A Growing Wave of Class Actions Targets Automakers for Selling Drivers’ Data Without Consent
Mason & Perry LLP | May 11, 2026
When you drove your new car off the lot, you probably did not realize you had just enrolled in one of the most invasive surveillance programs of your life. Connected vehicles — equipped with cellular modems, GPS units, and dozens of sensors — quietly transmit detailed information about how, when, and where you drive. Some automakers have turned that information into a quiet revenue stream, packaging driver-behavior data and selling it to insurance pricing networks and data brokers. The result, plaintiffs allege, is millions of drivers paying higher premiums because of habits they never knew their car was reporting.
How Your Car Collects — and Shares — Your Driving Data
Most cars built in the last several years contain a telematics control unit that streams data back to the manufacturer in near real time. The transmitted data can include hard-braking events, rapid acceleration, cornering speed, late-night trips, total miles driven, and the GPS coordinates of those trips. Some manufacturers also capture cabin audio, seat-belt usage, and infotainment-system inputs.
This information has substantial commercial value. Industry insurance pricing networks — including LexisNexis Risk Solutions and Verisk Analytics — purchase driver-behavior data from automakers and incorporate it into consumer reports that insurance companies use to set, raise, or deny coverage. Some drivers have reported premium spikes of 20% or more after their automaker began sharing their data — with no traffic incident, claim, or moving violation in their history.
A Growing Wave of Class Actions
Beginning in 2024, drivers across the country filed class actions alleging that their automakers enrolled them in driver-behavior tracking programs without meaningful consent and then sold the resulting data to insurance brokers. Many of the federal cases against General Motors and OnStar were consolidated in a multidistrict litigation pending in the U.S. District Court for the Northern District of Georgia. The consolidated complaint alleges that GM’s “Smart Driver” feature was opt-in in name only — buried inside a dealer setup workflow, presented as a “vehicle health” tool, and toggled on by salespeople trying to complete the sale.
The Federal Trade Commission has also weighed in. In early 2025, the FTC announced a proposed consent order with GM and OnStar that, if finalized, would prohibit the company from sharing connected-vehicle data with consumer reporting agencies for five years and require affirmative express consent before any future collection of geolocation or driver-behavior data.
State enforcers have not been idle. In August 2024, the Texas Attorney General filed suit against General Motors alleging violations of the Texas Deceptive Trade Practices Act for collecting and selling driver-behavior data without proper consent. Similar inquiries have been opened in California, Massachusetts, and other states. Honda, Hyundai, Toyota, and several other manufacturers have been named in related class actions over the same business model.
Why “Buried Consent” Is a Legal Problem
The defense most automakers offer is that drivers agreed to data collection somewhere — in the OnStar terms of service, in the in-car infotainment setup screen, or in a 90-page owner’s manual. Courts and regulators are increasingly skeptical of that defense.
Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, Cal. Civ. Code § 1798.100 et seq., businesses that collect “sensitive personal information” — a category that expressly includes precise geolocation — must provide clear notice and a meaningful opportunity to opt out. The California Privacy Protection Agency announced an enforcement sweep of connected-vehicle manufacturers in 2024 and has signaled that buried disclosures and dealer-driven enrollment do not satisfy the statute. The federal Driver’s Privacy Protection Act, 18 U.S.C. §§ 2721–2725, separately limits how driver-license records and certain related data may be shared. And under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45, deceptive disclosures — those a reasonable consumer would not understand — can themselves be unlawful, regardless of what fine print the dealer placed in front of you.
For consumers, the practical issue is even simpler: if you never knew your car was sharing your braking habits with your insurer, you never had the chance to drive differently, opt out, or shop for coverage that does not punish you for behaviors you cannot verify.
What Class Members Can Recover
Class actions in this area typically seek (1) disgorgement of the profits the automaker earned from selling driver data, (2) statutory damages under state privacy and consumer-protection laws, and (3) injunctive relief requiring the automaker to delete the data and stop sharing it going forward. In some cases, plaintiffs also pursue out-of-pocket damages tied to higher insurance premiums or denied coverage that resulted from shared data.
Settlements in privacy class actions often include both a cash fund and “structural” relief — court-supervised changes to how the company collects, retains, and shares data. The FTC’s proposed order against GM is a useful preview of what those structural reforms can look like: a multi-year ban on sharing connected-vehicle data with consumer reporting agencies, an affirmative-consent requirement for any future collection, and mandatory deletion of historical data on request.
What You Can Do to Protect Yourself
Pull your “consumer disclosure report” from LexisNexis and Verisk. Both companies are required by the Fair Credit Reporting Act to provide you with a free copy of the consumer report they maintain about you. Look for a section labeled “telematics,” “driver behavior,” or “vehicle data.” If your driving data appears, note the source — that identifies which automaker or app sold it.
Check your vehicle’s connected-services settings. Log in to the manufacturer’s app (myChevrolet, myHyundai, Toyota Connected, and similar) and look for a “Smart Driver,” “Driving Score,” or “data sharing” toggle. Turn it off, then call customer service and confirm in writing that data sharing has stopped and that historical data has been deleted from any downstream broker.
Read your insurance renewal notice carefully. If your premium increased without an at-fault claim or moving violation, ask your insurer in writing what data they relied on. Federal law entitles you to know the source of any consumer-report information that was used to raise your rates.
Document the timeline. Save the original purchase paperwork, the OnStar or connected-services enrollment screens (if you can recover them), and your insurance correspondence. The central question in this litigation is what did the consumer actually see and consent to at the moment of enrollment. Your records help answer that question.
Mason & Perry LLP represents individuals and groups in privacy and consumer-protection class action litigation. If you believe an automaker collected or sold your driving data without proper consent, contact us to discuss your options.