What happened
General Motors has agreed to pay $12.75 million to settle charges brought by California authorities that it violated millions of consumers’ privacy by collecting and selling driving data without their consent, the largest fine issued under the California Consumer Privacy Act since the law took effect more than five years ago. The settlement was announced Friday by California Attorney General Rob Bonta and the California Privacy Protection Agency. It requires court approval before becoming final.
California’s investigation, which began in 2023, found that between 2020 and 2024 GM sold hundreds of thousands of consumers’ geolocations, driving behavior, names, and contact information to data brokers Verisk and LexisNexis Risk Solutions, earning approximately $20 million nationwide from the sales. The data was collected through GM’s OnStar connected vehicle service, marketed to consumers as an emergency assistance and navigation feature. Verisk and LexisNexis purchased the data to build driver rating products for sale to insurance companies.
California authorities found that GM actively misled consumers, telling them their data would only be used to provide OnStar services they requested, and at one point explicitly stating it did not sell driving or location data. GM’s own internal privacy compliance program required it to inform consumers how their data would be used and which third parties might receive it, requirements the company did not follow. GM also retained consumer data well beyond the period needed to operate OnStar, in violation of California’s data minimization requirements.
Beyond the financial penalty, GM must pause sales of driving data to consumer reporting agencies for five years, delete driving data after 180 days without explicit consumer consent, request that Verisk and LexisNexis delete the data they received, and establish a privacy program for OnStar with regular reporting to California prosecutors and the CPPA. GM stated it stopped offering the relevant product in 2024 and has strengthened its privacy practices.
Who is affected
California consumers who used GM’s OnStar service between 2020 and 2024 had their location and driving data sold without their knowledge. Consumers in other US states faced a more direct financial impact, with insurance premiums reportedly rising in states that do not bar insurers from using driving data in rate-setting, unlike California.
Why CISOs should care
The CCPA’s largest-ever fine being issued against an automotive manufacturer for connected vehicle data practices signals that California regulators are actively pursuing enforcement in sectors where data collection is embedded in physical products rather than digital services. For security and privacy leaders at organizations with connected devices, telematics, or IoT infrastructure, the GM settlement establishes several principles that are now backed by enforcement action: consent obtained for one purpose does not cover secondary uses, data must be deleted when the operational need expires, and internal privacy programs create legal obligations rather than just aspirational policies.
The five-year data sales prohibition and mandatory broker deletion requirements also demonstrate that regulators are willing to impose operational remedies that affect business models, not just financial penalties.
3 practical actions
- Audit secondary data use against the consent obtained at collection: The GM case turned on the gap between what consumers were told OnStar data would be used for and what it was actually used for. Review whether data collected under one stated purpose is being used, shared, or sold for any secondary purpose not disclosed at collection, and treat any such gap as a regulatory liability under CCPA and equivalent state laws.
- Implement and enforce data retention schedules tied to operational necessity: GM retained consumer data beyond the period needed to operate OnStar. Establish retention schedules that define a specific operational purpose for each data category, set deletion timelines tied to that purpose, and implement automated deletion controls with compliance reporting rather than relying on manual processes.
- Review third-party data sharing agreements for consent and disclosure compliance: GM sold data to Verisk and LexisNexis without consumer knowledge despite an internal program requiring disclosure of third-party recipients. Audit all current data sharing and data sale arrangements against the consent language provided to consumers at collection, and ensure that any third-party recipient is explicitly disclosed in consumer-facing privacy notices.
Also in the news today:
- ShinyHunters Defaces Canvas Login Portals at 330 Schools in Escalating Extortion Campaign
- Fake OpenAI Repository on Hugging Face Pushes Infostealer Malware
- JDownloader Website Hacked to Replace Installers With Python RAT Malware
- German Police Shut Down Crimenetwork Reboot, Arrest Administrator in Spain
- Attackers Abuse Google Ads and Claude.ai Shared Chats to Push Mac Malware
- Škoda Online Shop Security Incident Exposes Customer Data
