Your car knows where you live, where you work, how fast you take corners, and exactly how hard you slam the brakes when that cyclist appears out of nowhere. General Motors thought it could sell all that intimate driving data without telling you—and just paid the largest privacy fine in California history to learn otherwise.
California Cracks Down on Automotive Surveillance
GM secretly monetized hundreds of thousands of OnStar subscribers’ driving habits and locations.
Between 2020 and 2024, GM collected a staggering trove of personal information from OnStar users: names, phone numbers, home addresses, GPS coordinates, vehicle speeds, rapid acceleration events, and hard braking incidents. The company then sold this data to LexisNexis Risk Solutions and Verisk Analytics—data brokers who compile reports for insurance companies—generating approximately $20 million nationwide.
Here’s the kicker: GM explicitly promised OnStar subscribers it wouldn’t sell their driving or location data. The service was supposed to help with emergencies and navigation, not become a surveillance revenue stream. California Attorney General Rob Bonta didn’t mince words: “General Motors sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so.”
What the $12.75M Settlement Actually Gets You
The penalty comes with concrete protections that go beyond just writing a check.
The settlement—nearly five times larger than the previous CCPA record set by Disney—forces GM to halt data sales to consumer reporting agencies for five years. The company must delete all retained driver data within 180 days unless users give explicit consent to keep it.
GM also faces enhanced oversight requirements:
- Developing robust privacy programs
- Submitting regular compliance reports to California authorities
- Retraining dealership staff to properly explain OnStar’s data collection before enrollment
The company must even ensure that LexisNexis and Verisk delete the data they already purchased.
Fortunately for California drivers, state insurance laws prevented this data from actually affecting insurance rates. But the violation still represents a massive breach of trust in an era when your car increasingly functions like a smartphone on wheels.
The Bigger Picture for Connected Vehicle Privacy
GM joins Ford and Honda in facing regulatory consequences for data overreach.
This settlement marks the first major enforcement of California’s 2023 data minimization requirements—the principle that companies can’t just hoover up information and repurpose it later for profit. It follows similar privacy penalties against Ford ($375,703) and Honda ($632,500), suggesting regulators are finally taking automotive data seriously.
For anyone shopping for connected vehicles or using telematics services, the message is clear: read those privacy notices carefully and demand explicit control over your data. Your daily commute shouldn’t become someone else’s business opportunity.
Affected consumers can request their data reports at consumer.risk.lexisnexis.com and fcra.verisk.com, or use California’s Delete Request and Opt-out Platform at privacy.ca.gov/drop.