Taking your customers' data and selling it without their knowledge or consent is a really rotten thing to do. That's why the Federal Trade Commission is throwing the book at General Motors for doing just that — officially barring the automaker from sharing certain consumer data with consumer reporting agencies for five entire years. I know, I know. Sounds like a tough sentence, but if you can't do the time, don't do the crime.

GM first agreed to this sweetheart settlement with the FTC in January 2025 over allegations it stole data from millions of customer vehicles "without adequately notifying customers and obtaining their affirmative consent." Now, the settlement has officially been finalized.

Don't worry, GM will also have to pay a hefty financial penalty of zero dollars. From the Detroit Free Press:

"As vehicle connectivity becomes increasingly integral to the driving experience, GM remains committed to protecting customer privacy, maintaining trust, and ensuring customers have a clear understanding of our practices," [a GM] statement said. In the initial complaint, federal regulators alleged GM's enrollment process for OnStar's connected vehicle service and OnStar Smart Driver features was misleading; customers were not aware their data was being sold to third parties. A New York Times investigation in March 2024 concluded that GM sold customer data to global data broker LexisNexis, which ultimately found its way to auto insurance companies that in turn increased premiums for certain drivers. One month after that report, GM discontinued Smart Driver across all GM vehicles, unenrolled all its customers, and ended third-party telematics relationships with LexisNexis and Verisk. [...] The final order imposes a five-year ban on GM for disclosing consumers' geolocation and driver behavior data to consumer reporting agencies, the agency said in a news release, also noting that "this fencing-in relief is appropriate given GM's egregious betrayal of consumers' trust."

The agreement with the FTC will last for 20 years, and GM will be required to obtain affirmative express consent from customers before collecting, using or sharing data. It'll also have to create a method for all GM customers in the U.S. to request a copy of their connected vehicle data, with the ability to delete it. Additionally, it will have to allow customers to disable geolocation data collection for their vehicles, and it must provide a way for customers to opt out of geolocation and driver behavior data collection "with some limited exceptions."

I'm sure this tap on the wrist will teach GM its lesson.