General Motors has agreed to pay $12.75 million to resolve a civil lawsuit alleging the automaker unlawfully sold the personal information and driving data of hundreds of thousands of OnStar subscribers to third-party data brokers. The settlement, announced Friday, follows allegations that the company violated California’s privacy, false advertising, and unfair competition laws between 2020 and 2024.
The legal action was initiated by the California Attorney General and the District Attorneys of Los Angeles, Napa, San Francisco, and Sonoma counties, with additional support from the California Privacy Protection Agency. The lawsuit alleges that from 2016 to 2024, General Motors collected and retained extensive driver-related data from hundreds of thousands of Californians who subscribed to OnStar, the company’s vehicle connectivity service.
This case highlights a growing tension between the convenience of connected vehicle technology and the fundamental right to data privacy. As cars become increasingly integrated with software and sensors, the volume of telemetry data generated—from where a driver parks to how hard they brake—has become a valuable commodity for data brokers and insurance entities.
The Scope of the Data Breach and Alleged Deception
According to the lawsuit, the data collected by General Motors was not limited to basic account information. The information allegedly sold to third parties included names, phone numbers, and home addresses, as well as highly specific behavioral driving data. This included vehicle speeds, instances of rapid acceleration, hard braking, and GPS locations detailing where OnStar subscribers drove and parked their vehicles.
The core of the legal dispute centers on the gap between General Motors’ public assurances and its actual business practices. The company allegedly told OnStar subscribers that it did not sell driving or location data, claiming such information was used exclusively for OnStar services—such as providing driving directions, improving driver skills, or summoning emergency services like ambulances.
However, officials allege that in 2020, General Motors began selling this sensitive data to two prominent data brokers: LexisNexis Risk Solutions and Verisk Analytics, Inc. The lawsuit contends that GM deceived consumers by failing to adequately disclose these sales and by denying subscribers the opportunity to opt out of the information-sharing arrangement.
The financial incentive for these sales was significant. General Motors reportedly earned approximately $20 million nationwide from the sale of this subscriber data, far exceeding the civil penalties now being paid in the California settlement.
Legal Consequences and Settlement Mandates
Under the terms of the settlement, which remains subject to court approval, General Motors must pay civil penalties totaling $12.75 million. Beyond the monetary fine, the agreement imposes strict operational mandates to protect California OnStar customers moving forward.

General Motors is now required to adhere to the following conditions:
- Cease Data Sales: The company must stop selling driving data to any consumer reporting agencies, including brokers like LexisNexis and Verisk, for a period of five years.
- Data Deletion: GM must delete any retained driving data within 180 days, except for limited internal uses or in cases where consumers have provided affirmative, express consent.
- Third-Party Remediation: The automaker must formally request that LexisNexis and Verisk delete the driving data previously acquired from GM.
- Privacy Program Overhaul: The company is mandated to develop and maintain a robust privacy program designed to assess, mitigate, and document the risks associated with OnStar data collection. This program must ensure full compliance with the California Consumer Privacy Act (CCPA).
- Regulatory Reporting: GM must report its privacy assessments to the California Department of Justice, the California Privacy Protection Agency, and the district attorneys’ offices of Los Angeles, Napa, San Francisco, and Sonoma counties.
Los Angeles County District Attorney Nathan J. Hochman emphasized the importance of the settlement in a statement, noting, “This settlement makes clear that car companies cannot secretly speed off with your personal data for profit. Consumers have a fundamental privacy right to control their personal information, and this right does not stop at a car door.”
Why This Matters: The Rise of Automotive Telematics
This settlement underscores the risks inherent in “telematics”—the convergence of telecommunications and informatics in vehicles. While features like automatic crash notification and remote diagnostics provide safety and convenience, they also create a digital footprint of a person’s movements and habits.
Data brokers like LexisNexis and Verisk often aggregate this information to create risk profiles. For consumers, this can have real-world financial implications, as “hard braking” or “rapid acceleration” data is frequently used by insurance companies to determine premiums or eligibility. When this data is sold without consent or under false pretenses, consumers lose the ability to manage their own financial and privacy risks.
Hochman further cautioned consumers to be vigilant about the terms of service they sign, stating, “Your data isn’t free, and no one has the right to sell it without your consent. I encourage California consumers to read the fine print and exercise your right to stop companies from collecting, sharing or selling your data.”
Key Takeaways from the GM Settlement
- Financial Penalty: $12.75 million in civil penalties for violating California privacy and consumer protection laws.
- Data Types: GPS locations, braking habits, and personal identifiers were among the data sold.
- Third-Party Involvement: Data was sold to LexisNexis Risk Solutions and Verisk Analytics, Inc.
- Compliance: GM must now align its OnStar data practices with the California Consumer Privacy Act (CCPA).
- Consumer Recourse: The settlement mandates the deletion of previously collected data unless express consent is provided.
The next critical checkpoint for this case is the formal court approval of the settlement terms. Once approved, the 180-day window for data deletion and the five-year ban on selling driving data to consumer reporting agencies will take effect.