Insurance Curator Privacy Regulators Open Inquiries Into Auto Telematics Firms Over Consent, Data Retention and Location Tracking
By [Staff Writer]
Lead — Who, What, When, Where, Why
Privacy regulators in the United States and Europe have opened multiple inquiries into companies that supply telematics data to auto insurers, examining whether drivers gave meaningful consent, whether companies retained location histories too long, and whether third‑party sharing put consumers at risk — moves that accelerated after a year‑long U.S. probe of automakers’ telematics programs and a January 2026 Federal Trade Commission order against General Motors and its OnStar unit. The inquiries, announced and intensified between March 2025 and January 2026, target manufacturers, telematics vendors and data brokers whose compiled driving profiles have been sold or licensed to insurers and other third parties. Regulators say consumers were often not told clearly how drag‑and‑drop location and driving telemetry would be reused, and privacy advocates warn the practices can affect rates, coverage and safety for vulnerable groups. (ftc.gov)
What regulators say and what they are investigating
U.S. and state officials have flagged three related problems: whether drivers were enrolled in telematics programs through deceptive or unclear enrollment flows; whether precise location and second‑by‑second telemetry were retained longer than necessary; and whether data was resold or repurposed without legally valid consent.
In the most visible action, the Federal Trade Commission finalized an order on Jan. 14, 2026, with General Motors and OnStar that bans the company from disclosing precise geolocation and driver‑behavior data to consumer‑reporting agencies for five years and requires affirmative express consent before collecting or sharing certain connected‑vehicle data for 20 years. The FTC described the agency’s action as necessary to protect consumers from “unchecked surveillance.” (ftc.gov)
State attorneys general and other federal watchdogs have opened parallel probes. California Attorney General Rob Bonta in March 2025 launched an “investigative sweep” of the location‑data industry, issuing letters to ad networks, app makers and data brokers about their obligations under the California Consumer Privacy Act and warning that location data is “deeply personal” and must be safeguarded. Several state regulators have since requested documents and filed lawsuits or investigations into manufacturers and data intermediaries. (oag.ca.gov)
Why insurers and telematics vendors drew scrutiny
Connected‑vehicle telematics — ranging from factory‑fitted modules and embedded subscriptions to smartphone apps and aftermarket dongles — produce high‑granularity data that insurers prize for usage‑based insurance (UBI) and “pay‑how‑you‑drive” products. The same datasets can show when and where someone travels, how often they brake hard or exceed speed limits and even whether a seat belt was used. Insurers say that properly anonymized and proportionate use of telematics can improve pricing accuracy, reward safer driving and reduce fraud. Regulators and consumer advocates counter that the data is often repurposed, recombined with other sources, and used in opaque scoring to alter coverage or raise premiums — sometimes without consumers realizing what they agreed to. (fintel.io)
How data flowed from cars to insurers and brokers
Investigations and congressional oversight have traced commercial relationships in which automakers and telematics vendors shared driver telemetry with analytics firms and data brokers that then compiled driver “scorecards” and sold them to insurers. A July 2024 letter from U.S. Senators Ron Wyden and Ed Markey to the FTC flagged arrangements between automakers and a broker, Verisk, noting that Hyundai shared driving data from 1.7 million vehicles for roughly $1 million and Honda shared data from about 97,000 vehicles for roughly $25,920 — amounts that critics described as pennies per consumer. The senators urged the FTC to investigate whether consumers’ consent had been lawfully obtained. (fortune.com)
The New York Times and other outlets first publicized the contours of these relationships in 2024; subsequent regulator inquiries and litigation widened the net to cover telematics vendors and data brokers that facilitate resale to insurers. Prosecutors and regulators say some consumers learned they had been tracked only after insurers raised rates or canceled coverage — a downstream harm that made the question of consent central to enforcement work. (automotivedive.com)
Consent, dark patterns and dealer enrollment
Regulators and privacy researchers say the core consent problem is that disclosures are fragmented, buried or presented in ways that are not “free” under privacy law. In several cases, dealers or in‑car interfaces routed purchasers through many screens and dense policies at the point of sale; many customers later reported they were unaware they had been enrolled. The FTC and state authorities have said such enrollment flows can amount to “dark patterns” if they nudge users into sharing data they otherwise would decline to provide. (ftc.gov)
