GM Settles for $12.75 Million in California Driver Privacy Case
General Motors (GM) has agreed to a $12.75 million settlement with California authorities over allegations of unauthorized sharing of driver data. This settlement addresses concerns that GM sold sensitive information about California drivers without their explicit consent.
Background of the Allegations
In 2024, reports emerged that GM, among other automakers, was sharing detailed driver information with insurance companies. This data included names, contact details, geolocation, and driving behaviors, collected through GM’s OnStar program. The data was sold to data brokers like Verisk Analytics and LexisNexis Risk Solutions, generating approximately $20 million in revenue for GM. While such practices raised concerns nationwide, California’s strict insurance laws prevented insurers from using this data to adjust rates, mitigating potential financial impacts on drivers.
Details of the Settlement
Under the terms of the settlement:
– Financial Penalty: GM will pay $12.75 million in civil penalties.
– Data Sharing Moratorium: GM is prohibited from selling driving data to consumer reporting agencies for the next five years.
– Data Deletion: Within 180 days, GM must delete any retained driver data unless explicit consent is obtained from customers. Additionally, GM is required to request that Verisk and LexisNexis delete any data they received.
California Attorney General Rob Bonta emphasized the importance of this settlement, stating that it underscores the necessity of data minimization and the requirement for companies to obtain clear consent before using consumer data for purposes beyond the original intent.
GM’s Response and Previous Actions
In response to the settlement, GM highlighted that the agreement pertains to its Smart Driver program, which was discontinued in 2024. The company stated that the settlement reinforces the steps it has already taken to enhance its privacy practices. Prior to this settlement, GM had also reached an agreement with the Federal Trade Commission (FTC), resulting in a ban on sharing certain consumer data with reporting agencies.
Implications for the Automotive Industry
This case serves as a significant reminder to automakers about the critical importance of consumer privacy. As vehicles become increasingly connected, the volume of data they generate grows exponentially. This data can offer valuable insights and revenue opportunities but also poses substantial privacy risks. The GM settlement highlights the necessity for transparent data practices and the importance of obtaining explicit consumer consent.
Broader Context of Data Privacy in the Automotive Sector
The GM case is part of a broader trend of increased scrutiny over data privacy practices in the automotive industry. In recent years, several incidents have brought attention to how companies handle consumer data:
– Walmart’s Settlement: In February 2026, Walmart agreed to a $100 million settlement over deceptive pay practices in its Spark Driver program, which involved misleading drivers about their earnings and the handling of customer tips.
– Google’s Fine: In September 2023, California imposed a $93 million fine on Google for deceptive location data options, highlighting the tech industry’s challenges in managing user data transparently.
– Data Broker Breach: In February 2025, a Florida data broker faced potential fines after a massive breach exposed Social Security numbers, underscoring the vulnerabilities in data handling practices.
These cases illustrate a growing emphasis on data privacy and the need for companies across industries to adopt robust data protection measures.
The Future of Data Privacy in Connected Vehicles
As the automotive industry continues to innovate, integrating advanced technologies and connectivity features, the handling of consumer data will remain a focal point. Automakers must balance the benefits of data utilization with the imperative to protect consumer privacy. This balance requires:
– Transparent Data Policies: Clearly communicating to consumers how their data is collected, used, and shared.
– Obtaining Explicit Consent: Ensuring that consumers have the opportunity to opt-in or opt-out of data collection and sharing practices.
– Implementing Robust Security Measures: Protecting collected data from breaches and unauthorized access.
– Regular Audits and Compliance Checks: Continuously reviewing data practices to ensure compliance with evolving regulations and best practices.
The GM settlement serves as a cautionary tale and a call to action for the automotive industry to prioritize consumer privacy in the age of connected vehicles.
