The settlement, announced Friday by California Attorney General Rob Bonta alongside several county district attorneys and the California Privacy Protection Agency, marks the first time the state has imposed a penalty of this size under the 2018 California Consumer Privacy Act. The law requires companies to disclose how they share consumer data and to honor requests to stop the sharing.
Investigators said General Motors collected data from motorists who subscribed to its OnStar emergency roadside and navigation service, then sold the information — including precise location, driving behavior, names, and contact details — to the data brokers LexisNexis Risk Solutions and Verisk Analytics. The sales, which generated roughly $20 million for GM between 2020 and 2024, occurred without adequately informing customers or obtaining their consent, according to the attorney general’s office.
“This trove of information included precise and personal location data that could identify the everyday habits and movements of Californians,” Bonta said in a statement.
Beyond the $12.75 million civil penalty, the settlement compels GM to cease selling any consumer data to consumer reporting agencies for five years and to submit regular privacy assessments to the state. The agreement follows a similar resolution between the Federal Trade Commission and GM earlier this year, as well as California settlements with Honda and Ford over the past 14 months for their own violations of the state privacy law.
The investigation traces back to a 2024 New York Times report that found GM collected driving data from millions of drivers nationwide and sold it to insurance companies, which used the information to set higher premiums. Bonta noted that California motorists were not affected by those premium increases because a separate state law prohibits insurers from using driving data to set rates.
Los Angeles County District Attorney Nathan Hochman said the case began with a single consumer who requested a report on the data collected about them and found their own location data in it. That discovery, he added, triggered investigations by journalists, prosecutors, and regulators.
“This case shows more than anything that one consumer can make a huge difference,” Hochman said during a press conference.
Bonta also acknowledged an ongoing inquiry into “surveillance pricing” — the practice of using location data to predict what prices consumers are willing to pay for goods. He said GM’s data could potentially overlap with that investigation, though it was not the focus of the settlement.
In a statement, GM spokesperson Charlotte McCoy said, “This agreement addresses Smart Driver, a product we discontinued in 2024, and reinforces steps we’ve taken to strengthen our privacy practices. Vehicle connectivity is central to a modern and safe driving experience, which is why we’re committed to being clear and transparent with our customers about our practices and the choices and control they have over their information.”
The penalty eclipses the previous record of $2.75 million, which California extracted from Disney in February for a privacy law violation. Hochman called the new figure an indication that companies should expect higher penalties in the future.
Californians will soon gain a new tool to push back against unauthorized data collection. Starting August 1, the more than 500 data brokers registered with the state must comply with requests residents can submit through the Delete Request and Opt-out Platform, or DROP, an online tool the privacy protection agency introduced earlier this year.