“Location data can let anyone know if you visit a health clinic or hospital, and can identify your everyday habits and movements,” California Attorney General Rob Bonta said when announcing the 2025 sweep, stressing that companies must take extra care with geolocation data. (oag.ca.gov)
Retention, aggregation and re‑identification risks
Telematics firms argue that aggregated or “de‑identified” datasets reduce risk. Yet privacy researchers and regulators have repeatedly found that high‑frequency telemetry and location traces are difficult to anonymize: patterns of movement can be re‑identified by cross‑referencing public records, parking locations, or device identifiers. Regulators have pressed companies for retention timelines and technical measures such as local in‑vehicle processing, deletion windows and cryptographic minimization to limit re‑identification. The European Data Protection Board and national authorities have emphasized that geolocation must be collected only if strictly necessary, that storage periods should be short, and that users need easy ways to deactivate tracking. (bristows.com)
“Where possible, processing should be local to the vehicle, and only scores — not raw traces — should be transmitted to third parties,” legal analysts and EU guidance have recommended. Regulators in France and across the EU have been consulting on guidance aimed at vehicles, telematics suppliers and insurers to tighten controls on location data. (365trust.me)
Insurance industry perspective and the business case for telematics
Insurers and insurtech companies say telematics is an actuarial advance: it substitutes observed behavior for proxy variables such as credit scores or ZIP code, potentially reducing cross‑subsidies and rewarding safer drivers. Major carriers and insurtechs file telematics programs in many states and report large datasets supporting underwriting and claims management. Companies such as Allstate have long‑running programs; startup insurers and legacy carriers increasingly deploy telematics scores, smartphone apps and device options. In securities filings and annual reports, firms cite telematics as a strategic tool to segment risk, reduce fraud and engage customers. (fintel.io)
But insurers acknowledge regulatory constraints. California’s Proposition 103, for example, limits the use of telematics in underwriting to mileage verification in some cases, and other states vary in their treatment of behavior‑based pricing. Firms say regulatory uncertainty — and enforcement actions such as the FTC’s order — could chill programs or force redesigns that emphasize in‑vehicle scoring or local processing rather than raw trip data transmission. (sec.gov)
Privacy advocates and consumer harms
Civil‑society groups and privacy scholars stress that telematics can amplify discrimination and compound harms when combined with other datasets. They worry that automated scores lack transparency and that the syndication of driving histories gives insurers new vectors to deny coverage or to intensify price‑based sorting. Some advocates point to real‑world harms already alleged in lawsuits and regulatory complaints: drivers who were unaware of tracking say their policies rose or were not renewed after data flagged “risk.” (roadandtrack.com)
Senators Wyden and Markey captured the theme in their July 2024 letter: “If the FTC determines that these companies violated the law, we urge you to hold the companies and their senior executives accountable,” they wrote, pressing for a wide probe of how automakers disclosed data flows and how brokers resold driving records. (fortune.com)
Legal and regulatory tools under consideration
Regulators are using a mix of existing consumer‑protection statutes, state privacy laws and sectoral insurance rules. The FTC has relied on its unfair‑and‑deceptive‑acts authority to challenge misleading enrollments and failures to disclose downstream uses of data. State attorneys general are using consumer‑protection statutes and the California sweep invoked the CCPA’s sensitive‑personal‑information provisions to probe location‑data flows. In Europe, the GDPR’s strict requirements for consent and data‑minimization give national data protection authorities a route to curb telemetry that is not strictly necessary. (ftc.gov)
Industry groups are also seeking clarity. Automakers, dealers and telematics vendors have pointed to the benefits of UBI and pushed for rules that recognize the legitimacy of tailored pricing while prescribing clear consent standards and data‑use limits. Some industry coalitions favor standardized privacy notices and technical APIs that allow drivers to control what leaves the vehicle. (puntersouthall.law)
