GM to Pay $12.75M in Landmark California Settlement Over Secret Sale of Driver Data to Insurers

Breaking: GM Agrees to $12.75 Million Settlement Over Alleged Illegal Sale of Driver Data

General Motors has agreed to a proposed $12.75 million settlement with California authorities over accusations that it secretly collected and sold drivers’ personal data to insurers without consent, state Attorney General Rob Bonta announced Tuesday.

Source: www.bleepingcomputer.com

The settlement, if approved by a judge, would resolve claims that GM violated the California Consumer Privacy Act (CCPA) by sharing detailed driving behavior information — including speed, braking, and mileage — with third-party data brokers and insurance companies for marketing and risk-assessment purposes.

Allegations: 'A Clear Violation of Trust'

The California Attorney General’s investigation found that GM’s OnStar connected-vehicle service and its Marketplace platform transmitted driver data to firms that then sold it to insurers, often without consumers’ knowledge or explicit permission.

“This is a clear violation of the trust that consumers place in automakers when they buy a connected car,” Bonta said in a statement. “GM took people’s driving data and sold it — for profit — without being transparent or obtaining the legally required consent.”

The settlement includes a $12.75 million penalty — one of the largest ever under the CCPA — and requires GM to implement stricter data-sharing controls and obtain affirmative consent before collecting or selling any driving data from its vehicles.

Expert Reaction: 'A Warning Shot for the Auto Industry'

Privacy experts say the case marks a significant enforcement action that could reshape how automakers handle connected-car data.

“This settlement sends a strong signal that regulators are watching how car companies monetize driver data,” said Jennifer Lynch, surveillance litigation director at the Electronic Frontier Foundation. “Automakers can’t just bury data-sharing terms in fine print and expect to get away with it.”

Lynch noted that the CCPA — and California’s more stringent California Privacy Rights Act (CPRA) — give consumers the right to know what data is collected, to opt out of its sale, and to sue companies that violate those rights.

Background: The Rise of Connected-Vehicle Data Monetization

Modern vehicles from GM’s Chevrolet, Buick, GMC, and Cadillac brands often collect a continuous stream of telemetry data: GPS location, driving speed, acceleration patterns, and even seatbelt usage.

Automakers have increasingly partnered with insurance companies and data brokers to analyze this data, using it to offer usage-based insurance policies or to flag risky drivers — sometimes without drivers realizing their own car is reporting on them.

The California investigation began after consumer complaints and a 2023 report by the New York Times revealed that GM’s OnSmart Driving program (a telematics service) shared driver scores with insurers via third-party data aggregators like LexisNexis and Verisk.

CCPA Violations Alleged

Under the CCPA, consumers have the right to opt out of the sale of their personal information. The Attorney General alleged that GM did not provide a clear opt-out mechanism and that its privacy disclosures were misleading.

“GM’s practices fell far short of the CCPA’s requirements,” Bonta said. “Companies that collect sensitive data — location, driving habits — must be especially careful to respect consumer rights.”

What This Means: Precedent for Data Privacy Enforcement

The settlement is one of the first major CCPA enforcement actions against an automaker, potentially setting a precedent for how similar cases are handled nationwide.

It underscores that connected vehicle data is considered highly sensitive, and that companies cannot assume they have implied consent to share it merely because a driver accepts a terms-of-service agreement.

For consumers, the settlement means that GM must now clearly disclose what data it collects, obtain explicit permission before selling it, and allow in-car opt-out controls. If a judge approves the settlement, GM will also pay a penalty that goes into a fund to support California’s privacy enforcement efforts.

What’s Next

The proposed settlement is subject to a 30-day public comment period and final court approval. GM has denied any wrongdoing but agreed to the settlement to avoid protracted litigation.

“We are committed to protecting customer privacy and believe this settlement is a fair resolution,” a GM spokesperson said in a statement. “We have already made changes to our data practices to ensure full compliance with the CCPA.”

Consumers who believe their data was improperly sold may have options under the CCPA’s private right of action, though that provision is limited to data breaches. For now, Bonta urged anyone with concerns to file a complaint with the California Attorney General’s office.

This is a breaking story. Updates will follow as more details emerge.
