Your car logs every hard brake, and the FTC just banned GM from selling it for five years
Connected cars collect location, driving behavior, in-cabin audio, and synced contacts, then route it to automaker clouds, brokers, and insurers. Here's how to stop it.
Hacker News surfaced a blunt headline this month: modern cars are spying on you. It hit the front page because the receipts are overwhelming. Your car logs where you go, how hard you brake, what you tell the voice assistant, and who’s in your contacts, then ships much of it off over a cellular modem you never see, as the Associated Press detailed.
This isn’t a fringe worry anymore. In January 2025 the Federal Trade Commission accused General Motors of selling drivers’ location and behavior data to brokers without real consent, and in January 2026 it finalized an order banning GM from doing it for five years. Mozilla, after reviewing 25 car brands, called the category the worst it had ever studied. So here’s the plain-English version: what your car collects, where it goes, who pays for it, and what you can actually do.
What your car collects
Start with the obvious one. Location. A connected car’s GPS and telematics system know every trip you take, the route, the timestamps, and how long you idled in a parking lot. That’s the data insurers care most about, and it’s the data the FTC said GM was selling.
Then driving behavior. The AP report describes onboard cameras that track your face and eye movements, plus sensors logging steering, braking, acceleration, and seatbelt use. GM’s now-dead Smart Driver program flagged what it judged to be hard braking, hard accelerating, swerving, and speeding, and scored you on it.
The in-cabin stuff is where it gets uncomfortable. Pair your phone over Bluetooth and the car can pull your contacts, call logs, and text-message metadata. Voice assistants record what you ask. And the legal fine print goes further than most drivers would guess. Mozilla found that brands listed the ability to collect deeply personal categories, including health and genetic information, immigration status, race, and even sexual activity. Nissan’s policy was the standout, naming sexual activity and genetic data outright. That’s not a list of things your daily commute generates; it’s a list of what the policies reserve the right to touch.
Andrea Amico, who founded the privacy firm Privacy4Cars, sums up the shift in one line. “Cars have become giant electronic devices that collect a lot of personal data,” he told Automotive Fleet. The car is, functionally, a phone you sit inside for an hour a day.
How the data leaves the car
Collection is only half the problem. The other half is the pipe. Nearly every car sold today ships with an always-on cellular modem, so the telematics stream doesn’t wait for you to plug in a cable. It goes straight to the automaker’s cloud, often the moment you drive off the dealer lot.
From the automaker’s servers, the data fans out. Some goes to the brand’s own apps and partners. A chunk historically went to data broker firms, the companies that buy personal data they didn’t collect and repackage it for sale. In cars, the two names that keep surfacing are LexisNexis and Verisk. They turn raw trip logs into “risk scores” and driving histories, then sell those to insurance companies.
Kashmir Hill’s reporting for The New York Times exposed how this lands on real people. Drivers noticed their insurance rates jumping. When they asked why, insurers pointed them to their LexisNexis file, where they found hundreds of pages logging every trip they’d taken, each braking event, each fast acceleration. Many never knowingly signed up. They’d been enrolled in OnStar’s Smart Driver gamification feature, sometimes through a dealer flow they barely registered.
Consent is the load-bearing word here, and it’s doing very little work. Mozilla found that 84% of the brands it reviewed say they can share your personal data and 76% say they can sell it. More than half, 56%, say they’ll hand information to government or law enforcement on an informal request, no warrant required.
The insurer pipeline
Why does any company want to know that you braked hard on Tuesday? Money. Insurers price premiums on risk, and a granular record of your actual driving is a sharper risk signal than your age or ZIP code. Usage-based insurance programs have offered this trade for years: share your driving, maybe get a discount. The scandal wasn’t the existence of those programs. It was the data flowing to insurers from people who thought they were just using a feature in their car’s app.
The FTC’s case spells out the mechanism. GM and OnStar, the agency alleged, collected precise geolocation as often as every few seconds and sold driving-behavior data to brokers, who fed insurers, all without the informed consent of the people in the cars. FTC Chair Lina Khan didn’t hedge. The order, she said, addresses “GM’s egregious betrayal of consumers’ trust,” per the agency’s announcement. GM had already cut its broker partnerships in March 2024 after the Times reporting; the FTC order made the prohibition binding.
