GM’s $12.75M California Settlement Puts Connected Car Data Privacy In The Spotlight

General Motors has agreed to pay $12.75 million to resolve a California privacy lawsuit over allegations that it unlawfully sold OnStar subscribers’ personal and driving data to third-party data brokers without proper disclosure or consent. The settlement, which remains subject to court approval, also places new limits on how GM can handle consumer driving data going forward.

TL;DR

• GM will pay $12.75 million in civil penalties as part of a California driver privacy settlement.
• California officials alleged GM sold OnStar users’ location and driving behavior data to LexisNexis Risk Solutions and Verisk Analytics.
• The settlement includes a five-year ban on selling driving data to consumer reporting agencies.
• GM must delete certain retained driving data within 180 days, unless it has express consumer consent.
• GM resolved the matter without admitting liability.

General Motors is facing another major connected-car privacy reckoning, this time in California. The automaker has agreed to pay $12.75 million to resolve a civil lawsuit alleging that it sold personal information and driving data belonging to hundreds of thousands of California OnStar subscribers. The case was led by California Attorney General Rob Bonta, along with the district attorneys of Los Angeles, Napa, San Francisco, and Sonoma counties, with support from the California Privacy Protection Agency.

Source

According to the California Department of Justice, the settlement is the largest California Consumer Privacy Act penalty in the state’s history so far and marks the first enforcement action focused on the law’s data minimization principle. The settlement is still subject to court approval.

The lawsuit alleged that from 2016 to 2024, GM collected and retained driver-related data from Californians using OnStar, its in-vehicle connectivity service. That data included names, phone numbers, home addresses, driving speeds, rapid acceleration, hard braking, and GPS locations showing where OnStar subscribers drove and parked their vehicles.

California officials said GM began selling the data in 2020 to two data brokers, LexisNexis Risk Solutions and Verisk Analytics, without adequately disclosing the data sale or giving consumers an opportunity to opt out. The state also alleged that GM told OnStar subscribers it did not sell driving or location data and that such data would only be used for OnStar-related services, such as directions, emergency assistance, and improving driving skills.

“General Motors sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so,” said California Attorney General Rob Bonta. He added that the data could identify “the everyday habits and movements of Californians.”

Reuters reported that California said GM made about $20 million nationwide from these data sales. The same report noted that the data was intended to help build driver-rating products that could be marketed to auto insurers, although California law bars insurers in the state from using driving data to set rates.

Los Angeles County District Attorney Nathan J. Hochman said, “This settlement makes clear that car companies cannot secretly speed off with your personal data for profit.” He added that consumer privacy rights “do not stop at a car door.”

GM resolved the case without admitting liability. Reuters quoted GM as saying the settlement “addresses Smart Driver, a product we discontinued in 2024, and reinforces steps we’ve taken to strengthen our privacy practices.”

The case adds to growing scrutiny around connected vehicles, which increasingly function as data collection platforms. Earlier coverage from TechCrunch noted that the case followed reporting that automakers, including GM, had shared driving behavior data with insurance companies, raising wider concerns about whether drivers fully understand how their vehicles collect, retain, and share personal information.