GM Pays Record $12.75M Fine for Secretly Selling OnStar Driver Data to Brokers

14.05.2026
General Motors has agreed to pay $12.75 million to settle California privacy claims after the automaker secretly sold the location and driving behavior data of hundreds of thousands of OnStar subscribers to data brokers - while publicly denying it. The settlement, announced May 8, 2026, marks the largest CCPA fine in California history and sends a stark warning to any company treating personal data as a hidden revenue stream.

How GM Sold Your Driving Data Without Telling You

From 2020 to 2024, General Motors and its OnStar subsidiary collected precise geolocation, speed, braking, acceleration, and other behavioral data from enrolled subscribers - then sold it to two data brokers: Verisk Analytics and LexisNexis Risk Solutions. The data was used by the brokers to build driver risk profiles sold to insurance companies.

GM reportedly earned approximately $20 million nationwide from these data sales. Subscribers were never clearly informed that their driving data was being packaged and sold. In some cases, users who attempted to opt out found the process confusing or ineffective. California Attorney General Rob Bonta, joined by district attorneys from San Francisco, Los Angeles, Napa, and Sonoma Counties, filed the action under the CCPA, the Unfair Competition Law, and the False Advertising Law.

Record Settlement: Nearly Five Times the Previous CCPA Fine

At $12.75 million, the penalty is by far the largest CCPA enforcement action in the law's history - nearly five times the prior record set by a Disney settlement earlier this year. The settlement covers alleged violations spanning data collected between 2016 and 2024.

  • Data sold: Names, contact details, precise geolocation, and driving behavior data of hundreds of thousands of Californians.
  • Buyers: Verisk Analytics and LexisNexis Risk Solutions - both major suppliers to the insurance industry.
  • GM revenue from sales: Approximately $20 million nationwide (2020-2024).
  • Penalty: $12.75 million - largest CCPA fine in history.

Beyond the fine, the settlement requires GM to stop selling driving data to any consumer reporting agencies for five years, delete specific driving data collected within the last 180 days, and request that Verisk and LexisNexis delete the consumer data they received from GM.

Your Car Is a Surveillance Device - Whether You Know It or Not

The GM case is a landmark example of a broader and rapidly accelerating trend: connected vehicles have become rolling data collection platforms. Modern cars with telematics systems like OnStar track far more than navigation - they monitor braking habits, acceleration patterns, seatbelt use, trip frequency, and precise GPS coordinates. That data has become a lucrative product, sold to insurers, advertisers, and government agencies without drivers' meaningful consent.

Insurance companies have long sought granular driving behavior data to adjust premiums. What the GM settlement confirms is that this data pipeline was operating in the shadows - subscribers enrolled in convenience features like roadside assistance had no idea their driving habits were being monetized and shared.

Important: If you are or were an OnStar subscriber in California between 2020 and 2024, your driving data may have been sold to Verisk or LexisNexis. Under the settlement terms, GM is required to request deletion of that data from both brokers - but you can also file your own deletion request directly with LexisNexis and Verisk using their consumer opt-out portals.

The case also highlights how standard privacy tools fall short for vehicle data. A VPN protects your internet traffic but cannot prevent your car's telematics system from reporting location and behavior data directly to the manufacturer's servers. Protecting vehicle privacy requires pushing back at the legislative and contractual level - demanding clear opt-out mechanisms and strong data minimization rules from automakers.

What the GM Fine Signals for CCPA Enforcement

California's privacy regulators have been criticized for years for underenforcing the CCPA. A $12.75 million penalty - five times the previous record - signals a meaningful escalation. Legal analysts note that the settlement's data minimization provisions may be its most impactful element: forcing GM to stop selling this data entirely for five years creates a precedent that raw driving data is not a freely tradeable commodity.

The case was coordinated between the California AG and four district attorneys, suggesting California is building a multi-agency enforcement infrastructure designed to take on large corporate defendants. Similar automaker data practices at Toyota, Ford, Hyundai, and others remain under scrutiny by privacy researchers and regulators in the US and EU.

Conclusion: GM's $12.75 million CCPA settlement is a watershed moment for vehicle data privacy. It confirms that connected car data has been quietly sold to insurers and brokers for years without clear consumer consent - and that California regulators are finally willing to impose meaningful financial consequences. For drivers, the lesson is blunt: treat your car's telematics features as surveillance, understand what you are consenting to when enrolling in convenience services, and advocate for stronger data minimization standards from automakers and legislators alike.