GM to Pay $12.75M in Landmark California Settlement Over Secret Sale of Driver Data to Insurers
Breaking: GM Agrees to $12.75 Million Settlement Over Alleged Illegal Sale of Driver Data
General Motors has agreed to a proposed $12.75 million settlement with California authorities over accusations that it secretly collected and sold drivers’ personal data to insurers without consent, state Attorney General Rob Bonta announced Tuesday.
The settlement, if approved by a judge, would resolve claims that GM violated the California Consumer Privacy Act (CCPA) by sharing detailed driving behavior information — including speed, braking, and mileage — with third-party data brokers and insurance companies for marketing and risk-assessment purposes.
Allegations: 'A Clear Violation of Trust'
The California Attorney General’s investigation found that GM’s OnStar connected-vehicle service and its Marketplace platform transmitted driver data to firms that then sold it to insurers, often without consumers’ knowledge or explicit permission.
“This is a clear violation of the trust that consumers place in automakers when they buy a connected car,” Bonta said in a statement. “GM took people’s driving data and sold it — for profit — without being transparent or obtaining the legally required consent.”
The settlement includes a $12.75 million penalty — one of the largest ever under the CCPA — and requires GM to implement stricter data-sharing controls and obtain affirmative consent before collecting or selling any driving data collected from its vehicles.
Expert Reaction: 'A Warning Shot for the Auto Industry'
Privacy experts say the case marks a significant enforcement action that could reshape how automakers handle connected-car data.
“This settlement sends a strong signal that regulators are watching how car companies monetize driver data,” said Jennifer Lynch, surveillance litigation director at the Electronic Frontier Foundation. “Automakers can’t just bury data-sharing terms in fine print and expect to get away with it.”
Lynch noted that the CCPA — and California’s more stringent California Privacy Rights Act (CPRA) — give consumers the right to know what data is collected, to opt out of its sale, and to sue companies that violate those rights.
Background: The Rise of Connected-Vehicle Data Monetization
Modern vehicles — from GM’s Chevrolet, Buick, GMC, and Cadillac brands — often collect a continuous stream of telemetry data: GPS location, driving speed, acceleration patterns, and even seatbelt usage.
Automakers have increasingly partnered with insurance companies and data brokers to analyze this data, using it to offer usage-based insurance policies or to flag risky drivers — sometimes without drivers realizing their own car is reporting on them.
The California investigation began after consumer complaints and a 2023 report by the New York Times revealed that GM’s OnSmart Driving program (a telematics service) shared driver scores with insurers via third-party data aggregators like LexisNexis and Verisk.
CCPA Violations Alleged
Under the CCPA, consumers have the right to opt out of the sale of their personal information. The Attorney General alleged that GM did not provide a clear opt-out mechanism and that its privacy disclosures were misleading.
“GM’s practices fell far short of the CCPA’s requirements,” Bonta said. “Companies that collect sensitive data — location, driving habits — must be especially careful to respect consumer rights.”
What This Means: Precedent for Data Privacy Enforcement
The settlement is one of the first major CCPA enforcement actions against an automaker, potentially setting a precedent for how similar cases are handled nationwide.
It underscores that connected vehicle data is considered highly sensitive, and that companies cannot assume they have implied consent to share it merely because a driver accepts a terms-of-service agreement.
For consumers, the settlement means that GM must now clearly disclose what data it collects, obtain explicit permission before selling it, and allow in-car opt-out controls. If a judge approves the settlement, GM will also pay a penalty that goes into a fund to support California’s privacy enforcement efforts.
What’s Next
The proposed settlement is subject to a 30-day public comment period and final court approval. GM has denied any wrongdoing but agreed to the settlement to avoid protracted litigation.
“We are committed to protecting customer privacy and believe this settlement is a fair resolution,” a GM spokesperson said in a statement. “We have already made changes to our data practices to ensure full compliance with the CCPA.”
Consumers who believe their data was improperly sold may have options under the CCPA’s private right of action, though that provision is limited to data breaches. For now, Bonta urged anyone with concerns to file a complaint with the California Attorney General’s office.
This is a breaking story. Updates will follow as more details emerge.
Related Articles
- Signal Privacy Guide: Everything You Need to Know
- Reclaim Your Digital Privacy: A Step-by-Step Guide to Spring Cleaning Your Online Data
- 10 Critical Lessons from the Hugging Face Supply Chain Attack That Mimicked OpenAI
- The Legal Showdown Between Musk and Altman Over OpenAI's Transformation Heats Up
- 8 Crucial Reasons Why the Open Social Web Depends on Section 230
- Rave vs. Apple: A Q&A on the Antitrust Battle Over Co-Viewing Apps
- EU Softens AI Act: Extended Deadlines and Refined Rules for High-Risk Systems
- The Dissolution of Purdue Pharma: A Step-by-Step Guide to Company Transformation through Legal Settlement