Welcome to Prevent This, our weekly community newsletter covering cybersecurity for everyone. If you found us through Intruvent Edge, our bi-weekly technical deep dive, welcome. Both live on the same Substack. Feel free to share either one. We’re glad you’re here.

Your car knows where you go, how fast you drive, how hard you brake, and what time you get home at night. And in millions of cases, your car manufacturer has been quietly selling that information to data brokers, who pass it to insurance companies, who use it to raise your premiums.

You probably did not agree to this. You may not even know it is happening. 82% of connected car drivers have no idea how much data their vehicle collects. The FTC just took action against General Motors for doing exactly this. And GM is far from the only brand involved.

What Happened?

On January 14, 2026, the Federal Trade Commission finalized a consent order against General Motors and its OnStar subsidiary. The FTC found that GM had been collecting detailed driving behavior data from more than 14 million vehicles and selling it to data brokers, specifically Verisk Analytics and LexisNexis Risk Solutions. Those data brokers then made the information available to insurance companies.

The data was granular. OnStar recorded precise geolocation every 3 seconds, hard braking, hard acceleration, speeding (anything over 80 mph was flagged), late-night driving patterns, trip times, and seatbelt usage. GM earned approximately $20 million from selling this data. Honda sold similar data for about $0.26 per car. The financial incentive for the manufacturer is modest. The financial impact on the driver can be anything but.

Your car is not the only device in your life with this problem. Smart TVs, fitness trackers, doorbell cameras, thermostats, and yes, even smart refrigerators collect data about your daily habits and routines. Your car just happens to be the one the FTC caught selling it to your insurance company. The principle is the same across every connected device you own: if it is connected to the internet, it is collecting data. The question is who else is seeing it.

What Happened to Real People

When the New York Times investigated in 2024, they found consumers whose insurance premiums had increased by 21% and 80% after their driving data was shared without their knowledge. One driver reported being rejected by seven insurers. Another discovered a 258-page LexisNexis report documenting every trip they had taken for months.

A 2024 study found that only 31% of drivers who participated in telematics programs (voluntarily or not) saw lower premiums. 24% paid more. The rest saw no change, meaning the data collection provided no benefit to them but still created a permanent record of their driving behavior in a third-party database.

Why Should You Care?

This affects most people who drive a car manufactured in roughly the last decade. The Mozilla Foundation evaluated 25 major car brands for privacy in 2023. Every single one failed. Mozilla called cars “the worst product category for privacy we have ever reviewed.” For example, Nissan’s privacy policy claims the right to collect “sexual activity” and “genetic data.” Most brands reserve the right to share data with law enforcement without a warrant.

• 82% of connected car drivers don’t know how much data their car collects

• 40% don’t even know they have connected services active in their vehicle

• 96% of consumers say they should own the data their car generates

• A modern connected car transmits 1 to 1.5 gigabytes per day to the manufacturer’s cloud

How Does This Work?

Think of your car as a smartphone on wheels. It has a cellular connection, a GPS receiver, and dozens of sensors. Every time you drive, the car records where you went, how you got there, and how you drove along the way. That data is transmitted to the manufacturer through the car’s built-in cellular connection.

Historically, this data was used for services like navigation, crash detection, and remote diagnostics. Those are legitimate functions. The problem is that manufacturers began selling the same data to third parties, particularly data brokers who aggregate driving records and sell “risk profiles” to insurers.

Here is how the pipeline works:

1. Your car collects driving data (speed, braking, location, time of day) and transmits it to the manufacturer’s cloud.

2. The manufacturer sells or shares the data with a data broker like Verisk or LexisNexis.

3. The data broker builds a driving profile on you, which may include a risk score, trip history, and behavioral patterns.

4. Your insurance company purchases or accesses the profile and uses it to adjust your premium at renewal, sometimes without telling you why your rate changed.

The consent you gave was typically buried in the terms of service you accepted when you set up OnStar, FordPass, or Toyota Connected Services. The FTC found that GM’s enrollment process was designed to obscure the data-sharing, with consent bundled into multi-step flows that most consumers clicked through without reading.

Which Brands Are Doing This?

The brands that have been confirmed selling or sharing driving data with insurance-related data brokers include:

• General Motors (OnStar, sold to Verisk and LexisNexis)

• Honda (sold to Verisk)

• Hyundai (shared with Verisk)

• Kia (shared with LexisNexis)

• Subaru (shared with LexisNexis)

• Mitsubishi (shared with LexisNexis)

• Ford (shared with Verisk)

Verisk announced in early 2025 that it would stop collecting driving data from automakers. LexisNexis continues to operate its driving data program.

Toyota, Tesla, BMW, Mercedes-Benz, and other brands collect extensive driving data but the specifics of their third-party sharing arrangements are less well-documented. Their privacy policies broadly reserve the right to share data with “business partners” and “affiliates.”

What Can You Do?

