The dealer-data privacy frontier
Writing and Images generated by AI

The Dealer Data Privacy Frontier: What's Coming After GM/OnStar
The FTC just dropped a $100M settlement with GM over OnStar geolocation tracking, and honestly? That's the canary in the coal mine for independent used-car dealers. No cap.
If you're still thinking privacy compliance is something the big OEMs handle and you don't have to sweat, you pulled the codes wrong. The fallout from this case is reshaping how state legislatures view dealer data collection—and 2025–2026 is about to be wild.
The GM/OnStar Blueprint: What Actually Went Down
General Motors got hit because OnStar kept collecting geolocation data even after owners opted out. Customers thought they'd disabled tracking. They hadn't. GM sold that location intelligence to third parties. The FTC saw that as an unfair and deceptive practice under the Safeguards Rule.
Here's the real scope: the FTC proved GM had the *technical capability* to honor opt-out requests but chose not to implement it properly. That distinction matters for dealers. It means you can't hide behind "our system defaults to collection." If you can turn it off, regulators expect you *will* when customers ask.
State-Level Privacy Laws Are Getting Teeth in 2025–2026
Five states already have comprehensive data privacy statutes in place: California, Colorado, Connecticut, Utah, and Virginia. But the wave doesn't stop there.
New statutes expected to pass or go into effect:
- Florida: HB 265 (effective July 2024, but enforcement expands in 2025). Gives consumers rights to know what personal data dealers collect and why. Statute reference: Fla. Stat. § 501.171(2).
- Texas: Privacy bills gaining traction. Texas Attorney General has been aggressive on data practices. Expect something codified by mid-2025.
- Georgia: Proposed legislation (S.B. 394) modeled on Virginia/Colorado frameworks. If passed, dealers collecting customer location, phone, email, and vehicle purchase history will need documented consent and opt-out mechanisms.
- Michigan: Data privacy bill likely moving in 2025 session. Given Michigan's auto industry footprint, dealer-specific exemptions are being debated.
- North Carolina: House Commerce Committee advancing privacy legislation with explicit vehicle data protections.
What the GM Settlement Teaches Independent Dealers
The FTC's action against GM centered on three violations:
- Misleading consumers about data practices: OnStar marketing said tracking could be disabled. It couldn't be, not fully.
- Failing to maintain reasonable security: Customer location data was shared with third parties without encryption standards.
- Using dark patterns: Opt-out processes were buried in settings menus, so opting out was technically possible but the setting was practically impossible for average owners to find.
For a used-car dealer in Atlanta, Memphis, or Phoenix, this means:
- If your website collects geolocation (for trade-in appraisals, inventory alerts), be explicit about it in your privacy policy.
- Don't default to data collection and hide the opt-out. That's what got GM fined.
- Make sure your CRM system and any bidirectional syncing with third-party platforms (SMS vendors, email marketing, Google Ads) have clear documentation of what data flows where.
Dealer-Specific Data Risks on the Horizon
Vehicle history data: Dealers traditionally pull Carfax, AutoCheck, and title records. New state laws are asking whether this constitutes "personal data." If a dealer runs a VIN check and cross-references it with customer phone numbers, that's now a data linkage. Some states (California, Colorado) already consider this biometric-adjacent.
Trade-in appraisals: You ask for the customer's address, phone, email, vehicle photos, mileage. If you store that and later cross-sell it to a finance partner or use it for retargeting ads, you need affirmative consent. Not just a checked box on your website.
GPS-tracked loaner cars: If you offer loaner vehicles while repairs happen, and those vehicles have telematics, you're collecting location data. The settlement language explicitly covers this.
Your 2025 Compliance Checklist
- Audit your consent mechanisms: Do you have documented, affirmative opt-in for location tracking? Email marketing? SMS?
- Map your data flows: Where does customer data go after initial collection? CRM → Finance partner → Insurance lead broker? Document it.
- Review third-party integrations: Your Clover POS, DealerSocket, or whatever CRM you use—what's their privacy policy? Are they FTC-certified?
- State-by-state privacy notices: If you operate in Florida, Texas, or Georgia, update your privacy policy to reference those specific statutes.
- Train your team: Your sales staff shouldn't be collecting data beyond what's necessary. That's low-key the biggest liability.
Real Talk
Content creators like myself have built audiences by being transparent about how we use data—what we track, why, and how people can opt out. It's built trust. Dealers who adopt that same mentality—fr—will dodge the FTC crosshairs and convert more repeat customers.
The dealers getting crushed in 2025–2026 won't be the ones who collected data. They'll be the ones who collected it, didn't disclose it properly, and got caught.
Stay ahead of it.