Arkansas Sues General Motors Over Driver Data Practices

If you grew up thinking your car’s job was to drive, Arkansas has some news: your car may also be
quietly auditioning for a second career as a data collector. (And not the cute kind that organizes baseball
cards. The kind that organizes where you go and how you drive.)

On February 26, 2025, Arkansas Attorney General Tim Griffin filed a lawsuit against General Motors and its
OnStar subsidiary, alleging the companies improperly collected detailed driving data and sold it to third
parties, which then sold it to insurance companies. The state says that pipeline helped insurers raise rates
or deny coveragewhile consumers allegedly weren’t given clear, informed consent to what was happening behind
the touchscreen.

This article breaks down what Arkansas is claiming, how the connected-car data “supply chain” works, why
regulators are suddenly very interested in telematics, and what drivers can do right now if they want their
vehicle to stop being so… chatty.

What Arkansas alleges (and why GM is in the hot seat)

Arkansas is using the Arkansas Deceptive Trade Practices Act (plus an unjust enrichment claim) to argue that
GM and OnStar marketed connected services as consumer-friendlysafety features, better driving insights, a
more convenient ownership experiencewhile allegedly failing to clearly disclose the scope, purpose, and
downstream consequences of data collection and sale.

The lawsuit’s basic theory is straightforward:

• GM vehicles and services collected sensitive data about driving behavior and, in some cases, precise location.
• That data was sold to third parties (often described as data brokers or consumer reporting entities).
• Insurers used the resulting reports/scores to adjust premiums, deny coverage, or cancel policies.
• Drivers didn’t meaningfully consent (or didn’t understand they were consenting) to that whole chain.

The state has publicly estimated that data from more than 100,000 Arkansans was involved. The complaint also
frames the issue as a long-running practicenot a single glitch or one confusing checkbox.

The heart of the case: “informed consent” vs. “fine print consent”

Most privacy disputes aren’t really about whether data exists (it does), but whether people had a fair chance
to understand what was being collected, why, and what could happen next. Arkansas argues the disclosures and
enrollment flows didn’t deliver that clarityand that the result was consumers getting financially dinged by
insurance decisions they never connected to their car’s settings.

Connected cars 101: what “driver data” usually includes

“Driver data” sounds vague until you realize how specific it can get. Telematics can include things like:

• Precise geolocation (where the car is and where it has been)
• Trip metadata (start/end time, distance, frequency)
• Driving behavior (speeding events, hard braking, rapid acceleration)
• Pattern flags (late-night driving, high-speed driving percentages)
• App and service interactions tied to connected features

A key nuance: this isn’t just “you went 78 in a 65 once.” It’s the aggregation of patternshow often you brake
hard, how frequently you drive at night, how consistent your trips are, and whether your behavior looks like
“higher risk” when turned into a scorecard.

Regulators have focused on how frequently data can be collected. Federal allegations in related enforcement
actions described some location tracking happening as often as every few seconds, which is a reminder that
modern telematics can feel less like a speedometer and more like a second-by-second diary.

The data pipeline: from your dashboard to an insurance decision

Arkansas’s lawsuit is part of a bigger national argument about how vehicle data is commercialized.
Here’s a plain-English version of the pipeline the state is concerned about:

Step 1: Data gets collected through connected services

Many drivers enroll in connected services at the dealership or during a new-car setup flow. The pitch is
usually reasonable: emergency response, roadside assistance, stolen vehicle help, safety notifications, vehicle
health reports, remote start from an appthe stuff that makes a car feel like a helpful gadget instead of a
rolling chunk of metal.

Some programs also offer “driver feedback” features that score your driving or provide tips. In the GM/OnStar
universe, that’s where the now-famous “Smart Driver” discussions show up in reporting and enforcement.

Step 2: Data is shared or sold to third parties

The controversy is less about a car maker using data to make a feature work and more about when data moves
into a marketplace: third-party exchanges, broker ecosystems, or consumer reporting contexts. Arkansas alleges
GM/OnStar collected detailed driving data and sold it to third parties who then resold it to insurers.

Step 3: Data becomes a risk profile (and then a price)

Here’s where it gets real for consumers. The reports created from driving behavior can be used by insurers in
underwriting or pricingsimilar to how other specialty consumer reports influence financial decisions. If a
driver is labeled “higher risk,” the output could be a higher premium, a reduced discount, a denial, or a
cancellation.

Arkansas argues that consumers weren’t given a meaningful chance to understand that “help me drive safer”
could translate to “help my insurer charge me more.”

