consent. The order bars GM from sharing driver-behavior and precise-geolocation data without affirmative opt-in consent, and it does so for five years. The practical message to the entire industry is blunt: GM just proved that the old model is illegal, and consent-first vehicle data access is now the baseline regulators expect.

What the order actually says

  • A five-year ban on sharing driver-behavior data collected without affirmative, informed consent.
  • A requirement for affirmative opt-in before collecting or sharing connected-vehicle data going forward.
  • The conduct affected roughly 1.8 million GM customers whose data had been routed to data brokers, including LexisNexis and Verisk, where it could feed insurance risk scoring.

Why this kills bulk telematics brokerage

The downstream effect was immediate. Verisk stopped accepting OEM-sourced telematics data the same week the order was finalized. When the largest buyers of bulk vehicle data will no longer touch OEM-sourced feeds without airtight consent provenance, the economics of the brokerage model collapse. Bulk OEM telematics data brokerage is now legally dead as a business model.

That is not a temporary chill. It is a structural shift: value moves from whoever can aggregate the most data to whoever can prove the data was accessed with consent, for a purpose, and on the record.

The new model still has enormous value, if it is consented

None of this means vehicle data loses its worth. Insurers still want it: usage-based pricing works, and fleets that share telematics see better loss ratios. The problem the FTC order exposes is the plumbing, not the demand. What insurers and OEMs now need is a way to get driver-authorized data with a verifiable trail, rather than a broker feed that cannot survive a consent audit.

That is exactly what a session model provides. DIMO is the infrastructure that makes the new model work: access is created per session, scoped to what the driver authorized, and sealed with a signed, independently verifiable record. Consent is not a checkbox bolted onto a data pipe. It is part of how access is created, as described in session-scoped consent, and the resulting audit trail is the artifact an underwriter or regulator can actually accept.

The bigger pattern: value moves to consent provenance

Connected-services revenue is real and large. GM's own OnStar business reportedly reached roughly $5.4 billion in 2025, serving on the order of 12 million subscribers. The FTC order does not say that revenue is illegitimate. It says the mechanism matters: money earned from data that cannot survive a consent audit is now at risk, and money earned from data with clear, per-driver consent provenance is durable.

That is the shift to internalize. For a decade the implicit business model was “aggregate as much vehicle data as possible, then find buyers.” After this order, the durable model is “grant access per driver, scope it, and keep the receipt.” The asset is no longer the size of the data lake; it is the strength of the consent trail attached to each access.

Common questions

Is this just a GM problem?

No. The FTC framed it as an industry standard, not a one-off penalty. Any manufacturer or broker relying on non-consented driver-behavior data is exposed to the same theory. Treat the order as the baseline the rest of the market will be held to, not as a GM-specific event.

Can insurers still use vehicle data for pricing?

Yes. Usage-based pricing works and is not going away. What changed is the sourcing. Insurers now need driver-authorized data with a verifiable trail, which is exactly what a session audit trail provides, rather than a broker feed that just lost its largest buyer.

What OEMs and insurers should take from it

  • OEMs: any data-monetization plan that depends on bulk, broker-routed telematics is now a liability. Re-base it on per-driver consent with an audit trail.
  • Insurers: the path to usage-based and fleet-telematics pricing runs through consented, verifiable access, not broker feeds that just got cut off.

This page is educational, not legal advice.