GM to Pay $12.75 Million Settlement for Selling Driver Data Without Consent

California Attorney General Announces Landmark Settlement with General Motors

General Motors has agreed to a $12.75 million proposed settlement with the state of California over allegations that the automaker unlawfully collected and sold drivers' personal data, Attorney General Rob Bonta announced today. The settlement, which must still be approved by a court, addresses violations of the California Consumer Privacy Act (CCPA) and marks one of the largest penalties ever levied under the state's landmark privacy law.

The case centers on GM's data practices between 2015 and 2022, when the company allegedly installed tracking devices in millions of vehicles without properly informing drivers. According to the complaint, GM then sold this data—including precise location, driving behavior, and vehicle diagnostics—to third-party data brokers and insurance companies, often without obtaining explicit consent from vehicle owners.

How the Data Was Collected and Sold

The investigation revealed that GM embedded telematics systems in vehicles equipped with its OnStar service and other connected features. These systems continuously transmitted data such as speed, hard braking, acceleration patterns, and GPS coordinates back to GM's servers. The company then packaged and sold this information to data aggregators, who in turn provided it to insurers to adjust premium rates or deny coverage based on driving habits.

Key details of the data sale operation:

• GM shared data with at least three major data brokers, including LexisNexis Risk Solutions and Verisk Analytics.
• Drivers were not given clear, opt-in choices before their data was shared; instead, consent was buried in lengthy terms-of-service agreements.
• The data was used to create risk profiles for insurance underwriting, resulting in higher premiums for thousands of California residents.
• GM continued collecting data even after customers ended their OnStar subscriptions, unless they manually disabled the telematics unit.

CCPA Violations: What GM Did Wrong

The California Consumer Privacy Act gives residents the right to know what personal data is collected, the right to opt out of its sale, and the right to have it deleted. The attorney general's office alleged that GM failed to:

1. Provide adequate notice: GM did not clearly disclose that driving data would be sold to third parties for non-vehicle-related purposes such as insurance risk assessment.
2. Honor opt-out requests: Even when drivers attempted to limit data collection through settings, the company continued to transmit information.
3. Obtain explicit consent: The CCPA requires that sale of sensitive data like geolocation must have affirmative authorization; GM relied on passive acceptance of bundled terms.
4. Implement reasonable security: Lax controls made it easier for unauthorized parties to access and repurpose driver data.

For a deeper look at how the CCPA defines the "sale" of personal information, see our FAQ on CCPA data sales.

Financial Penalties and Corrective Actions

Under the proposed settlement, GM will pay $12.75 million to the California Department of Justice, which will be distributed to fund consumer privacy enforcement and education programs. Additionally, the automaker must:

• Implement a centralized data privacy dashboard that allows all California vehicle owners to easily view and control what data is collected and shared.
• Provide clear, plain-language notices about data selling practices at the point of sale and within the vehicle's infotainment system.
• Establish a process for purging all previously collected driver data that was obtained without proper consent, within 180 days of court approval.
• Submit to independent auditing of its data practices for the next five years.

Impact on Consumers and the Automotive Industry

This settlement sends a strong signal to automakers that driver privacy cannot be treated as a secondary concern. California is often a bellwether for consumer protection laws, and other states may follow with similar actions. The case also underscores the risks of connected vehicle technology: while features like real-time navigation and emergency services rely on data, companies must ensure they do not exploit that trust.

Consumers who believe their driving data was misused may be eligible for compensation as part of the settlement. A claims process will be announced once the court gives final approval. For more information on how to protect your privacy in connected cars, visit our guide to vehicle data privacy.

What This Means for the Future of Data Privacy

Attorney General Bonta emphasized that the settlement is a clear warning: "Companies that collect personal data must respect the rights of Californians. We will not tolerate deceptive practices that put privacy at risk." The action comes amid growing scrutiny of data monetization by automakers, with class-action lawsuits pending in several states.

GM, for its part, stated that it is committed to enhancing driver transparency and has already begun rolling out updated privacy controls in newer models. However, critics argue that more fundamental reforms are needed, such as federal legislation to set uniform standards for connected vehicle data.

Frequently Asked Questions

What counts as a 'sale' under the CCPA?

Under California law, the term "sale" includes any exchange of personal information for monetary or other valuable consideration. This covers sharing data with brokers, even if no money changes hands—a critical point in the GM case.

How can I protect my privacy in a connected car?

Check your vehicle's privacy settings regularly, opt out of data sharing for non-essential services when possible, and read the privacy policy before enabling connected features. You can also request deletion of previously collected data under the CCPA.

Next Steps for the Settlement

The proposed settlement will be filed in Sacramento County Superior Court. A public comment period will open before the judge decides whether to approve it. If approved, GM must begin implementing the corrective actions within 90 days.

This case serves as a reminder that the rapid growth of vehicle connectivity must be matched by robust privacy safeguards. For ongoing updates, check the California AG's official press release page.