GM Agrees USD 12.5 Million Settlement Over California Driver Data Privacy Claims

General Motors has agreed to pay USD 12.5 million to resolve allegations from California regulators claiming the automaker improperly sold personal and driving-related information belonging to hundreds of thousands of drivers between 2020 and 2024. The announcement was made on May 8 by California Attorney General Rob Bonta, who stated that the company violated privacy commitments made to consumers regarding the handling of location and driving data collected through connected vehicle services.

The case centers on data gathered through GM’s OnStar subscription platform and its Smart Driver product. According to regulators, the information was later sold to Verisk Analytics and LexisNexis Risk Solutions, both of which provide analytical data services used by insurance companies for risk assessment and premium calculations. Authorities alleged that GM’s privacy policies assured users that sensitive driver information would not be sold, creating a conflict between customer expectations and the company’s data-sharing practices.

The data transferred reportedly included customer names, contact details, GPS-based location records, vehicle speed information, and events involving rapid acceleration. Regulators argued that such information could be used to build detailed behavioral profiles of drivers. The settlement amount of USD 12.5 million is notably lower than the nearly USD 20 million that authorities claim GM generated through these data transactions during the investigated period.

Key Settlement Conditions Imposed on GM

The agreement introduces several operational and compliance obligations that GM must follow moving forward. These measures are intended to strengthen consumer privacy protections and limit the company’s future handling of driving-related personal information.

The California settlement is also linked to a previous agreement involving GM, OnStar, and the U.S. Federal Trade Commission. Regulators indicated that both actions were connected through concerns surrounding consumer consent and transparency in the handling of connected vehicle data. The latest settlement remains subject to court approval but represents another major development in the growing scrutiny surrounding automotive data privacy and telematics-based insurance profiling in the United States.

Frequently Asked Questions

Why did GM agree to the California driver data settlement?
GM agreed to settle claims after California regulators alleged the company improperly sold personal and driving-related data collected through OnStar and Smart Driver services. Authorities stated that the company shared customer information with data brokers despite privacy assurances suggesting such data would not be sold. The settlement allows GM to resolve the allegations while also introducing new privacy controls, mandatory data deletion timelines, and restrictions on future sales of driving data to consumer reporting agencies.

What type of driver information was reportedly shared by GM?
The data involved in the case reportedly included customer names, contact details, GPS location history, speed information, and records of rapid acceleration events. Regulators claimed the information could be used to analyze driver behavior and support insurance risk modeling. The data was reportedly provided to Verisk Analytics and LexisNexis Risk Solutions, which supply analytical products and services commonly used by insurers for pricing and behavioral assessment purposes.

What operational changes must GM implement under the settlement?
Under the settlement terms, GM must delete retained driver data within 180 days unless customers provide consent for continued retention. The company is also required to establish an internal privacy compliance framework focused on assessing OnStar-related data collection risks. In addition, GM faces a five-year restriction on selling personal driving information to consumer reporting agencies, reflecting broader regulatory concerns around connected vehicle privacy practices.