DarkReading

California Privacy Settlement Hits GM With Record Penalty


California Attorney General Rob Bonta and a coalition of state and local enforcement agencies have announced a $12.75 million settlement with General Motors over allegations that the automaker illegally collected and sold drivers’ personal data without proper consent, in violation of the California Consumer Privacy Act (CCPA). The California privacy settlement marks the largest CCPA penalty in California history so far and represents the state’s first enforcement action focused on data minimization requirements under California privacy law.

The case centers on allegations that General Motors shared sensitive driver information, including geolocation data and driving behavior, with data brokers Verisk Analytics and LexisNexis Risk Solutions between 2020 and 2024.

California Privacy Settlement Targets Driver Data Sales

According to the complaint, GM collected data through its OnStar connected vehicle platform, which offers emergency assistance, navigation, and crash response services. Investigators alleged that the company sold names, contact details, precise location information, and driving behavior data of hundreds of thousands of Californians to the two data brokers.

Authorities said the data was intended to help create driver-risk scoring products that could be used by insurance companies when setting premiums.

The investigation was conducted jointly by the California Department of Justice, the California Privacy Protection Agency (CalPrivacy), and district attorneys from San Francisco, Los Angeles, Napa, and Sonoma counties.

Attorney General Rob Bonta said the settlement sends a clear message about consumer control over personal data.

“General Motors sold the data of California drivers without their knowledge or consent,” Bonta said in the announcement, adding that the data could reveal sensitive details about consumers’ daily routines and movements.

CCPA Violations and Data Minimization Concerns

A major part of the case focused on alleged violations of the CCPA’s data minimization and purpose limitation requirements, which were added to California law in 2023.

Under these provisions, companies are required to collect and retain only the data necessary for a disclosed purpose. Investigators alleged that GM retained driving and location data long after it was needed to operate OnStar services and later sold that retained data to third parties.

Authorities also alleged that GM failed to clearly inform consumers about how their information would be used. The complaint stated that GM’s privacy policies suggested driver data would only be used to provide requested OnStar services and even claimed the company did not sell driving or location information.

Investigators said the company’s practices contradicted those statements.

San Francisco District Attorney Brooke Jenkins described modern vehicles as “rolling data collection machines” and said consumers deserve transparency about what information is collected and how it is shared.

Los Angeles County District Attorney Nathan J. Hochman said companies handling consumer data would be held accountable under California privacy laws, regardless of their size.

Connected Vehicle Privacy Under Scrutiny

The settlement follows growing regulatory scrutiny around connected vehicle privacy and automotive data collection practices.

In 2023, CalPrivacy launched investigations into connected car manufacturers and their handling of consumer information. Public attention increased further in 2024 after a report by The New York Times highlighted how automakers were sharing driving behavior data with insurance companies. The reporting indicated that some consumers outside California had experienced increased insurance premiums tied to such data-sharing practices.

California investigators later determined that California drivers were likely not directly affected through insurance rate increases because state insurance laws prohibit insurers from using driving behavior data to set premiums.

However, regulators maintained that the collection, retention, and sale of the data itself violated California privacy requirements.

Settlement Terms for General Motors

Under the proposed California privacy settlement, General Motors must implement several privacy-related measures over the coming years.

The company will be required to:

  • Pay $12.75 million in civil penalties.
  • Stop selling driving data to consumer reporting agencies for five years.
  • Delete retained driving data within 180 days unless consumers provide express consent for limited uses.
  • Request the deletion of driver data already shared with LexisNexis and Verisk.
  • Establish and maintain a comprehensive privacy compliance program.
  • Submit privacy assessments and compliance reports to California regulators and prosecutors.

The settlement also reinforces California’s broader push to strengthen consumer control over personal information under the CCPA.

CalPrivacy Executive Director Tom Kemp said California privacy laws require businesses to collect only the information they genuinely need and to be transparent about how that data is handled.

Alongside the settlement announcement, regulators also highlighted the state’s Delete Request and Opt-out Platform (DROP), which allows Californians to submit requests to delete personal information held by hundreds of registered data brokers.