Why regulators are extra interested: consumer reporting rules and “adverse action”

One reason this story escalated beyond a typical privacy complaint is the concept of consumer reporting.
Federal regulators have characterized certain data flows as involving consumer reporting agencies, which
triggers a more serious compliance conversationespecially when the data influences insurance availability or
cost.

That matters because when information affects eligibility or pricing, consumers generally expect:
(1) transparency that it’s happening, and (2) a fair process for access, correction, or dispute.
When people learn about a file only after the premium spikes, it tends to feel less like “innovation” and more
like a surprise fee dressed up as technology.

The FTC factor: a federal case running alongside state enforcement

Arkansas didn’t bring this case in a vacuum. In January 2025, the Federal Trade Commission announced an action
against GM and OnStar alleging they collected and sold sensitive geolocation and driving behavior data without
adequate notice and affirmative consent. Under a proposed order, GM/OnStar faced a five-year ban on disclosing
certain sensitive data to consumer reporting agencies and additional requirements around consent, transparency,
and consumer choice.

GM has said it discontinued the Smart Driver program and ended certain third-party telematics relationships.
Even so, Arkansas’s lawsuit shows how state attorneys general can pursue separate claims under state consumer
protection lawsespecially where they believe residents were harmed or misled.

How Arkansas’s lawsuit fits into the bigger national trend

If this feels like “one state being dramatic,” it isn’t. State and federal scrutiny of connected-car data has
been building for years, fueled by investigative reporting, consumer complaints, and pressure from lawmakers.

Other states have moved too

Texas sued GM in 2024 over allegations of collecting and selling drivers’ data without consent. Nebraska later
filed its own lawsuit in 2025. Different states use different legal tools (some have comprehensive privacy
laws; others rely on consumer protection statutes), but the pattern is consistent: connected-car data is no
longer a niche issue reserved for privacy nerds and people who read terms of service for fun.

Lawmakers have been pushing regulators

U.S. Senators have urged the FTC to investigate automakers and data brokers, describing practices where
driving behavior and location data could be shared widely and monetized at scale. The political takeaway is
simple: once the story becomes “your car can raise your insurance bill,” it stops being abstract.

What GM drivers (and really, all drivers) can do right now

You can’t un-invent connected cars, but you can reduce the odds that your vehicle is running a side hustle.
Here’s a practical checklist that balances convenience with privacy.

1) Audit your connected services settings

• Open your vehicle’s app and look for privacy, data sharing, telematics, analytics, or “driving insights” settings.
• Check whether any “driver score,” “smart driver,” or “usage-based” feature is enabled.
• Look for toggles tied to sharing with partners, insurance, or “research/analytics.”

2) Don’t assume the dealership setup is neutral

Many enrollments happen fastnew car smell, paperwork stack, someone showing you how the screen works, and
suddenly you’re nodding “yes” to seven things in a row because you just want to pair Bluetooth.
Slow down. Ask what each consent covers, and whether the feature still works if you opt out of data sharing.

3) Request your consumer disclosure file

If you suspect your driving data may have been used for insurance decisions, you can request your consumer
disclosure report from specialty consumer reporting companies. LexisNexis Risk Solutions provides a process to
request a Consumer Disclosure Report under the Fair Credit Reporting Act framework. The Consumer Financial
Protection Bureau also maintains a list of consumer reporting companies and contact information for requesting
reports.

4) If something looks wrong, dispute it

If you find inaccurate information in a consumer report, dispute procedures generally exist, and you can ask
for corrections. If you received an “adverse action” (like a denial or higher premium), keep the notice and
use it to guide what reports to request and what to challenge.

5) Ask for deletion or limitation where available

Depending on the company and applicable state laws, you may have options to delete data, limit collection, or
restrict sharing. The FTC’s proposed order in the GM matter also emphasized consumer choice and the ability to
limit or delete certain data, which signals where industry expectations are headedeven beyond GM.

What businesses should learn: privacy design isn’t optional anymore

If you work in auto, insurance, or connected-device product design, Arkansas’s lawsuit is a warning label with
legal letterhead. The era of “we disclosed it somewhere” is fading fast.

Clear consent has to be separate, specific, and understandable

Regulators are skeptical of consent buried inside broad terms that bundle unrelated permissions. When a
feature is presented as “safety” but functions as “underwriting fuel,” the gap between marketing and reality
becomes the litigation zone.

Downstream harms matter

Even if data is “de-identified” or “aggregated,” the practical consequence for consumers is what drives
enforcement: increased premiums, canceled policies, denied coverage, or confusion that makes people feel
tricked rather than served.

Dealership scripts and setup flows are part of compliance

The point of consent is not just the checkboxit’s the moment of understanding. If the dealership experience
pushes drivers into enrollment without real explanation, it becomes part of the compliance risk story.

