
California Attorney General Rob Bonta and a coalition of state prosecutors have secured a $12.75 million settlement with General Motors over the automaker’s collection and sale of drivers’ location and behavior data.
This marks the largest California Consumer Privacy Act (CCPA) penalty to date and the state’s first enforcement action centered on data minimization violations.
The settlement resolves allegations that GM illegally sold sensitive driving data from hundreds of thousands of Californians to data brokers LexisNexis Risk Solutions and Verisk Analytics between 2020 and 2024 without adequate notice or consent.
The action expands on earlier federal enforcement efforts by the Federal Trade Commission, which in January finalized a separate order banning GM and its OnStar subsidiary from sharing driver data with consumer reporting agencies for five years. California regulators now argue that GM also violated state privacy laws by retaining data longer than necessary and repurposing it for commercial sale.
According to the complaint filed by the California Department of Justice, GM collected detailed telematics information through its OnStar connected vehicle platform, including geolocation data, driving behavior metrics, names, and contact information. The data was then reportedly sold to LexisNexis and Verisk, which intended to use it to create driver risk profiles for insurance companies.
Regulators said GM earned roughly $20 million nationwide from these data-sharing arrangements.
General Motors, headquartered in Detroit, is one of the world’s largest automakers and operates connected vehicle services through its OnStar platform across Chevrolet, GMC, Cadillac, and Buick vehicles. OnStar provides navigation assistance, crash response services, diagnostics, and remote vehicle features.
California authorities alleged that GM misled consumers by stating in its privacy policy that it did not sell driving or location data and that any disclosures for insurance purposes would occur only at the customer’s direction. Investigators also found that GM’s own internal privacy compliance policies required the company to disclose how customer information would be used and shared with third parties.
Although California officials stated they found no evidence that insurers used the data to raise rates for California residents due to state insurance restrictions, regulators argued that the collection, retention, and sale practices themselves violated the CCPA and California’s Unfair Competition Law.
A major focus of the settlement is California’s data minimization requirement, added to the CCPA in 2023. The rule limits businesses to collecting and retaining only the personal information necessary for a disclosed purpose.
Authorities said GM violated those provisions by continuing to retain location and driving data after it was no longer needed to operate OnStar services and later monetizing that information through third-party sales.
Under the proposed settlement, GM must:
- Pay $12.75 million in civil penalties
- Stop selling driving data to consumer reporting agencies and data brokers for five years
- Delete retained driving data within 180 days unless consumers explicitly consent to retention
- Request that LexisNexis and Verisk delete previously shared driving data
- Implement a comprehensive privacy compliance program governing OnStar data collection and retention
- Submit ongoing privacy assessment reports to California regulators
Consumers concerned about connected vehicle privacy should review vehicle telematics settings, disable optional driving behavior programs where possible, carefully examine consent prompts during vehicle setup, and regularly exercise available data access and deletion rights under state privacy laws.






