General Motors has agreed to pay $12.75 million to settle a major privacy lawsuit in California after allegations that the automaker sold sensitive driver data without proper consent. The settlement, announced by California Attorney General Rob Bonta, marks the largest privacy-related penalty under the state’s Consumer Privacy Act.
The lawsuit accused GM of sharing detailed customer information, including driving habits, geolocation data, names, and contact details, with third-party data brokers between 2020 and 2024. State officials said hundreds of thousands of California drivers were affected.
According to investigators, the data was collected through GM’s connected vehicle platform, including services linked to OnStar.
California Says Drivers Were Never Properly Informed
California officials argued that GM failed to clearly inform customers that their personal driving behavior could be sold to outside companies. Under the California Consumer Privacy Act, businesses must disclose how customer information is used and provide an easy option to opt out of data sharing.
Authorities claim GM generated nearly $20 million through the sale of consumer driving data.
At the center of the controversy was information that reportedly tracked how fast people drove, how often they braked, how long they stayed on the road, and where they traveled regularly. Officials warned that such data could create a detailed picture of an individual’s daily life and routines.
“This is not just about cars,” officials said during the announcement. “It is about surveillance-level data collection without meaningful customer awareness.”
Data Brokers and Insurance Concerns Raise Alarm
The investigation gained momentum after reports revealed that driving data collected from connected vehicles was being used by insurance companies to evaluate driver risk profiles. California prosecutors said data brokers, including Verisk Analytics and LexisNexis Risk Solutions, allegedly purchased information from GM to help insurers develop driver scoring systems.
One California resident reportedly discovered their driving history embedded inside a credit report, triggering broader scrutiny and eventually multiple investigations across the country.
While California law prevents insurers from using such telematics data to raise insurance premiums, officials noted that drivers in other US states may not have the same protections.
GM Agrees to Major Restrictions
As part of the settlement, GM must stop selling driver data to consumer reporting agencies for the next five years. The company is also required to delete collected driving data within 180 days, except for limited internal operational purposes.
Additionally, GM has been directed to request the deletion of previously shared customer data from third-party brokers.
In a statement, GM said the case relates to its discontinued “Smart Driver” program and added that the company has already taken steps to improve transparency and strengthen privacy controls.
The automaker maintained that connected vehicle services remain important for safety, roadside assistance, and theft recovery features used by millions of customers globally.
Privacy Scrutiny Expands Across Auto Industry
The GM settlement comes amid growing concerns over how modern connected vehicles collect and monetize user data. Earlier this year, the Federal Trade Commission finalized a separate order restricting GM and OnStar from sharing certain driver information without explicit consent.
Other automakers have also faced regulatory action. Honda and Ford Motor Company recently settled similar privacy cases in California tied to consumer data collection and opt-out practices.
What was once marketed as convenience technology inside smart vehicles is now becoming one of the biggest privacy battlegrounds in the automotive industry.