FAQ: quick answers people are Googling right now

Is Arkansas accusing GM of “spying”?

Arkansas’s allegations are framed as deceptive practices and unlawful selling of data, not as cinematic
spy-movie behavior. The core issue is whether GM/OnStar collected and sold detailed driving data without
informed consumer consent and whether consumers were misled about the purpose and consequences.

Does this affect only Arkansas drivers?

The lawsuit is brought on behalf of Arkansas consumers, but similar allegations and enforcement actions have
shown up in other states and at the federal level. The broader issueconnected-car data sharingaffects
drivers nationwide, regardless of brand.

Can insurers legally use driving data?

Insurers can use telematics when consumers knowingly enroll (for example, usage-based insurance programs).
The controversy is about data being used without clear notice, or when the enrollment path is confusing enough
that people don’t realize what they agreed to.

What if my insurance rate jumped and I suspect telematics?

Start by asking your insurer what factors changed, then request relevant consumer disclosure reports and
connected-car data records where available. If a consumer report contributed to an adverse action, you may
have rights to access and dispute the information.

Real-world experiences: what this issue feels like from the driver’s seat

Not everyone experiences “data practices” as a legal headline. Most people experience it as a vibeusually a
confused, mildly annoyed vibefollowed by a phone call that starts with, “Hi, can you explain why my premium
just did that?”

A common pattern described by drivers in public reporting and consumer discussions looks like this: you buy a
car, you activate the app because it’s genuinely useful, and you breeze through setup screens the way humans
have always doneby tapping “Agree” with the confidence of someone who has never been personally betrayed by a
toaster. You tell yourself, “This is just for remote start and emergency help.” That assumption feels
reasonable because it matches the marketing: safety, convenience, driving insights, peace of mind.

Then comes the moment that makes people suspicious. It might be a renewal notice. It might be a new quote.
It might be an insurer saying your risk profile looks different. Most drivers don’t think, “Ah yes, my
late-night burrito runs have finally been statistically modeled.” They think, “Did I get a ticket? Did
inflation hit my zip code? Did my car become expensive to repair?” Those are normal explanations.

What flips the switch from “normal” to “wait, what?” is when a driver discovers that a third party may have a
file that reads like a driving diary: braking events, speeding flags, time-of-day percentages, trip lengths,
and other metrics that feel oddly intimate for something you never knowingly handed over. It’s not just the
data; it’s the story the data tells. A “hard braking” event can mean aggressive driving… or it can
mean you avoided a crash because someone cut you off. A “late-night driving percentage” can mean risky
behavior… or it can mean you work second shift, visit family after dinner, or live in a place where errands
happen when the heat finally backs off. When people see that their life got turned into a spreadsheet without
context, they feel misrepresented.

Another real-world frustration is how hard it can be to identify the exact source of the data. Consumers may
bounce between an automaker, an insurer, and a data company, with each party speaking a different dialect:
“telematics,” “analytics partners,” “consumer disclosure,” “adverse action,” “risk exchange.” Drivers aren’t
trying to earn a graduate degree in paperwork; they’re trying to answer a simple question: “Who has my data,
and what are they doing with it?”

The most productive experiences tend to happen when drivers take a methodical approach:
they document what changed (premium, denial, cancellation), request the relevant consumer disclosure reports,
and audit their connected-car settings. People often describe the process as tedious but clarifying. Once you
have a copy of what’s on file, you can at least stop guessing. And once you understand what settings exist,
you can choose a level of connectivity that matches your comfortkeeping emergency services while limiting
sharing, for example.

Finally, there’s an emotional component that doesn’t show up in legal filings: trust. Drivers often say they
feel fine sharing data when they clearly understand the deal“I opt in, I get a discount, I can opt out later.”
What they resent is feeling tricked by ambiguity. Arkansas’s lawsuit taps into that exact sentiment: a sense
that the technology moved faster than transparency, and consumers paid the price in dollars and confidence.
Whether the courts ultimately agree with the state, the lived experience is already shaping the market: people
are learning to treat “connected” like a setting, not a default.

Conclusion: what to watch next

Arkansas’s lawsuit against GM and OnStar is about more than one company’s settings menu. It’s a referendum on
whether “connected” can coexist with genuine consentespecially when the downstream effect may show up in
something as practical as your insurance bill.

In the near term, watch for three things: (1) how GM responds in court, (2) whether other states follow with
similar consumer protection cases, and (3) how automakers redesign enrollment flows so drivers can say “yes”
to safety features without accidentally saying “yes” to an invisible data resale chain. If the industry wants
trust, it has to earn itpreferably in plain English, not in 47 scrolls of legalese.