Every modern vehicle on American roads — from a Chevy Bolt to a Freightliner Cascadia — is generating a river of data. Most of the people driving those vehicles have no idea where it goes.
By Ricardo Rodriguez-Long
Let’s start with a number: $12.75 million. That is what General Motors agreed to pay the State of California in May 2026 — the largest penalty ever levied under the California Consumer Privacy Act. The charge? GM had been quietly harvesting the driving data of hundreds of thousands of OnStar subscribers and selling it to data brokers LexisNexis Risk Solutions and Verisk Analytics, allegedly without meaningful consumer consent, from 2020 through 2024. In the process, GM pocketed an estimated $20 million. From where I sit, the math looks like this: $20 million in revenue, $12.75 million in penalties, and net profit on the surveillance of your own customers. That is not a deterrent. That is a business model with an acceptable cost of doing business baked in.
GM is not alone. California settled similar cases against Honda and Ford in the preceding fourteen months. The Federal Trade Commission finalized its own consent order with GM earlier this year. And every week, somewhere in a conference room, another automaker’s data monetization team is running the same arithmetic.
Now, those cases involve passenger cars and consumer privacy law. But if you run fleets, manage drivers, or set policy for a trucking association, I need you to lean in for a moment. Because what happened to OnStar customers is a polite preview of a conversation coming directly for this industry — and we are not nearly prepared for it.
The Cab Is Not Just a Workplace
The modern Class 8 tractor is, by any technical definition, a rolling surveillance platform. Proprietary telematics systems — Detroit Connect, Hino Edge, Mack’s GuardDog Connect — collect continuous engine diagnostics, precise GPS routing, idle-time logs, fuel economy data, and granular driver behavior metrics, including hard braking events, rapid acceleration, and lane departure patterns. Dual-facing AI cameras from vendors like Lytx, Samsara, and Motive add another layer: real-time video and audio of both the road and the driver’s face, running algorithms that flag distraction, fatigue, and emotional state.
None of that, in principle, is wrong. Safety data saves lives. Telematics reduces fuel consumption. Predictive diagnostics cut down time. I have covered this industry for four decades, and I have seen the numbers. The argument for connected commercial vehicles is legitimate.
The problem is not the collection of the data. The problem is what happens after collection. Who controls it, and who profits from this?
A long-haul driver spending 11 hours behind the wheel and 10 hours in the sleeper berth is not simply operating a company asset. That cab is, functionally, home. The AI camera does not clock out when the parking brake engages. The telematics system does not distinguish between a professional driving decision and a personal moment. And unlike the OnStar customer who at least received a privacy disclosure buried in a subscription agreement, many commercial drivers have signed broad consent language in their hiring paperwork without any clear picture of how extensively they are being monitored, how long that data is retained, or who — beyond their immediate employer — may ultimately access it.
The Third-Party Problem
Here is the specific risk I want executives and policymakers to sit with. Fleet telematics data does not stay inside a fleet. It flows to insurance underwriters calculating commercial auto premiums. It flows to fleet management software platforms that aggregate behavioral metrics across carriers. It flows to third-party safety analytics firms whose own data-sharing agreements may not have been visible to the fleet operator who signed the original vendor contract — let alone the driver.
The GM case was triggered, in part, by a 2024 New York Times investigation that found driving data was being used to calculate insurance risk scores, resulting in premium increases for consumers who never explicitly agreed to the arrangement. The commercial equivalent of that scenario — driver behavior scores flowing from a telematics vendor to a commercial insurer or a freight broker’s carrier vetting platform — is not hypothetical. It is operational today at scale.
A driver flagged by an AI camera for a “distraction event” (which was, in fact, a glance at a convex mirror in the door frame) has a notation in the system. That notation may travel with the driver’s behavior record. The algorithm does not file appeals.
The Regulatory Gap Is Real — and Narrowing
California’s CCPA applies to consumers. FMCSA’s regulatory framework governs safety and hours of service. Neither was written with the specific question of commercial driver data rights in mind. States like Illinois, Texas, and Washington have Biometric Information Privacy Acts that extend some protections to workplace biometric collection — but coverage is inconsistent, enforcement is nascent, and most fleet telematics deployments have been structured to fall between the jurisdictional lines.
That gap is closing. The FTC’s interest in vehicle data is clearly escalating. California’s Privacy Protection Agency has demonstrated both the appetite and the enforcement mechanism to move aggressively. Congressional interest in a federal data privacy standard — whatever form that eventually takes — will not exempt commercial vehicles because trucks are larger than cars.
The industry has a window to shape what that standard looks like. It is not unlimited.
What Leadership Should Do Now
This is not a call for fleets to tear out their telematics systems. It is a call for the industry to take ownership of a conversation that regulators will otherwise have without us. New or Used truck, the data collection continues. A few practical imperatives for executives and association leaders:
Audit your data flows. Know precisely which vendors receive your telematics data, under what contractual terms, for how long it is retained, and whether any resale or sublicensing is permitted. If you cannot answer those questions today, you have a liability you have not yet fully understood.
Build transparency into driver relations. A workforce that understands what is being collected, why, and how it is protected is a more stable workforce. The narrative that surveillance is purely punitive — fair or not — is already circulating in driver communities. Transparent policy is both the ethical and operationally intelligent response.
Engage the standard-setting process. ATA, UTA, and state trucking associations should be active voices in any federal or state data privacy rulemaking that touches commercial vehicles. The alternative is standards written by people who have never managed, much less driven, a truck.
Some trucking executives will look at the GM fine, file it under “passenger car problem,” and move on. That would be a mistake. GM, Honda, and Ford getting hit in rapid succession is not a coincidence — it is regulators finding their footing. They now have tools, the precedent, and clearly the appetite to pursue vehicle data cases aggressively. Commercial trucks are not exempt from that trajectory; they are simply next in line. New rules around vehicle data collection are coming. The only real decision left for this industry is whether to be at the table, helping to write them, or to sit across from an enforcement agency after they’re already written. One of those positions comes with a seat on a working group. The other costs a lot more.
