
The FTC Just Told GM to Stop Selling Your Vehicle Data. Fleet Operators Should Pay Attention.

The FTC's GM/OnStar order changes how fleet vehicle data is treated. Here's what fleet finance and ops leaders should be asking their software vendors.


In January 2026, the Federal Trade Commission entered into a consent order with General Motors and its OnStar subsidiary that, in the simplest terms, restricts what GM can do with the data its vehicles generate. The order is the result of a multi-year investigation into how GM collected and shared driving data — including precise location, driver behavior scores, and trip details — with third parties, including data brokers and insurance companies. The order limits GM's ability to share this data without explicit consent for a period of five years, and it's expected to influence how every major automotive OEM handles connected vehicle data going forward.

Around the same time, in late 2025, a bipartisan group in Congress introduced federal legislation explicitly aimed at giving vehicle owners and fleet operators clearer rights over the data their vehicles produce. The bill is moving through committee at the time of writing, and while it's too early to predict its final form, the political consensus around it is unusual: this is one of the few digital privacy issues with active support across both parties.

If you run a fleet, neither of these developments is likely to show up on your dashboard tomorrow. But they should change how you think about the software systems your fleet relies on, and they should change the questions you ask when you evaluate the next one. Here's why.

Your fleet generates more data than you realize

Modern fleet vehicles — especially electric ones, but increasingly all vehicles — are continuous data emitters. The telematics device in each truck reports location, speed, acceleration, idle time, fault codes, fuel level, battery state of charge, and dozens of other variables, often at sub-minute intervals. The infotainment and connectivity systems report driver behavior data, climate control settings, and connected app usage. The charging network logs every EV session: when it started, when it ended, how many kWh were delivered, at what price, on what kind of charger. The fleet card company logs every transaction: where, when, for how much.

A 250-vehicle fleet generates, conservatively, several million data points a month. Across a year, that's a dataset detailed enough to reconstruct the precise movement of every vehicle, every driver behavior pattern, every fueling and charging decision, every operational anomaly. It's also detailed enough to reconstruct things you didn't intend to expose: which customer locations get visited most often, which drivers take longer breaks, which routes are most profitable.

That data is valuable. Vehicle OEMs know this. Telematics companies know this. Charging network operators know this. The question every fleet operator should be able to answer — and very few currently can — is who has access to my fleet's data, what are they doing with it, and what would happen if I wanted to take it back?

The data flows the FTC just disrupted

The GM/OnStar consent order is worth reading in some detail, because it lays out — in very plain language — the kinds of data flows that have been considered routine in the connected vehicle industry. Per the order, GM was sharing vehicle-generated data with third-party data brokers, who in turn were selling it to insurance companies, who in turn were using it to set premiums. None of this required the explicit, informed consent of the vehicle owner. None of it was disclosed in a way that an ordinary person would notice, let alone evaluate.

The FTC's position, in essence, is that the data a vehicle generates while being driven by its owner belongs — practically and ethically — to the owner. Sharing it with third parties without specific consent is, in the FTC's framing, a deceptive practice.

For consumer vehicle owners, this is a meaningful win. For fleet operators, it raises a more uncomfortable question: if my OEM was doing this with consumer vehicles, what is my OEM — or my charging provider, or my telematics vendor — doing with my fleet's data?

The honest answer, for most fleets, is that nobody knows. The contracts are vague. The data flows are not disclosed in terms a non-specialist would understand. The vendors aren't asked, and they don't volunteer.

The federal legislation: where it might land

The bill currently moving in Congress — and I'll avoid naming it specifically because the precise version is in flux — addresses several gaps the FTC consent order doesn't fully close. In particular, it focuses on commercial vehicle and fleet contexts, where the relationship between vehicle, owner, and data is different from the consumer case.

The provisions that have the most practical implication for fleet operators include: a baseline right of fleet owners to know what data is being collected from their vehicles, by whom, and for what purpose; a right to access that data in a usable, exportable format; restrictions on the resale or aggregation of fleet operational data without explicit consent; and a requirement that vendors disclose data-sharing relationships in plain language, not buried in terms of service.

