GM to pay $12.75 million in California driver data privacy settlement

At a glance:

• General Motors has agreed to pay $12.75 million in civil penalties and to stop selling driving data to consumer reporting agencies for five years, settling with a coalition of law enforcement agencies led by California Attorney General Rob Bonta.
• The settlement alleges that GM shared the names, contact information, geolocation data, and driving behavior data of hundreds of thousands of Californians through its OnStar program, selling that data to data brokers Verisk Analytics and LexisNexis Risk Solutions.
• GM must delete any retained driver data within 180 days unless customers provide consent to keep it, and must also request that Verisk and LexisNexis delete the data they received—though Bonta's office noted the data did not result in higher insurance rates in California.

What the settlement requires

General Motors will pay $12.75 million in civil penalties and is barred from selling driving data to any consumer reporting agency for a period of five years. In addition, the company must delete all driver data it still retains within 180 days of the settlement, unless individual customers have given explicit consent to keep their information. GM is also required to contact both LexisNexis Risk Solutions and Verisk Analytics and request that those data brokers delete the records they obtained.

California Attorney General Rob Bonta led the enforcement action on behalf of a group of law enforcement agencies. Bonta said in a statement that General Motors sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so. He added that the settlement requires GM to abandon these illegal practices and underscores the importance of data minimization in California's privacy law—companies cannot simply hold on to data and use it later for another purpose.

How GM collected and sold driver data

The data at the center of the settlement was gathered through GM's OnStar platform, specifically a feature known as Smart Driver, which tracked driving behavior including speed, braking patterns, and mileage. That information, along with names, contact details, and geolocation histories, was then sold to third-party data brokers—Verisk Analytics and LexisNexis Risk Solutions—who made it available to other businesses, including insurance companies.

According to Bonta's office, GM generated roughly $20 million in revenue from these data sales. The New York Times first reported in 2024 that automakers including GM were sharing customer driving-behavior data with insurers, and that some policyholders had seen their rates increase as a result. However, Bonta's office concluded that in California specifically, the data did not lead to higher insurance prices, largely because state law prohibits insurers from using driving data to set insurance rates.

Prior regulatory action and the road to this settlement

This California settlement is not GM's first regulatory consequence for its data practices. The company had previously reached a settlement with the Federal Trade Commission, which issued a final order banning General Motors and OnStar from selling certain categories of data with consumer reporting agencies. The California action builds on that earlier enforcement and extends the restrictions with a five-year sales ban and mandatory data deletion.

GM told Reuters that the settlement addresses Smart Driver, a product the company discontinued in 2024, and reinforces steps it has already taken to strengthen its privacy practices. The company did not admit wrongdoing but agreed to the terms of the settlement.

What this means for drivers and the auto industry

For California drivers, the settlement means that GM must stop monetizing their driving data and must actively work to erase records already shared with data brokers. It also sets a precedent for how automakers can handle the vast quantities of telematics data modern vehicles generate—particularly as connected-car features become standard across the industry.

More broadly, the case highlights the tension between the data-rich capabilities of modern vehicles and consumer expectations of privacy. With dozens of automakers now operating connected services similar to OnStar, regulators in other states may look to California's approach as a model. The outcome signals that selling driver behavior data without transparent consent is no longer a gray area—it is an enforceable violation.