This story was originally published by CalMatters. Sign up for their newsletters.
General Motors agreed to pay $12.75 million in civil penalties for selling driving data of hundreds of thousands of California motorists to data brokers, allegedly without their consent.
The settlement, announced Friday, is the largest ever for violations of the California Consumer Privacy Act, a 2018 law that requires companies to tell consumers about how their data is shared and to respect requests to stop the sharing.
It stemmed from an investigation by California Attorney General Rob Bonta, several county district attorneys, and the California Privacy Protection Agency, which enforces the privacy act. They said General Motors misled drivers who paid for the emergency roadside and navigation service OnStar and made approximately $20 million from the unlawful sale of their data between 2020 and 2024. The information included names, location information, driving behavior, and contact information, Bonta said, which went to the data brokers LexisNexis Risk Solutions and Verisk Analytics.
“This trove of information included precise and personal location data that could identify the everyday habits and movements of Californians,” Bonta said in a press release.
The settlement also requires GM to stop selling data to any consumer reporting agencies for five years and submit privacy assessments to the state, among other provisions. It followed a similar agreement between the Federal Trade Commission and GM earlier this year and California settlements with Honda and Ford over the past 14 months for their own violations of the privacy act.
California’s investigation of GM began after a 2024 New York Times investigation found GM collected data about millions of drivers nationwide and sold it to insurance companies in order to charge the drivers higher premiums. Californians were not impacted by those premium hikes because a state law prohibits insurers from using driving data to set insurance rates, Bonta said.
Bonta told CalMatters at a press conference Friday that it’s unclear if location data collected by General Motors was used by other companies to make predictions about the prices people are willing to pay for goods. That practice is better known as surveillance pricing and can leverage location data. Target paid $5 million to settle a suit from San Diego County’s district attorney over its alleged use of location for the technique. Bonta’s office began an investigation into the surveillance pricing practices of businesses in January.
“I understand that there could be some overlap and maybe we’ll discover something in our investigation in surveillance pricing, but that wasn’t the focus of this case,” he said.
Los Angeles District Attorney Nathan Hochman said the case started with one person finding location data in a report they requested about the data collected on them. That discovery, he added, led to investigations by journalists, prosecutors, and regulators
“This case shows more than anything that one consumer can make a huge difference,” he said.
Though the settlement isn’t much compared to the $2.7 billion in net income that General Motors made last year, Hochman called it an indication that companies should expect higher penalties in the future. California reached a privacy law violation settlement with Disney in February for $2.75 million, previously the largest of its kind.
In a statement shared with CalMatters, General Motors spokesperson Charlotte McCoy said, “This agreement addresses Smart Driver, a product we discontinued in 2024, and reinforces steps we’ve taken to strengthen our privacy practices. Vehicle connectivity is central to a modern and safe driving experience, which is why we’re committed to being clear and transparent with our customers about our practices and the choices and control they have over their information.”
Californians will soon have a new protection against companies that use their data without their consent. Starting August 1, the more than 500 data brokers registered with the state must comply with requests California residents can make using an online tool known as the Delete Request and Opt-out Platform, or DROP. The privacy protection agency introduced the tool earlier this year.
