GM to Pay $12.75 Million in Record California Privacy Settlement Over Driver Data Sales
General Motors will pay $12.75 million to settle California state charges that it sold millions of drivers' personal location and behavior data to third-party brokers without their consent.

General Motors has agreed to a $12.75 million settlement with the state of California to resolve allegations that the automaker improperly collected, stored, and sold the driving data of millions of consumers without their consent. The settlement, which marks the largest fine ever issued under the California Consumer Privacy Act (CCPA), addresses a multi-year scheme involving the unauthorized sharing of sensitive location and behavioral information with third-party data brokers (The Record).
The investigation centered on GM’s "OnStar" service, which is marketed to consumers as an emergency assistance and navigation tool. According to California officials, GM collected precise geolocation data, driving behavior, names, and contact information from its vehicles between 2020 and 2024. The company then sold this information to data brokers, specifically Verisk and LexisNexis Risk Solutions, generating approximately $20 million in revenue nationwide (The Record).
The technical mechanism of the privacy violation involved GM misleading consumers about how their data was being utilized. While the company publicly claimed that data would only be used to provide requested services or shared for insurance purposes at the consumer's express direction, it was simultaneously feeding this data to brokers to create driver-rating products for insurers (The Record). California investigators noted that GM’s internal privacy compliance program was bypassed, and customers were never informed that their personal movements and habits were being monetized.
The impact of this data-sharing scheme was significant. While California law prohibited insurers from using this specific data to set premiums, preventing direct financial spikes for California drivers, the practice had broader consequences. Millions of consumers in other states reportedly faced increased insurance rates as a direct result of the data sold by GM to brokers (The Record).
Under the terms of the settlement, which awaits final court approval, GM must implement several corrective measures. The company is required to pause all sales of driving data to consumer reporting agencies for five years and must delete any existing driving data after 180 days unless it obtains affirmative consumer consent. Furthermore, GM must request that Verisk and LexisNexis delete the data previously sold to them and establish a formal privacy program to analyze and document risks associated with its OnStar product (The Record).
This settlement highlights the growing regulatory scrutiny surrounding the "connected car" ecosystem and the monetization of driver telemetry. As automakers increasingly rely on data-driven revenue streams, the case serves as a precedent for how state regulators intend to enforce transparency and consent requirements under privacy frameworks like the CCPA. The outcome underscores a shift toward holding manufacturers accountable for the lifecycle of the data they collect from modern, internet-connected vehicles (The Record).