California Fines General Motors for Driver Data Sales

General Motors has reached a significant settlement with the state of California, agreeing to pay $12.75 million in civil penalties for illicitly selling driver data. This landmark agreement, awaiting court approval, marks California as the first state to successfully challenge the automaker's practices of sharing sensitive customer information. The settlement not only mandates a financial penalty but also imposes a five-year ban on GM providing driving data to consumer reporting agencies. Furthermore, the company is required to ensure that data brokers like LexisNexis Risk Solutions and Verisk Analytics delete any previously acquired information.

The automotive giant's actions came under scrutiny following a New York Times exposé revealing that GM, alongside other car manufacturers, was transmitting driver location and behavior data to third-party data brokers. This unauthorized dissemination of personal information allegedly contributed to higher insurance premiums for some drivers. Although California's robust privacy laws protected its residents from direct insurance rate hikes due to this data, the investigation by the California Privacy Protection Agency confirmed that GM had indeed sold the names, contact details, geolocation data, and driving patterns of hundreds of thousands of Californians. Despite the substantial volume of data sold, GM reportedly generated only $20 million nationwide from these transactions through its OnStar service.

California Takes Action Against GM's Data Practices

California has secured a $12.75 million settlement from General Motors for its unauthorized sale of driver data, a move that establishes the state as a pioneer in holding automakers accountable for privacy breaches. This agreement not only imposes a significant financial penalty but also includes stringent measures to prevent future misuse of personal driving information. As part of the settlement, GM is explicitly prohibited from sharing driving data with consumer reporting agencies for a five-year period. Additionally, the automaker must ensure the deletion of all previously collected data by third-party brokers, such as LexisNexis Risk Solutions and Verisk Analytics, thereby reinforcing driver privacy rights.

The state's investigation into GM's data practices was prompted by a New York Times report that highlighted the widespread issue of automakers selling sensitive driver information. It was found that GM had been collecting and selling specific personal data, including names, contact information, precise geolocation, and detailed driving behaviors, from hundreds of thousands of California residents via its OnStar system. While California's existing legal framework protected its drivers from direct increases in insurance rates due to this data, the attorney general emphasized that GM had betrayed customer trust by selling this information without customers' knowledge or consent, directly contradicting previous reassurances regarding data privacy.

Broader Implications and Industry Response to Data Sales

The settlement between General Motors and California highlights a growing legal and ethical challenge facing the automotive industry concerning data privacy. This resolution reinforces the critical need for explicit consent and transparency in how vehicle-generated data is collected, used, and shared. Following the California agreement, GM has acknowledged the issue, stating that the settlement addresses its "Smart Driver" product, which was discontinued in 2024, and reaffirms its commitment to enhancing privacy practices. This development underscores the increasing pressure on automakers to prioritize customer data security and adhere to robust privacy regulations across all jurisdictions.

Beyond California, the scrutiny of GM's data handling practices has expanded, with several other states, including Texas, Nebraska, Indiana, and Arkansas, launching their own investigations. These probes reflect a broader national concern over unauthorized data collection and its potential impact on consumers. Furthermore, the U.S. Federal Trade Commission (FTC) took decisive action in early 2025, banning GM from selling sensitive driving data for five years and requiring the company to obtain explicit customer consent for future data collection and sharing. These concerted efforts by state and federal authorities signal a clear shift towards greater accountability for automotive manufacturers in safeguarding consumer privacy, prompting a reevaluation of data monetization strategies within the industry.