GM to pay $12.75 million record penalty under California privacy law

GM pays record penalty as California ties driving-data sales to privacy law

General Motors agreed to pay $12.75 million in civil penalties after California accused the automaker of selling driving data from hundreds of thousands of motorists to data brokers without their consent, in what California said is the largest settlement ever under the California Consumer Privacy Act. The settlement, announced Friday, follows a joint investigation led by California Attorney General Rob Bonta’s office, with involvement from several county district attorneys and the California Privacy Protection Agency.

California said GM’s investigation centered on data collected through the company’s OnStar emergency roadside and navigation service and later sold to data brokers. The state alleged that the company misled drivers who paid for that service and then generated revenue from the unlawful sale of their data between 2020 and 2024, including names, location information, driving behavior, and contact information.

Bonta said in a press release that the data included “precise and personal location data that could identify the everyday habits and movements of Californians.” He also pointed to the potential risk of location data being used beyond simple marketing, including for pricing-related predictions, during remarks to CalMatters.

The California case identified LexisNexis Risk Solutions and Verisk Analytics as the data brokers that received the information, according to the state’s allegations. The settlement also requires GM to stop selling data to any consumer reporting agencies for five years and to submit privacy assessments to the state as part of its compliance obligations.

The investigation began after a 2024 New York Times investigation reported that GM collected data about millions of drivers nationwide and sold it to insurance companies to help charge some drivers higher premiums. California said those Californians were not affected by the reported premium hikes because state law prohibits insurers from using driving data to set insurance rates.

Bonta told CalMatters at a press conference Friday that it was unclear whether the location data GM collected was used by other companies to predict what prices people are willing to pay for goods, a practice he said is better known as surveillance pricing. He said the investigation into those practices was not the focus of the GM case, and California’s office began a separate investigation into surveillance pricing practices of businesses in January.

Los Angeles District Attorney Nathan Hochman said the case began after one person found location data in a report they requested about information collected on them. Hochman said the discovery led to investigations by journalists, prosecutors, and regulators, and he called the settlement a sign that individual consumer action can prompt broader scrutiny.

Hochman also said the settlement’s size may be modest compared with GM’s recent earnings, but that it signals companies should expect higher penalties in the future. California reached a privacy law violation settlement with Disney in February for $2.75 million, previously described as the largest of its kind, and the GM resolution follows similar California settlements with Honda and Ford over violations dating to the past 14 months.

In a statement shared with CalMatters, GM spokesperson Charlotte McCoy said, “This agreement addresses Smart Driver, a product we discontinued in 2024, and reinforces steps we’ve taken to strengthen our privacy practices. Vehicle connectivity is central to a modern and safe driving experience, which is why we’re committed to being clear and transparent with our customers about our practices and the choices and control they have over their information.”

California officials said the GM settlement also fits into a broader enforcement push that includes federal action earlier this year. The AP report said the GM settlement followed a similar agreement between the Federal Trade Commission and GM earlier this year, and it comes as California prepares to give residents additional tools to limit data brokerage.

Starting Aug. 1, California said more than 500 data brokers registered with the state must comply with delete and opt-out requests that residents can make using an online tool known as the Delete Request and Opt-out Platform, or DROP. California’s privacy protection agency introduced the tool earlier this year.