GM to Pay over $12 Million in California Privacy Settlement Involving Driver Data

The Record by Recorded Future, May 8, 2026

Why It Matters

The penalty underscores the growing enforcement power of state privacy laws and forces the auto industry to rethink data‑sharing practices, impacting revenue streams and consumer trust.

Key Takeaways

  • GM pays $12.75M, largest CCPA fine to date
  • Settlement bans GM from selling driving data for five years
  • GM must delete OnStar data after 180 days without consent
  • Verisk and LexisNexis ordered to erase all purchased driver data
  • GM required to build privacy program and report findings to regulators

Pulse Analysis

The California Consumer Privacy Act, enacted in 2018, has become the benchmark for state‑level data protection in the United States. General Motors’ $12.75 million settlement marks the steepest penalty ever imposed under the CCPA, underscoring the agency’s willingness to enforce consent requirements on large technology‑enabled manufacturers. The case centers on OnStar, GM’s telematics service that collected precise location, speed and driver identifiers from millions of vehicles between 2020 and 2024. Prosecutors allege the automaker sold that information to Verisk and LexisNexis without informing owners, violating both disclosure and data‑retention rules.

The fallout extends beyond GM’s balance sheet. By halting data sales for five years, the settlement curtails a growing pipeline that insurers and third‑party analytics firms have used to build risk‑scoring products. Although California law bars insurers from pricing policies with such data, other states lack comparable safeguards, meaning the practice contributed to premium hikes elsewhere. The forced deletion of records after 180 days also raises operational challenges for automakers that rely on long‑term telemetry for vehicle diagnostics, over‑the‑air updates, and safety recalls.

Looking ahead, the agreement signals a tightening regulatory climate for connected‑car ecosystems. GM must now institute a documented privacy program, conduct regular risk assessments, and submit reports to the California Privacy Protection Agency, setting a template other manufacturers are likely to follow. Consumers can expect clearer opt‑in mechanisms and shorter data‑retention windows, while data brokers will face heightened scrutiny over purchases. As more states contemplate CCPA‑style statutes, the automotive sector may need to redesign its data architecture to stay compliant.
