California driver – GM reached a $12.75M California settlement tied to alleged illegal sales of drivers’ location and behavior data to data brokers.

A $12.75 million settlement in California is putting new pressure on how automakers handle sensitive driver information, after allegations that General Motors sold data tied to driving behavior and location.

California Attorney General Rob Bonta announced the agreement with GM under claims the company violated the California Consumer Privacy Act (CCPA).. The case centers on allegations that GM collected and sold Californians’ driving and location data to data brokers Verisk Analytics and LexisNexis Risk Solutions between 2020 and 2024.

The scrutiny began in 2024 after media reports raised concerns that automakers, including GM, were sharing driver behavior with insurers.. According to the allegations. GM’s OnStar subsidiary and its “Smart Driver” system were involved in gathering the data. which was reportedly meant to feed driver-scoring products used in insurance contexts.

California’s investigation also targets how GM handled consumer notice and consent.. State officials said the company did not properly inform consumers or obtain permission for the collection described in the complaint.. They also alleged GM kept the data longer than necessary. re-purposed it for sale. and made the material available beyond what consumers expected.

The attorney general’s office said the dataset included precise and personal location information capable of identifying everyday patterns and movements of Californians.. Bonta argued that GM sold California drivers’ data without knowledge or consent. even while GM had made statements meant to reassure drivers that it would not sell such information.

Federal enforcement had already flagged GM’s data practices.. The American automaker was previously criticized by the U.S.. Federal Trade Commission for unlawful data collection, and the FTC banned GM from selling drivers’ data for five years.. In California. the new matter is framed not only as a financial penalty but also as enforcement tied specifically to how data is minimized under state rules.

California described the $12.75 million civil penalties as a record for the state and said the case is the first enforcement action focused on data minimization rules.. That distinction matters because it suggests regulators are increasingly homing in on how much data is collected and retained. and not just whether it is shared.

Under the settlement, GM is required to stop selling driving data to consumer reporting agencies and brokers for five years. It must also delete retained driving data within 180 days unless consumers explicitly consent to retention.

GM is further required to ask LexisNexis and Verisk to delete the data they previously received. The agreement also calls for GM to implement a stronger privacy compliance program and provide regular assessments to regulators, aiming to reduce the chance of similar compliance failures repeating.

Officials said California drivers were unlikely to face higher insurance premiums as a result of the data sales. pointing to state law that prohibits insurers from using driving data to set rates.. Still. the dispute highlights a broader issue for the connected-car industry: the line between what drivers think they’re sharing for navigation or assistance and what companies may later use for downstream analytics.

Meanwhile, the case underscores how “location” and “driving behavior” information can become high-value inputs for data brokers and risk modeling.. Even when consumers are not directly steering their data toward insurers. regulators argue the privacy impact can still be substantial if companies repurpose collected information for scoring and commercial sale.

For consumers and privacy advocates. the settlement is also a signal that regulators are treating consent and retention as core requirements. not optional safeguards.. The requirement to delete and to compel deletion by counterparties indicates regulators want control to extend beyond the original collector to the broader data supply chain.

For automakers, the outcome may add momentum to stricter internal governance around connected services such as telematics platforms.. In practice. compliance programs may need to map what is collected. why it is collected. how long it is held. and whether each downstream transfer is justified with clear consumer permission.

GM settlement California Consumer Privacy Act driver location data OnStar Smart Driver data brokers Verisk LexisNexis privacy compliance