Geolocation Enforcement and Multi-Device Consent: Key Takeaways from the FTC and CNIL

Want to receive these privacy recaps in your inbox each week? Subscribe here.

The FTC published a final order requiring General Motors and OnStar to implement measures for the next 20 years (centered on affirmative, express consent and consumer controls) and imposed a five-year ban on disclosing consumer geolocation data to consumer reporting agencies. 

In Europe, CNIL’s final recommendations on multi-device consent explain how organizations should inform users, apply choices across devices, and resolve conflicts when preferences differ between a device and a logged-in account.

Keep reading to learn more and discover my takeaways.

United States

FTC Finalizes GM / OnStar Settlement Over Geolocation Data Collection

TThe Federal Trade Commission published a final order requiring General Motors and OnStar to take certain measures for the next 20 years and imposing a 5-year ban on the disclosure of consumer geolocation data to consumer reporting agencies. The measures GM and OnStar must take include: 

1. Obtaining affirmative, express consent from consumers prior to most collection, use, or sharing of connected vehicle data;
2. Creating a way for consumers to request a copy of their data and seek its deletion; 
3. Giving consumers the ability to disable the collection of precise geolocation information from their vehicles; and 
4. Providing a way for consumers to opt out of the collection of geolocation and driver behavior data.  

The underlying complaint alleged that GM and OnStar engaged in unfair or deceptive acts or practices under the FTC Act by collecting and selling precise consumer geolocation data and driver behavior data to third parties without obtaining affirmative express consent prior to collection.

TAKEAWAY

Sensitive location data was an enforcement focus for the FTC, state regulators and private plaintiffs in 2025. The following is a timeline of notable geolocation enforcement over the last year: 

• January: In the same week that the FTC filed the complaint against GM and OnStar, the FTC finalized orders with data brokers Mobilewalla and Gravy Analytics over the sale of sensitive location data to third parties without user consent, and the Texas Attorney General filed an action against Allstate over the collection of location and driving data from users of third-party apps without sufficient privacy disclosure or consent. 
• March: The California Attorney General announced an investigative sweep of the location data industry, focusing on how businesses offer and effectuate consumers’ right to limit the use of their sensitive personal information, including geolocation data. 
• July: The Nebraska AG filed a lawsuit against General Motors and OnStar alleging that they collected and sold driver data (including speed, seatbelt usage, driving habits and location) to third party data brokers without user knowledge or consent. 
• August: 37 Attorneys General joined a coalition to urge Instagram to strengthen its location privacy protections. 
• September: The FTC announced a proposed order against Apitor Technology over allegations that the toy maker enabled a third party to collect geolocation information from children without parental consent. 
• October: The Florida AG took action against Roku for failing to disclose the sale of precise geolocation information in accordance with Florida law, among other allegations. 
• And at various points in 2025, class actions in California, Massachusetts, and Idaho settled with data analytics provider Kochava over the sale of sensitive location data to third parties without user consent. The FTC’s case against Kochava is still ongoing.

EUROPE

CNIL Publishes Final Recommendations for Multi-Device Consent. 

Following a public consultation, the French Data Protection Authority (CNIL) published recommendations defining the conditions under which multi-device consent must be requested, as well as methods for organizations to inform users of their consent choices and resolve conflicts among user choices across devices. 

The CNIL also published an article educating users about their rights regarding cross-device consent. Notably, the CNIL recommends that organizations take the following actions:

If the user can give consent once for all devices, they should also be able to refuse or withdraw it within the same simplicity and scope (i.e., accepting, refusing, or changing your mind should have the same effects on all devices). 

Users should be informed before making choices (e.g., in the first layer of the CMP) if the user’s choices will apply to all devices connected to the user’s account.

When connecting from a new terminal, the CNIL recommends displaying a temporary message to remind the user of the scope of their choices. 

If the choices made on a device before logging in differ from those recorded on the user’s account, the organization should clearly inform the user and explain how that situation is handled. Conflicts can be resolved by prioritizing the user’s last choice before they log into their account (regardless of the device) or by prioritizing the preferences saved by the user in their account. 

When choices regarding cookies and other trackers apply to multiple devices, the logic must be the same for all options. 

TAKEAWAY

The final recommendations have been modified slightly from the proposed recommendations that were presented in April 2025. 

In response to a public consultation, the CNIL, for example, added the recommendation that information about multi-device consent be provided in the first layer of the CMP and clarified that the ability to revisit choices could be accessible in a preference center. 

However, the substance of the recommendations remains unchanged from the April 2025 version. 

A LITTLE MORE PRIVACY, IF YOU PLEASE

• Google Settles Children’s Privacy Class Action 
• 2026 data privacy trends: Predictions from the experts
• California Invasion of Privacy Act (CIPA): The essential guide

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.