VYPR
breach · Published May 11, 2026 · Updated May 17, 2026 · 1 source

GM to Pay $12.75M in California Privacy Settlement Over Unauthorized Data Sales

General Motors has agreed to a record $12.75 million settlement with California regulators over allegations that it illegally sold the location and driving data of its customers to third-party brokers without proper consent.

General Motors (GM) has agreed to a $12.75 million settlement with the California Attorney General to resolve allegations that the automaker illegally collected and sold the driving and location data of its customers. The settlement, which marks a record civil penalty for the state, concludes an investigation into practices occurring between 2020 and 2024 involving the company’s OnStar subsidiary and its "Smart Driver" system (BleepingComputer).

The investigation centered on the unauthorized sharing of granular driver behavior data with third-party data brokers, specifically Verisk Analytics and LexisNexis Risk Solutions. According to California Attorney General Rob Bonta, GM failed to provide adequate notice or obtain the necessary consent from drivers before harvesting this information. The data, which included precise location tracking capable of mapping a user's daily habits and movements, was reportedly repurposed for insurance-related driver-scoring products (BleepingComputer).

The scope of the unauthorized activity was significant, with authorities noting that GM generated approximately $20 million in revenue from these data sales nationwide. Beyond the lack of transparency, regulators highlighted that the company retained the collected information for longer than was necessary for its stated purposes. While the data was intended for insurance scoring, California officials noted that state law effectively shielded local drivers from seeing their insurance premiums rise as a direct result of these specific data sales (BleepingComputer).

As part of the settlement, GM is subject to several stringent requirements. The company must cease selling driving data to consumer reporting agencies and brokers for a period of five years. Furthermore, GM is mandated to delete all previously retained driving data within 180 days, unless a consumer provides explicit consent for its continued storage. The automaker must also request that Verisk and LexisNexis delete any data they previously received from GM and implement a more robust privacy compliance program subject to regular regulatory assessments (BleepingComputer).

This enforcement action is notable as the first in California to focus specifically on data minimization rules. The U.S. Federal Trade Commission (FTC) had previously criticized GM for these same practices, leading to a separate five-year ban on the sale of driver data. In response to the settlement, a GM spokesperson stated that the agreement addresses the "Smart Driver" product, which the company discontinued in 2024, and emphasized that the firm is committed to transparency regarding customer data control (BleepingComputer).

The settlement highlights a growing regulatory focus on the intersection of connected vehicle technology and consumer privacy. As modern vehicles increasingly function as data-gathering platforms, the case underscores the tension between vehicle connectivity features and the legal requirements for data minimization and informed consent. Industry observers will likely watch how automakers adjust their data-sharing agreements and privacy disclosures in the wake of such significant financial and operational penalties (BleepingComputer).

Synthesized by Vypr AI