General Motors agreed to pay $12.75 million as part of a settlement with the state of California over charges that it violated millions of consumers’ privacy by collecting and storing driving information without their consent and selling it to data brokers.
The settlement, announced by California officials Friday, is the largest fine issued under the California Consumer Privacy Act (CCPA) in its more than five-year history. Under California law, firms can only collect data they need and must tell consumers how their data is used.
In addition to the financial penalty, the settlement requires GM to pause sales of driving data to consumer reporting agencies, including data brokers, for five years.
The car manufacturer also agreed to delete driving data after 180 days unless consumers give affirmative consent, and to ask two data brokers — Verisk and LexisNexis Risk Solutions — to delete the data it sold to them.
The settlement additionally requires GM to establish a privacy program to analyze, fix and document risks related to collecting data from its OnStar product, which is at the center of the data sales scheme California probed. The assessments must be reported to California prosecutors and the California Privacy Protection Agency (CPPA), according to a CPPA press release.
The settlement will not become final until a court signs off on the deal.
“General Motors sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so,” California Attorney General Rob Bonta said in a statement. “This trove of information included precise and personal location data that could identify the everyday habits and movements of Californians.”
“Companies can’t just hold on to data and use it later for another purpose.”
A spokesperson for GM said in a statement that it stopped offering the product the settlement addresses in 2024 and it has strengthened its privacy practices.
“Vehicle connectivity is central to a modern and safe driving experience, which is why we’re committed to being clear and transparent with our customers about our practices and the choices and control they have over their information,” the statement said.
The investigation
California authorities began investigating GM in 2023, a year before the New York Times reported that the car company and other auto manufacturers were selling consumers’ driving data to brokers who in turn sold it to insurers.
The probe found evidence that from 2020 to 2024, GM peddled hundreds of thousands of consumers’ geolocations, driving behavior, names and contact information to Verisk and LexisNexis, earning about $20 million nationwide from the sales, the press release said.
The consumer data sold was collected by GM’s OnStar feature, a service which is marketed as an emergency assistant and provider of directions, according to the press release.
Verisk and LexisNexis bought the data because they planned to create a product rating drivers and sell it to insurers. Because state law bars insurers from relying on driving data to set insurance prices, no California consumers’ insurance premiums spiked due to the scheme.
Millions of people in other states, however, were impacted by skyrocketing rates that resulted from the data sales.
California investigators said that GM did not tell consumers that it would sell their data to the brokers and tricked customers by falsely informing them that their data would only be used to give those who signed up for OnStar services by request.
“GM even stated that it did not sell any driving or location data and that if it did disclose any such data for insurance purposes, it would be at the consumer’s express direction,” the press release said.
“Additionally, GM sold consumers’ data to Lexis and Verisk without customers’ knowledge or consent, despite an internal privacy compliance program that required GM to inform consumers how their personal information would be used and the third parties that may receive it.”
The auto manufacturer also kept Californians’ data well beyond when it was needed to operate OnStar, the press release said. California privacy law requires companies to limit the purposes for which they use consumer data and minimize data collection and retention time frames.
