GM Pays $12.75 Million Over Selling Driver Data Without Permission

General Motors agreed to pay $12.75 million to settle a California investigation into claims that the automaker sold detailed driving information about hundreds of thousands of Californians to data brokers without proper consent, according to an announcement from the California Attorney General's Office.

The settlement includes not just a fine but also new rules for how GM can handle customer data going forward. It was announced jointly by California's state attorney general, district attorneys from San Diego, Los Angeles, Napa, and Sonoma counties, and the California Privacy Protection Agency.

What GM Did Wrong

California prosecutors said GM violated two laws protecting consumers: the California Consumer Privacy Act (CCPA), which began in 2020, and California's Unfair Competition Law. The CCPA gives California residents rights over their own data — including the right to know what information companies are collecting and the right to say no to selling it.

The investigation found that GM collected detailed driving behavior data through its connected vehicles — cars that have internet connections and send information back to the company. This data included things like how hard drivers accelerated, how often they braked, their typical speeds, and where they drove. Insurance companies, marketing firms, and others found this information valuable for assessing risk or understanding consumer behavior.

GM then sold this data to data brokers — companies that buy and resell personal information. That's where the violation occurred: California law says companies need explicit permission before selling consumer data in this way.

What Changes Now

Beyond the $12.75 million payment, the settlement includes restrictions on GM's future data practices. Most importantly, GM is now banned from selling driving behavior data to data brokers at all.

For perspective, $12.75 million is a noticeable expense for most companies but relatively small for an automaker that generates billions in annual revenue. The real impact is the ban itself. GM appears to have made real money from this data-selling arrangement, and closing that off is a bigger loss than the fine.

The settlement still needs to be approved by a court, which is standard procedure for agreements of this size.

Why Automakers Care About Data

Modern cars produce enormous amounts of data. They track where you drive through GPS, record how you use the accelerator and brakes, capture what you do through the infotainment system (the dashboard screen), and collect signals from dozens of sensors. Automakers see this as valuable because insurance companies want it to assess driver risk, and marketers want it to build customer profiles.

For the automotive industry, data monetization — turning data into money — has become an important business strategy. Car sales are facing shrinking profit margins, and the shift to electric vehicles is expensive. Data licensing and connected services offer a way to generate steady income from each vehicle over many years.

But this business model runs into a changing legal landscape. States like California are passing tougher privacy laws and actually enforcing them. When violations are caught, penalties can be substantial.

The Bigger Picture

This situation has happened before in tech history. When the internet became commercial in the 1990s, companies treated user data as a free resource to exploit. It took regulations and consumer complaints to establish what actually acceptable practice looked like. We are seeing a similar pattern now in the automotive industry.

Connected vehicles are becoming sophisticated data-collection systems. They can track your location history, log your communications through integrated systems, measure biometric signals from driver monitoring cameras, and record detailed driving patterns that go far beyond simple trip information. That level of data collection creates both opportunities and genuine privacy risks.

The settlement should reshape how other automakers think about data licensing. The fact that enforcement came from California's state attorney general, the California Privacy Protection Agency, and district attorneys from multiple counties signals coordinated regulatory pressure. Other states are likely watching closely and may pursue similar investigations with their own companies.

Automakers will probably need to develop new ways to make money from vehicle data — direct partnerships with insurance companies, services they keep in-house, or platforms they run themselves — rather than selling data to brokers. They will also need to invest in compliance systems: better tools for managing customer consent, tracking where data goes, and deleting information when customers request it.

For anyone building the software systems that run connected cars, this settlement is a reminder that privacy is not a feature you bolt on later. Systems need to be designed from the ground up with consent and data protection in mind. That makes the engineering more complex, but it also lowers legal risk and, ultimately, builds customer trust.