California Hits General Motors With Record Privacy Settlement Over Driver Data Sales

Key Takeaways

• Record Privacy Settlement: General Motors agreed to a proposed $12.75 million settlement over allegations it unlawfully sold Californians’ driving and location data.
• Connected Car Data Under Fire: California regulators said GM shared sensitive OnStar data with data brokers without properly informing or obtaining consent from consumers.
• First Data Minimization Enforcement: Officials described the case as California’s first enforcement action centered on the CCPA’s data minimization and purpose limitation rules.
• Five-Year Restrictions Imposed: The settlement would bar GM from selling driving data to consumer reporting agencies and data brokers for five years.

Deep Dive

California Attorney General Rob Bonta announced Friday that General Motors has agreed to a proposed $12.75 million settlement over allegations the company illegally sold the driving and location data of hundreds of thousands of Californians to third-party data brokers without consumers’ knowledge or consent.

The agreement, reached alongside district attorneys from Los Angeles, San Francisco, Napa, and Sonoma counties with support from the California Privacy Protection Agency, marks the largest penalty secured under the California Consumer Privacy Act (CCPA) to date and what officials described as the state’s first enforcement action focused on data minimization requirements.

At the center of the case is OnStar, GM’s connected vehicle platform known for services like navigation assistance, roadside help, and crash response. Investigators alleged that between 2020 and 2024, GM collected and then sold consumers’ names, contact information, geolocation data, and driving behavior data to Verisk Analytics and LexisNexis Risk Solutions. Authorities said the brokers intended to use the information to help insurers build driver-rating products tied to insurance pricing.

According to the complaint, GM allegedly earned roughly $20 million nationwide from the sale of the data.

The investigation grew out of broader concerns surrounding connected vehicle privacy. In 2023, the California Privacy Protection Agency launched investigations into how automakers were handling driver information. Public scrutiny intensified the following year after reporting revealed that several manufacturers were sharing driving behavior data with insurers, raising concerns that motorists could face higher premiums based on how and where they drove.

California officials said their investigation found that drivers in the state were likely protected from insurance rate impacts because California law prohibits insurers from using driving behavior data in rate-setting. But regulators argued the company’s conduct still violated California privacy law because consumers were allegedly never clearly informed that their data would be sold.

Authorities also accused GM of presenting misleading privacy disclosures. Regulators said GM’s privacy policy stated the company did not sell driving or location data and suggested such information would only be shared for insurance purposes at a customer’s express direction. Investigators further alleged GM retained location and driving data long after it was needed to operate OnStar services, then later monetized that retained data through sales to brokers.

Bonta framed the settlement as a major test of California’s evolving privacy framework, particularly around the principle that companies should only collect and retain data necessary for a specific purpose.

“General Motors sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so,” Bonta said in a statement announcing the settlement. He added that the data included “precise and personal location data that could identify the everyday habits and movements of Californians.”

Local prosecutors echoed concerns about the increasingly expansive data collection capabilities built into connected technologies.

San Francisco District Attorney Brooke Jenkins described modern vehicles as “rolling data collection machines,” warning that consumers must understand what information is being gathered, how it is used, and whether they have meaningful opt-out rights. Los Angeles County District Attorney Nathan J. Hochman said the case should serve as a warning to companies seeking to profit from personal data without obtaining proper consent.

Under the proposed settlement, GM must stop selling driving data to consumer reporting agencies and data brokers for five years, including companies like LexisNexis and Verisk. The automaker is also required to delete retained driving data within 180 days unless consumers provide affirmative express consent for limited internal uses. Regulators said GM must additionally request that both data brokers delete any driving data obtained from the company.

The settlement also requires GM to establish and maintain a more robust privacy compliance program designed to assess and mitigate risks tied to data collected through OnStar. The company will be required to provide privacy assessments to California regulators and participating district attorneys.

The case arrives as regulators worldwide intensify scrutiny of how companies monetize behavioral, location, and telematics data, particularly as connected devices and AI-driven analytics make it easier to transform ordinary consumer activity into highly detailed risk profiles.

“This settlement reflects the power of coordinated enforcement,” said Tom Kemp, who said California’s privacy laws are designed to ensure companies collect only the data they need and remain transparent about how it is used.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.