What changes are companies making
In response to public reporting and enforcement actions, several automakers and vendors have scaled back programs, terminated resale arrangements and simplified privacy notices. GM says it discontinued its OnStar Smart Driver program in 2024 and ended some third‑party telematics relationships; the company has told regulators it has simplified privacy statements and expanded ways for consumers to access and delete data. Data brokers such as Verisk temporarily closed or paused some driver‑scoring products after public scrutiny. But critics say structural incentives — recurring revenue from subscriptions and commercial licensing — will keep companies seeking ways to monetize vehicle data unless tighter regulation or market pressure intervenes. (automotivedive.com)
Potential policy outcomes and next steps
Regulators and legislators are weighing several policy responses: stronger consent rules requiring affirmative in‑dealer or in‑vehicle opt‑ins; limits on data retention and third‑party resale; rules forbidding use of high‑frequency location traces for non‑safety pricing decisions; and audit requirements for scoring vendors to guard against biased outcomes. Some lawmakers have proposed legislation to ban certain resale of vehicle data or to treat telematics as sensitive personal information requiring enhanced protections. At the same time, insurers and safety researchers warn that overly broad bans could slow innovations that reduce accident risk and claims costs. (congress.gov)
Experts say the likely equilibrium will mix technical bounds (local scoring, encryption, short retention windows), clearer consent mechanics at point of sale, and regulatory audits of brokers and scoring models. “Companies should limit the transmission of raw traces, apply rigorous deletion schedules, and give drivers straightforward toggles to disable precise location,” said a privacy analyst advising industry stakeholders. (Analyst remarks summarized from regulatory filings and public comments.) (scribd.com)
What drivers can do now
Regulators and consumer groups advise drivers to check in‑car privacy settings, opt out of optional telemetry where allowed, review dealer paperwork at sale time, and use state privacy rights where available to request copies of data or deletion. In California, consumers can exercise “opt‑out” rights under the CCPA for sensitive categories like geolocation. For drivers worried about insurance uses, experts recommend asking insurers how they score telematics and for written guarantees about resale and retention before enrolling. (oag.ca.gov)
Conclusion — stakes for insurance and privacy
Telematics and UBI remain a potent force for making insurance more individualized and, potentially, fairer when well governed. But the recent regulatory inquiries underscore a basic tradeoff: fine‑grained telemetry yields actuarial precision, yet it also creates powerful surveillance capabilities with downstream consequences for rates, eligibility and personal privacy. Regulators in the U.S. and Europe are now probing where the line should be drawn between actuarial innovation and consumer protection — a determination that will shape how insurers price risk and how drivers’ movements are governed for years to come. (ftc.gov)
Sources and reporting notes
This article draws on recent enforcement actions, public regulator statements and reporting by The Wall Street Journal, TechCrunch, Fortune, the California Attorney General’s office and the Federal Trade Commission, as well as securities filings and industry reports on telematics and usage‑based insurance. Specific referenced documents and reporting include the FTC’s Jan. 14, 2026 matter page, the California Attorney General’s March 10, 2025 press release, congressional correspondence summarized in contemporaneous reporting, and automakers’ and insurers’ public filings. (ftc.gov)
Selected recent sources
- Federal Trade Commission, “FTC Finalizes Order Settling Allegations that GM and OnStar Collected and Sold Geolocation Data Without Consumers’ Informed Consent.” (Jan. 14, 2026). (ftc.gov)
- Office of the Attorney General of California, “Attorney General Bonta Announces Investigative Sweep of Location Data Industry” (March 10, 2025). (oag.ca.gov)
- Fortune, “General Motors, Hyundai, and Honda are accused of inappropriately sharing customer data” (summary of U.S. senators’ letter and findings). (fortune.com)
- TechCrunch, “GM banned from sharing driving and location data with insurance companies” (coverage of FTC action and quote from FTC Chair Lina Khan). (techcrunch.com)
- Allstate 2023 Form 10‑K and telematics program descriptions; Root, Inc. SEC filings on telematics data use (company disclosures on reliance on telematics for underwriting). (fintel.io)
(Reporting continues. Journalists and regulators with new documents or comment are asked to contact the newsroom.)