Step 1: Find Out What Data Brokers Already Have on You

You have a legal right under the Fair Credit Reporting Act to request a free copy of your consumer file from data brokers. Two reports to request:

• LexisNexis Consumer Disclosure: consumer.risk.lexisnexis.com/request. This is the report that has documented 258-page driving histories for some consumers. Request it and see what they have.

• Verisk Consumer Report: fcra.verisk.com. Even though Verisk says they stopped collecting new data from automakers, they may still have your historical records.

Both reports are free. They take about 15 minutes to request and typically arrive within 30 days.

Step 2: Check Your Vehicle’s Privacy Settings

You can also check what your specific car is sharing using Privacy4Cars, a free tool at VehiclePrivacyReport.com. Enter your VIN and it tells you what data your car collects and shares.

Step 3: Opt Out of Data Sharing

Most manufacturers provide a way to opt out, though they do not make it easy. Here is how to do it for the most common brands:

• GM/OnStar: Call OnStar (1-888-466-7827) or go to your OnStar account settings and disable “Connected Vehicle Data Sharing.” Under the FTC consent order, GM must now provide clear opt-out mechanisms and honor deletion requests.

• Ford: Open the FordPass app, go to Settings, then Privacy, and disable data sharing. You can also call Ford customer service.

• Toyota: Call Toyota Connected Services (1-800-331-4331) and request deactivation of data sharing. You can also manage settings through the Toyota app.

• Honda: Call 1-800-999-1009 and request opt-out from data sharing programs.

• Tesla: Go to Controls > Software > Data Sharing on the touchscreen and toggle off.

• Hyundai/Kia: Call Hyundai (1-800-633-5151) or Kia (1-800-333-4542) and request opt-out. You can also manage through the Bluelink or Kia Connect apps.

A word of caution: opting out of data sharing may disable some connected features you use, like remote start, stolen vehicle tracking, or automatic crash notification. You will need to decide which features are worth the trade-off.

Step 4: Dispute Inaccurate Driving Data With Your Insurer

If you discover that a data broker has inaccurate driving data about you, or if your insurance premium increased and you suspect it was based on vehicle telematics data, you have the right to dispute it. Under the FCRA, both the data broker and the insurer must investigate disputes and correct inaccuracies. Contact your insurance company and ask directly: “Are you using telematics or driving behavior data in my rate calculation?”

Step 5: Wipe Your Data When You Sell Your Car

When you sell or trade in your vehicle, your personal data goes with it unless you manually remove it. Connected cars can store saved addresses (including your home and workplace), Wi-Fi passwords, contacts synced from your phone, garage door codes, credit card information from in-car payment systems, and your complete trip history.

Before handing over the keys:

1. Perform a factory reset through the car’s settings menu

2. Remove the car from your manufacturer account (OnStar, FordPass, Toyota app, etc.)

3. Un-pair your phone from the Bluetooth system

4. Delete your home address and saved locations from the navigation system

5. Remove any stored garage door opener codes

A Note on the Law

Three states have now banned this practice outright: Maryland (2024), Oregon (January 2026), and Virginia (effective July 2026). California imposed a $12.75 million CCPA penalty on GM, the largest CCPA penalty ever. The Texas Attorney General sued multiple automakers over data collection affecting 45 million Americans. There is no federal law prohibiting this. If you do not live in one of those three states, opting out directly with the manufacturer is your only protection.

One more thing: rental cars. Roughly 90% of rental vehicles have GPS tracking and store the data for months. When you return a rental, disconnect your phone from Bluetooth, delete your navigation history, and sign out of any accounts on the infotainment system.

The Bottom Line

Your car is one of the most prolific data collectors in your life, and until recently, most manufacturers were sharing that data without meaningful consent. The FTC’s action against GM is a start, but it only covers one company. The driving data that has already been collected and sold is sitting in broker databases and may already be influencing your insurance rates.

Four things to do to address this:

1. Request your LexisNexis report at consumer.risk.lexisnexis.com/request. Find out what they have on you. It is free.

2. Check your car’s privacy settings using VehiclePrivacyReport.com. Enter your VIN.

3. Opt out of data sharing through your manufacturer’s app or by calling them directly.

4. Ask your insurer whether they are using telematics or driving behavior data in your rate calculation.

You probably gave your car permission to do this when you tapped “Agree” on a screen during setup. Now you know what you agreed to. Share this with anyone who drives.

Sources

• FTC: Order settling GM/OnStar geolocation data allegations (January 14, 2026)

• Mozilla Foundation: Privacy Not Included, Cars (2023)

• New York Times: Carmakers Are Sharing Driver Data With Insurers (March 2024)

• LexisNexis: Consumer Disclosure Request

• Verisk: Consumer Report Request

• Privacy4Cars: Vehicle Privacy Report

• FTC: New Trends in Imposter Scams (May 7, 2026)

Prevent This is a weekly cybersecurity newsletter from Intruvent Technologies. Each week, we break down one cyber threat in plain language and give you the tools to protect yourself and the people you care about. For our bi-weekly technical deep dive, check out Intruvent Edge.