Key Points:
- General Motors will pay a $12.75 million penalty for secretly selling Californians’ personal driving data to third-party data brokers.
- Investigators discovered the automaker collected location details, speeds, and braking habits through its OnStar service from 2020 to 2024.
- The legal agreement forces the car company to stop selling driver data to consumer reporting agencies for five full years.
- California secured the largest fine in the history of its strict consumer privacy law, demanding GM delete driver records after 180 days.
General Motors agreed to pay $12.75 million to end a major California investigation into its data privacy practices. State officials accused the Detroit automaker of illegally selling the location and driving records of hundreds of thousands of Californians to a pair of data brokers. California Attorney General Rob Bonta announced the financial settlement on Friday, marking a significant victory for consumer privacy rights. The agreement brings an end to a multi-year probe into how car companies handle the sensitive information they collect from modern vehicles.
The trouble started with OnStar, the popular vehicle connectivity service that GM offers to drivers. Customers typically use OnStar to call an ambulance, get driving directions, or request roadside assistance. When drivers signed up for the service, GM promised them it would not sell their location or driving habits. However, state investigators found that the company broke that promise. Between 2020 and 2024, GM quietly gathered massive amounts of personal information and sold it for profit.
The information collected went far beyond simple mileage numbers. The automaker tracked the exact GPS locations where drivers traveled and parked their cars. The systems also recorded how fast people drove, how quickly they accelerated, and how hard they hit their brakes. GM took this highly detailed behavioral profile and sold it to two major data brokers, LexisNexis Risk Solutions and Verisk Analytics. Those brokers then packaged the information into consumer reports.
Attorney General Bonta held a press conference to explain the severity of the privacy breach. He told reporters that companies cannot simply hold onto data and decide later to use it for a completely different purpose. He pointed out that the massive collection of personal location data could easily identify the everyday habits and private movements of ordinary citizens. The data reveals highly sensitive routines, including when people drop their kids off at school or visit the doctor.
Los Angeles County District Attorney Nathan Hochman joined the investigation and shared his frustration with the automaker’s actions. He stated firmly that car companies cannot secretly use consumer data to make extra profit. Hochman reminded the public that people have a fundamental right to control their personal information, and that this legal right does not end when they close their car door. Several other district attorneys across California also helped build the case against the massive car manufacturer.
The $12.75 million penalty stands out as the largest fine ever issued under the California Consumer Privacy Act. State lawmakers passed this strict law more than five years ago to give residents control over their digital footprints. Under the rules, companies must clearly tell consumers exactly how they use personal data. Businesses can collect only the information they need to run their services. If a resident asks a company to stop sharing or selling their information, the business must obey immediately.
Beyond the heavy financial penalty, the legal settlement forces GM to make major changes to its business operations. The state completely banned the automaker from selling driving data to any data brokers or consumer reporting agencies for the next five years. The company must also reach out to LexisNexis and Verisk and formally request that they delete all California driver data they previously purchased. This step ensures that the brokers cannot continue to profit from the illegal sales.
GM also faces strict new rules on how long it can hold onto customer information. The settlement requires the company to delete driving data after 180 days automatically. If the automaker wants to keep the records for more than six months, it must obtain clear, affirmative consent directly from the consumer. Furthermore, the state ordered the company to develop a brand-new privacy program. This internal team must continually analyze and mitigate risks associated with collecting information through the OnStar system.
The situation shows a growing problem in the car industry. Today’s car operates like a large computer on wheels, constantly gathering millions of data points. While some states allow data brokers to sell this information directly to auto insurance companies to raise premium rates, California law strictly protects drivers. The state legally bans insurance providers from using driving behavior data to set monthly coverage rates. However, the secret sale of the information still violated basic privacy rules.
A spokesperson representing General Motors released a brief statement regarding the legal situation. The representative noted that the company completely stopped offering the specific data-sharing product in 2024. The spokesperson also claimed that the automaker has strengthened its internal privacy practices since the state started asking questions. While GM agreed to pay the massive penalty, the company will wait for a judge to review the paperwork. The settlement only becomes official once a court signs off on the final deal.