Here’s the part that stings. The federal action carried no fine. The finalized 2026 order bans GM from disclosing geolocation and driver-behavior data to consumer reporting agencies for five years, and requires affirmative consent for connected-vehicle data collection for the full 20-year life of the order. A separate civil settlement reported in 2026 put a $12.75 million figure on related claims. For a company GM’s size, that’s a rounding error, not a deterrent.
The regulation catching up
The GM case is the marquee federal action, but it sits inside a wider shift. State attorneys general are circling connected-car data, with Texas opening its own line of inquiry into automaker privacy practices. California’s privacy law gives residents the right to opt out of the sale of personal data, which in principle covers driving records. And the legal framing matters: this is consumer-data regulation, so what I’m describing is reported enforcement and policy, not legal advice or any prediction about how a given case resolves.
Europe runs ahead on paper. Under the GDPR, precise location and behavioral profiles count as personal data that needs a lawful basis and genuine consent, which is why the same automakers often expose more granular opt-outs to EU and UK drivers. That regulatory gravity is part of a broader pattern this site has tracked, from Palantir’s bid for unlimited NHS patient data to government demands for Google user records. Cars are the same fight, on wheels.
Whether any of this slows the underlying business is the open question. The FTC order disciplines one automaker’s worst practice. It doesn’t ban the telematics pipe, the brokers, or the insurer market that funds the whole thing.
What you can actually do
You have more control than the dashboard lets on, though none of it is one-click. Start by digging into the infotainment menus and the automaker’s companion app, where the real toggles hide. The AP walked through the brand specifics: Toyota drivers can decline “Master Data Consent” in the Toyota app, Ford owners can stop sharing through FordPass or the dashboard, and BMW exposes its controls in the infotainment system.
Three practical moves, in order of effort:
- Revoke consent in-app and in-menu. Turn off data sharing and driving-score features. The catch: killing location can also disable roadside assistance and remote unlock, so decide what you’ll actually miss.
- Use Privacy4Cars. Its free service either points you to your automaker’s opt-out portal or files the request for you across the US, Canada, the EU, the UK, and Australia.
- Check vehicleprivacyreport.com. Punch in your VIN and Privacy4Cars summarizes what your specific car can track and share, which is also worth doing before you buy or sell.
One more thing if you’re selling or trading in. Amico’s firm found that more than four in five cars get resold with the prior owner’s data still on them: contacts, home address, garage codes, and paired phones. Factory-reset the infotainment system and unpair your phone before the car leaves your hands. A trade-in is a data breach waiting to happen if you skip that step. This is the same hygiene logic behind any account or platform you’d lock down before walking away from it.
What this means for you
If you drive anything built in the last five years, assume the default is collection, not privacy, and that consent was something you clicked past on a touchscreen. The fix isn’t paranoia; it’s twenty minutes with your car’s settings and the Vehicle Privacy Report. Do the opt-outs, kill the driving-score feature unless you genuinely want the insurance discount, and reset the car before you sell it. The FTC just proved the worst-case scenario was real for millions of GM drivers, and it took a federal order to unwind one program at one company. Until the brokers and the insurer market get the same treatment, the only privacy setting you can fully trust is the one you set yourself.
Sources
- It's Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy — Mozilla Foundation
- FTC Takes Action Against General Motors for Sharing Drivers' Precise Location and Driving Behavior Data Without Consent — Federal Trade Commission
- One Tech Tip: Modern cars are spying on you. Here's what you can do about it — Associated Press / The Hill
- FTC Finalizes Order Settling Allegations that GM and OnStar Collected and Sold Geolocation Data Without Consumers' Informed Consent — Federal Trade Commission
Frequently Asked
- What data does my connected car actually collect?
  Precise location, driving behavior (speed, hard braking, acceleration), trip times and routes, and on many models in-cabin audio from voice commands and synced phone contacts and call logs. Some brands list biometric and health-adjacent data in their policies.
- How does the data leave the car?
  A built-in cellular modem sends telematics to the automaker's cloud. From there it can flow to data brokers like LexisNexis and Verisk, then to insurers who price your premium against it.
- Did GM really sell driving data to insurers?
  Yes. The FTC alleged GM and OnStar collected geolocation and driving-behavior data and sold it to brokers without informed consent. GM settled in January 2025 and the order was finalized in January 2026.
- How do I stop my car from sharing data?
  Decline or revoke consent in the infotainment menus and the automaker's app (Toyota's Master Data Consent, FordPass, BMW settings), or use Privacy4Cars to file opt-out requests. Check what your car tracks at vehicleprivacyreport.com.