General Motors Pays $12.75M to Settle California Privacy Violations Over OnStar Data Sales

Martin Holloway | Published 4d ago | 6 min read | Based on 2 sources

California Attorney General Rob Bonta secured a $12.75 million settlement with General Motors over allegations the automaker illegally sold hundreds of thousands of Californians' location and driving data to third-party data brokers without proper disclosure or consent mechanisms.

The settlement, announced alongside Napa County District Attorney Allison Haley and Sonoma County District Attorney Carla Rodriguez, resolves claims that GM violated the California Consumer Privacy Act (CCPA) and California's Unfair Competition Law through its handling of OnStar telematics data (source: California Attorney General's Office). The California Privacy Protection Agency provided support for the enforcement action.

The Core Allegations

The lawsuit, filed by district attorneys from Los Angeles, Napa, San Francisco, and Sonoma counties, centered on GM's OnStar connectivity service and its data monetization practices. Prosecutors alleged that GM sold customer driving and location data to LexisNexis Risk Solutions and Verisk Analytics without adequately disclosing these transfers to consumers or providing meaningful opt-out mechanisms.

According to the complaint, GM failed to clearly inform OnStar subscribers that their driving behavior data—including location information, acceleration patterns, and other vehicle metrics—would be packaged and sold to data brokers (source: Los Angeles County District Attorney's Office). The alleged deception violated CCPA requirements for transparent data collection notices and consumer control over personal information sharing.

The data sales involved two major players in the risk assessment ecosystem: LexisNexis Risk Solutions, which operates extensively in insurance and financial services risk modeling, and Verisk Analytics, a data analytics company serving insurance carriers. Both companies use driving behavior data to build risk profiles that can influence insurance premiums and coverage decisions.

Settlement Terms and Restrictions

The agreement imposes significant operational constraints on GM's data practices going forward. The automaker is now prohibited from selling consumer driving data to data brokers, effectively shuttering what had been a revenue stream tied to its connected vehicle capabilities.

Beyond the financial penalty, the settlement establishes new requirements for GM's data handling procedures, though specific technical compliance measures were not detailed in the public announcement. The restrictions apply specifically to the types of granular behavioral data that OnStar and similar telematics systems routinely collect from connected vehicles.

The settlement remains subject to court approval, following standard procedure for negotiated resolutions in consumer protection cases of this scope.

Broader Context for Connected Vehicle Privacy

This enforcement action arrives as automotive telematics have become standard across most new vehicle models, creating vast data streams that automakers are still learning to monetize responsibly. The automotive industry's data collection capabilities have expanded dramatically over the past decade, with modern vehicles generating multiple gigabytes of operational data daily through embedded sensors, GPS systems, and connectivity modules.

We have seen this pattern before, when smartphone platforms initially struggled to establish clear boundaries around location data sharing with third-party developers. The mobile ecosystem eventually settled into more structured consent frameworks after regulatory pressure, and the automotive sector appears to be following a similar trajectory toward more explicit consumer controls.

CCPA has provided enforcers with specific tools to challenge data broker relationships that lack sufficient consumer transparency. The law's "right to know" provisions require businesses to disclose categories of personal information sold to third parties, while its opt-out requirements give consumers control over such sales.

Looking at what this means for the connected vehicle landscape, automakers now face clearer regulatory expectations around telematics data monetization. The settlement sends a signal that revenue models built on opaque data sharing arrangements may not survive enhanced privacy scrutiny, particularly in California's regulatory environment.

Industry Implications

The GM settlement establishes precedent for how privacy enforcers will evaluate automotive data practices under existing consumer protection frameworks. Other automakers with similar telematics monetization strategies may need to reassess their compliance postures, particularly regarding disclosure practices and consumer choice mechanisms.

The financial penalty—while substantial for a single state enforcement action—represents a fraction of GM's annual revenue but carries broader reputational and operational costs. The ongoing restrictions on data broker sales may have more lasting impact on the company's connected services business model than the immediate financial settlement.

For the data broker ecosystem, this action highlights regulatory risk around automotive data sourcing. LexisNexis and Verisk, while not named as defendants in this case, operate in a market where source data transparency is becoming increasingly important for compliance and business continuity.

The enforcement also demonstrates coordination between state-level privacy agencies, with CalPrivacy's support role showing how California's layered privacy enforcement structure can amplify individual actions. This multi-agency approach may become more common as privacy enforcement matures.

The connected vehicle market continues expanding rapidly, with most major automakers now offering telematics services as standard equipment. How this sector adapts its data practices in response to privacy enforcement will likely influence broader IoT and connected device compliance approaches across industries that collect granular behavioral data from consumers.
