GM Pays $12.75M Over Hidden OnStar Data Sales to Data Brokers

Martin Holloway | Published 4d ago | 4 min read | Based on 2 sources

California's Attorney General Rob Bonta reached a $12.75 million settlement with General Motors over claims that the automaker sold the driving and location data of hundreds of thousands of Californians to data brokers without clearly telling customers or letting them opt out. (California Attorney General's Office)

The case involved GM's OnStar telematics service—the connected technology that tracks a vehicle's location, speed, acceleration, and other driving patterns. Prosecutors alleged that GM sold this detailed behavioral data to LexisNexis Risk Solutions and Verisk Analytics, two major companies that use driving histories to assess insurance risk and set premiums, without adequate disclosure or consumer choice.

What GM Actually Did

OnStar subscribers had no way to know their driving data was being packaged and sold to insurers and risk assessment firms. When customers signed up for OnStar, GM did not clearly explain that their location, acceleration patterns, and other metrics would be passed to third parties. (Los Angeles County District Attorney's Office)

California's Consumer Privacy Act (CCPA) requires companies to tell people what personal data they collect and sell, and to let consumers say no. By failing to disclose these sales or provide meaningful opt-out options, GM violated those requirements, according to the lawsuit filed by district attorneys from Los Angeles, Napa, San Francisco, and Sonoma counties.

LexisNexis and Verisk are essential players in the insurance ecosystem. They collect driving behavior data from many sources and use it to build profiles that influence whether you get a policy, how much you pay, and what coverage you qualify for. For GM, selling this data was a revenue stream—a way to monetize the information its connected cars naturally generate.

What Changes Now

GM is now prohibited from selling consumer driving data to data brokers, effectively ending this revenue stream. The settlement also imposes new restrictions on how GM handles telematics data going forward, though the public announcement did not detail the specific technical requirements.

The automaker must still seek court approval for the settlement, a standard procedural step for agreements of this size and scope.

Why This Matters Beyond GM

Modern cars generate enormous amounts of data. A single vehicle can produce multiple gigabytes of information daily through its GPS, sensors, and internet connection. As telematics have become standard across nearly all new cars, automakers have had the ability—and the incentive—to monetize this behavioral data. What was less clear was whether they could do so without explicit customer consent.

We have seen this pattern before. When smartphones first became ubiquitous, they collected location data from users, and companies initially shared that information with third-party developers with minimal disclosure. Regulators and privacy advocates pushed back. Over time, mobile platforms established clearer consent frameworks. The auto industry appears to be following the same trajectory: a period of opaque data practices, followed by regulatory enforcement and stricter rules.

The broader context here is that California's privacy law gives enforcers specific levers to challenge data broker arrangements that lack transparency. The CCPA requires companies to tell people what data they sell and to whom. It also gives consumers the right to opt out of sales. When companies don't follow those rules, they can be held accountable.

For automakers, this settlement sends a signal: revenue models built on hidden data sharing are likely to face legal trouble, especially in California. Other automakers with similar telematics programs may now need to rethink how they disclose and manage these practices.

The financial penalty—while substantial—is only part of the cost. The operational restriction on selling driving data to brokers may have a larger long-term impact on GM's connected services business model. And there is a reputational cost that comes with enforcement actions of this kind.

The data broker industry should also take notice. LexisNexis and Verisk depend on sourcing data from connected devices and vehicles. As regulators become more focused on how that data flows and who consents to it, data brokers will face pressure to verify where their information comes from and ensure transparency throughout the supply chain.

This case also reflects a shift in how California enforces privacy law. Multiple state agencies and district attorneys from different counties coordinated on the investigation and settlement. That kind of multi-agency approach—pooling resources and enforcement authority—may become more common as privacy regulation matures. It makes enforcement more powerful and harder to evade.

The connected vehicle market is still expanding. Most major automakers now include telematics as standard. How the industry adapts to clearer privacy rules—and what new business models emerge that respect consumer control—will shape not just automobiles but how connected devices and IoT systems handle personal data across all industries.