California Reaches $12.75 Million Settlement with GM Over CCPA Case

General Motors Settles for $12.75 Million Over Data Privacy Violations in California

In a landmark decision, General Motors (GM) has agreed to pay a substantial $12.75 million to resolve allegations of illegally collecting and selling personal data from drivers in California without obtaining proper consent. This settlement marks the largest penalty to date under the California Consumer Privacy Act (CCPA), as announced by California Attorney General Rob Bonta. The case signifies California’s first significant enforcement action targeting data minimization requirements mandated by state privacy laws, setting a precedent for future actions against corporations that fail to comply with these regulations.

The allegations focus on GM’s OnStar connected vehicle platform, which investigators assert was employed to gather and sell sensitive information about drivers to data brokers such as Verisk Analytics and LexisNexis Risk Solutions over a four-year period from 2020 to 2024. The investigation was a collaborative effort between several state and local enforcement agencies, including the California Department of Justice, the California Privacy Protection Agency, and the district attorneys of counties including San Francisco, Los Angeles, Napa, and Sonoma.

Authorities have alleged that GM collected an extensive array of data from hundreds of thousands of Californians using OnStar, which is designed to offer services ranging from emergency assistance to navigation and crash response. This data included names, contact information, precise location data, and driving behavior metrics. Moreover, GM allegedly sold this information to data brokers that utilized it to create driver-risk scoring products, which insurance companies relied on to determine premiums.

A pivotal issue in this case is GM’s purported violation of the CCPA’s data minimization and purpose limitation requirements, which took effect in 2023. These provisions require companies to collect and retain only the data essential for their specified purposes. Investigators allege that GM not only retained driving and location data longer than necessary for the effective operation of OnStar services but also sold this information to third parties without adequate consumer consent.

Adding to the gravity of the matter, the California Attorney General’s office pointed out that GM’s privacy policies misled consumers, implying that the data would be used solely for providing the requested OnStar services. The company reportedly claimed that it did not sell any driving or location information, a statement that appears to contradict the findings of the investigation. Brooke Jenkins, the San Francisco District Attorney, voiced strong concerns, describing modern vehicles as "rolling data collection machines" and stressing the critical need for transparency in how companies handle consumer data.

This settlement comes amidst increasing regulatory scrutiny of connected vehicle privacy practices. In the same year, the California Privacy Protection Agency initiated investigations into connected car manufacturers. Public attention on this issue intensified significantly following a report by The New York Times in 2024, which exposed the ways in which automakers were sharing driving behavior data with insurance providers.

While California authorities have determined that drivers within the state were probably not directly impacted by increased insurance rates—thanks to California laws that prohibit insurers from using driving behavior to set premiums—the regulators maintained that the collection, retention, and sale of the data did not adequately conform to state privacy requirements.

As part of the settlement agreement, GM is mandated to cease selling driving data to consumer reporting agencies for a period of five years. Additionally, the automaker must delete retained driving data within 180 days unless explicit consumer consent is obtained for limited uses. GM is also required to initiate requests for the deletion of driver data already shared with LexisNexis and Verisk, and to establish a comprehensive privacy compliance program. The report outlines that these compliance measures will include regular assessments and compliance reports submitted to California regulators.

Tom Kemp, Executive Director of CalPrivacy, emphasized the importance of California’s privacy laws, which necessitate that businesses collect only the information required for their operations while maintaining transparency in their data handling practices. Furthermore, California regulators promoted the state’s Delete Request and Opt-out Platform (DROP), which enables residents to submit deletion requests to numerous registered data brokers, emphasizing the state’s commitment to protecting consumer privacy.

This high-profile settlement serves as an important warning to other companies regarding their data collection and handling practices, reinforcing California’s robust stance in defending consumer privacy rights. As technology continues to evolve, the imperative for transparency and accountability in data practices becomes increasingly vital in protecting individual privacy.