It's too early to know which of these provisions survive the legislative process. Some version of fleet vehicle data rights is likely to become federal law within the next 12–24 months. The European Union has already moved further in this direction; under GDPR and the more recent Data Act, fleet operators in the EU already have stronger rights than their North American counterparts. The U.S. is, in this respect, catching up rather than leading.

What this means for fleet finance and operations leaders

Here's where the actionable part begins. Whether or not the federal legislation passes in its current form, the regulatory direction is clear, and the smart move is to start asking the right questions of your software vendors now — not in 18 months when the law forces you to.

Below is a set of questions every fleet controller, VP of finance, or director of fleet operations should be able to get clear answers to, from every vendor that handles fleet operational data. These aren't gotcha questions. They're the basic transparency questions a sophisticated buyer should be asking in 2026.

  1. Where is my fleet's data physically stored? Specifically: in what country, in what cloud environment, and is it co-located with other customers' data or in a dedicated environment? Co-located storage isn't inherently problematic, but it has implications for how data is accessed, who can access it, and what happens if a third party makes a legal request for one customer's data.
  2. Who has access to my fleet's data, and under what conditions? The vendor's own engineers, presumably. But also: support staff? Data science teams? Third-party processors? Marketing or sales teams using the data for case studies? If the vendor uses subprocessors (and most do), are they listed publicly?
  3. Is my fleet's data ever aggregated with other fleets' data, even anonymously? This is the one many vendors hesitate on. Aggregated, "anonymized" data products are a significant revenue stream in fleet software. They're sold to insurance companies, infrastructure planners, and other industry players. If your data is being aggregated this way, it should be your decision — not the vendor's default.
  4. Is my fleet's data ever resold or shared with third parties for any purpose other than delivering the contracted service? Read the answer carefully. "We don't sell your data" and "we don't share your data" are different statements. Both can be true while the vendor still includes your data in aggregated products that they sell.
  5. If I terminate my contract, what happens to my historical data? Can you export it? In what format? Is there an export fee? How long do you have to retrieve it before it's deleted? And is it actually deleted, or just made inaccessible to you while the vendor retains a copy for "internal purposes"?
  6. What is your process if a third party — a regulator, a litigant, another customer — requests access to my fleet's data? You want to know that the vendor will notify you and give you an opportunity to respond before complying with such a request, except where legally prohibited from doing so. Many vendors do not have a clear policy here, which usually means the answer is "we'd comply without telling you."
  7. What audit logs exist for access to my fleet's data, and can I see them? The fact that the vendor maintains internal audit logs is good. The fact that you can see them — that you can review who accessed your fleet's data, when, and why — is better. This is a feature that didn't exist in the fleet software industry five years ago. It's becoming table stakes.

What good answers look like

You'll know you're talking to a vendor that takes this seriously when their answers are specific, written down, and enforceable. Vague answers ("we take privacy very seriously") are a red flag. So are answers that exist in marketing materials but not in the contract. The vendors that handle this well typically have:

  - A published data processing policy that's specific to fleet customers, not a generic privacy notice
  - Per-customer data isolation as the default, not as an upcharge
  - A documented process for data export that doesn't involve a support ticket or a fee
  - Clear contractual commitments — in the master services agreement, not just in marketing copy — about what they will and won't do with your data
  - A subprocessor list that's public and updated when it changes
  - Audit logging that's visible to the customer

You should not have to negotiate any of this. If you find yourself negotiating basic data rights into a contract, you're working with a vendor that designed their product around their own access to your data, not around your control of it.

The bigger pattern

The FTC consent order, the federal legislation, the growing audit pressure on fleets to document their data-handling practices — these all point in the same direction. The era when fleet operators could outsource their data infrastructure without thinking carefully about who controls it is ending. The vendors that recognize this and design accordingly will earn the next decade of fleet contracts. The vendors that don't will be replaced.

For fleet finance leaders, the implication is concrete: data sovereignty isn't a niche concern for paranoid IT departments. It's a normal part of vendor evaluation, alongside pricing, integration, and feature set. Adding three or four data-handling questions to your standard RFP — and walking away from vendors that can't answer them clearly — is one of the cheaper risk-management improvements available to you in 2026.

The FTC has signaled, the legislators are moving, and the regulatory direction is clear. The fleets that move first will have done the hardest part — picking the right vendors — by the time it becomes a compliance requirement.


Published April 28, 2026