A PYMNTS Company

FTC, State Regulators Step Up Scrutiny of Data Collected From Connected Vehicles

By  |  February 20, 2026

Federal regulators are intensifying scrutiny of how automakers collect, use and monetize data generated by connected vehicles, with geolocation and driver behavior information emerging as the focal point of enforcement.

    Get the Full Story

    Complete the form to unlock this article and enjoy unlimited free access to all PYMNTS content — no additional logins required.

    yesSubscribe to our daily newsletter, PYMNTS Today.

    By completing this form, you agree to receive marketing communications from PYMNTS and to the sharing of your information with our sponsor, if applicable, in accordance with our Privacy Policy and Terms and Conditions.

    A recent analysis of transportation privacy developments by Nelson Mullins warns that 2026 will mark a turning point, as vehicle-generated data is “no longer viewed as a byproduct of innovation, but as a category of highly sensitive consumer information warranting strict regulatory oversight.”

    The Federal Trade Commission has made clear that traditional consumer protection authorities under Section 5 of the FTC Act will be deployed aggressively against automakers and their telematics partners.

    The agency signaled in May 2024 that it would more closely examine the privacy risks associated with connected vehicles, particularly the collection and sharing of precise location data and other sensitive information. The agency has long treated geolocation as sensitive data, akin to information gathered by mobile phones, because it can reveal visits to medical facilities, religious institutions or other sensitive locations.

    Under the FTC’s unfairness and deception authority, the surreptitious disclosure of such data may constitute an unfair practice. The agency also cautioned that sensitive data should not be used for automated decision-making in ways that produce harmful or discriminatory outcomes. That warning is significant for automakers that feed telematics and behavioral data into insurance scoring, driver profiling or other algorithmic systems.

    Companies do “not have the free license to monetize people’s information beyond purposes needed to provide their requested product or service,” the FTC said in its 2024 statement. That position places subscription-based features, data-driven insurance partnerships and analytics arrangements squarely within the agency’s enforcement crosshairs.

    The FTC’s January 2026 final order against General Motors and OnStar illustrates the scope of remedies regulators are prepared to impose. The agency alleged that GM collected, used and sold precise geolocation and driving behavior data from millions of vehicles without adequately notifying consumers and obtaining affirmative express consent.

    We’d love to be your preferred source for news.

    Please add us to your preferred sources list so our news, data and interviews show up in your feed. Thanks!

    Add as Preferred Source

    Read more: California Privacy Regulator Investigates Automotive Industry Over Data Use

    According to the complaint, GM used a misleading enrollment process tied to its OnStar connected vehicle service and Smart Driver feature, and failed to clearly disclose that it was collecting and selling precise geolocation and driver behavior data to third parties. That framing squarely invokes deception principles under Section 5.

    The final order imposes a five-year ban on disclosing consumers’ geolocation and driver behavior data to consumer reporting agencies. For 20 years, GM must obtain affirmative express consent before collecting, using or sharing connected vehicle data, provide consumers with access and deletion rights, enable drivers to disable precise geolocation collection where technologically feasible, and offer an opt-out from geolocation and driver behavior data collection.

    Notably, the order restricts data flows to consumer reporting agencies, raising Fair Credit Reporting Act implications where telematics data may influence underwriting or eligibility determinations. The FTC’s willingness to treat certain downstream uses as implicating credit reporting frameworks signals a broader regulatory theory of harm, according to Nelson Mullins.

    As connected vehicles generate increasingly granular location histories and behavioral metrics, law enforcement access requests may also trigger constitutional challenges analogous to those seen in mobile phone location cases.

    The feds are not alone in stepping up scrutiny of connected-vehicle privacy. Nelson Mullin anticipates more state-specific rules and enforcement by states, including California and Texas, layering comprehensive privacy statutes and sectoral laws on top of FTC oversight.

    For automakers, the regulatory message is unambiguous. Precise geolocation, driver behavior metrics and algorithmically derived telematics data are being treated as sensitive personal information. Enrollment flows, disclosures and consent mechanisms must withstand scrutiny under deception standards. Data sharing arrangements, particularly with insurers, analytics providers and consumer reporting agencies, must be reevaluated in light of both Section 5 and FCRA risk.

    As vehicles evolve into software-defined platforms, regulators are making clear that innovation will not excuse opaque data practices. In 2026 and beyond, compliance programs in the automotive sector will need to resemble those of sophisticated digital platforms, with robust consent architecture, data minimization controls and defensible governance over the full lifecycle of connected vehicle data.