GM to Pay $12.5 Million to Settle Illegal Sale of California Driver Data
General Motors has agreed to a $12.5 million settlement following allegations that the automaker illegally sold the location and driving data of hundreds of thousands of California residents. The settlement, announced Friday, marks a significant crackdown on how automakers handle sensitive consumer information and the role that data plays in the insurance industry.
The case centers on the collection of data via OnStar—GM’s suite of roadside assistance and navigation services. Between 2020 and 2024, investigators found that GM sold driver information, including names, contact details, location history, and driving behavior data, to data brokers Verisk Analytics, Inc. And LexisNexis Risk Solutions.
The Legal Battle: Data Privacy and Insurance Rates
The core of the legal dispute lies in how this data is used. While many automakers share driver behavior with insurance companies to influence coverage costs, California law specifically prohibits insurers from using such driving data to set rates. By selling this information to brokers, GM effectively bypassed protections intended to keep driver habits from impacting insurance premiums.
California Attorney General Rob Bonta emphasized the state’s commitment to data protection during a news conference, stating, “If we get word that a company is illegally collecting, storing or selling consumer data, we won’t hesitate to look under the hood and hold them accountable to the law.”
A Record-Breaking CCPA Penalty
According to Attorney General Bonta, this settlement represents the largest penalty in the history of the California Consumer Privacy Act (CCPA). The CCPA is designed to give consumers transparency and control over their personal information, granting them the right to:
- Request that businesses disclose exactly what data is being collected.
- Opt out of the sale or sharing of their personal information.
- Request the total deletion of their data.
The investigation into GM’s practices was a collaborative effort involving various district attorneys across the state, including those in San Francisco and Los Angeles.
Industry-Wide Scrutiny
GM isn’t the only automaker under the microscope. The California Privacy Protection Agency began investigating the privacy practices of connected cars in 2023, noting that data from vehicles can reveal intimate details of a person’s life, such as visits to doctors or where they drop off their children.
Other manufacturers have already faced penalties for privacy violations:
- Honda: Fined $632,500 in 2025.
- Ford Motor Company: Fined $375,703 in March.
Further reporting from The New York Times in 2024 highlighted that GM was sharing consumer driving behavior with insurance companies, with reports indicating the automaker made roughly $20 million from selling data to LexisNexis, and Verisk.
Terms of the Settlement and Federal Action
The settlement, which still requires court approval, imposes several strict requirements on General Motors:
- Data Deletion: GM must delete all retained driving data within 180 days and request that Verisk and LexisNexis do the same.
- Sale Ban: The company is prohibited from selling driving data to consumer reporting agencies for the next five years.
- Privacy Overhaul: GM must develop a comprehensive privacy program to assess and mitigate the risks associated with data collected via OnStar.
This state-level action follows a 2025 move by the Federal Trade Commission (FTC), which also barred GM and OnStar from disclosing location and driver behavior data to consumer reporting agencies for a five-year period.
- Penalty: GM will pay $12.5 million, the largest CCPA fine to date.
- Violation: Illegal sale of OnStar driving and location data to brokers between 2020 and 2024.
- Impact: Data was sold to Verisk Analytics and LexisNexis, potentially influencing insurance rates in violation of California law.
- Outcome: GM must delete the data, stop sales to reporting agencies for five years, and build a new privacy program.
Frequently Asked Questions
What is the CCPA?
The California Consumer Privacy Act is a state statute that protects the privacy rights of California residents, allowing them to know what personal data is being collected and to stop the sale of that data to third parties.
How did GM collect the data?
The data was harvested through OnStar, the connected vehicle service owned by GM that provides navigation and roadside assistance.
Will this affect my insurance rates?
California law bars insurers from using driving behavior data to set rates. This settlement aims to ensure that such data is not illegally funneled to insurers via third-party brokers.
As connected vehicle technology continues to evolve, this case sets a rigorous precedent for how the automotive industry must balance technological convenience with consumer privacy rights.