General Motors has agreed to pay $12.75 million to settle allegations that it illegally collected and sold personal data from California drivers without proper consent, in what California Attorney General Rob Bonta calls the largest penalty under the California Consumer Privacy Act (CCPA) to date. The settlement, announced by a coalition of state and local enforcement agencies, represents California's first major enforcement action targeting data minimization requirements under state privacy law. The case centers on GM's OnStar connected vehicle platform, which investigators say was used to collect and sell sensitive driver information to data brokers Verisk Analytics and LexisNexis Risk Solutions between 2020 and 2024.
The investigation was conducted jointly by the California Department of Justice, the California Privacy Protection Agency (CalPrivacy), and district attorneys from San Francisco, Los Angeles, Napa, and Sonoma counties. Authorities allege that GM collected names, contact details, precise location information, and driving behavior data from hundreds of thousands of Californians through OnStar, a service that provides emergency assistance, navigation, and crash response. This data was then sold to data brokers who used it to create driver-risk scoring products for insurance companies to reference when setting premiums.
A central issue in the case involves alleged violations of CCPA data minimization and purpose limitation requirements, which took effect in 2023. These provisions require companies to collect and retain only the data necessary for disclosed purposes. Investigators claim GM retained driving and location data long after it was needed to operate OnStar services, then sold that information to third parties. Additionally, authorities allege GM's privacy policies misled consumers by suggesting driver data would only be used to provide requested OnStar services and claiming the company did not sell driving or location information. San Francisco District Attorney Brooke Jenkins characterized modern vehicles as "rolling data collection machines" and emphasized the need for transparency in data collection practices.
The settlement follows increased regulatory scrutiny of connected vehicle privacy practices. In 2023, CalPrivacy launched investigations into connected car manufacturers, and public attention intensified after a 2024 New York Times report revealed how automakers were sharing driving behavior data with insurance companies. California investigators determined that the state's drivers were likely not directly affected through insurance rate increases, because California laws prohibit insurers from using driving behavior data to set premiums. Regulators nonetheless maintained that the collection, retention, and sale of the data itself violated state privacy requirements.
Under the settlement terms, GM must stop selling driving data to consumer reporting agencies for five years and delete retained driving data within 180 days unless consumers provide express consent for limited uses. The company must also request deletion of driver data already shared with LexisNexis and Verisk, establish a comprehensive privacy compliance program, and submit regular privacy assessments and compliance reports to California regulators. CalPrivacy Executive Director Tom Kemp emphasized that California privacy laws require businesses to collect only necessary information and maintain transparency about data handling practices. California regulators also highlighted the state's Delete Request and Opt-out Platform (DROP), which allows residents to submit deletion requests to hundreds of registered data brokers.
Source: https://thecyberexpress.com/california-privacy-settlement-hits-gm/


