Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
from Harry JohnsonCalMatters
This story was originally published by CalMatters. Sign up for their newsletters.
General Motors has agreed to pay $12.75 million in civil penalties for selling the driving data of hundreds of thousands of California drivers to data brokers, allegedly without their consent.
The settlement announced Friday is the largest yet for violations of the California Consumer Privacy Act, a 2018 law that requires companies to tell consumers how their data is being shared and honor requests to stop the sharing.
It stems from an investigation by California Attorney General Rob Bonta, several district attorneys and the California Privacy Agency, which enforces the privacy law. They said General Motors misled drivers who paid for the OnStar emergency roadside and navigation service and made an estimated $20 million from the illegal sale of their data between 2020 and 2024. The information included names, location information, driving behavior and contact information, said Bonta, who went to data brokers LexisNexis Risk Solutions and Verisk Analytics.
“This collection of information included accurate and personal location data that could identify the daily habits and movements of Californians,” Bonta said in a press release.
The settlement also requires GM to stop selling data to consumer reporting agencies for five years and submit privacy assessments to the state. among other provisions. Followed by a a similar agreement between the Federal Trade Commission and GM earlier this year and the California settlements with Honda and Ford in the past 14 months for its own breaches of privacy law.
The California investigation into GM began after A 2024 New York Times investigation found that GM was collecting data on millions of drivers nationwide and selling it to insurance companies to charge drivers higher premiums. Californians were not affected by these premium increases because state law prohibits insurers from using driving data to determine insurance rates, Bonta said.
Bonta told CalMatters at a news conference Friday that it was unclear whether location data collected by General Motors was being used by other companies to make predictions about the prices people were willing to pay for goods. This practice is better known as monitoring pricing and may use location data. Target paid $5 million to settle a lawsuit by the San Diego County District Attorney regarding the alleged use of a location for the technique. Bonta’s office launched an investigation into the business’ surveillance pricing practices in January.
“I understand there may be some overlap and maybe we’ll find something in our investigation into surveillance pricing, but that wasn’t the focus of this case,” he said.
Los Angeles County District Attorney Nathan Hochman said the case began when a man found location data in a report they requested about data collected on him. That discovery, he added, led to investigations by journalists, prosecutors and regulators
“This case shows more than anything that one user can make a huge difference,” he said.
Although the settlement is not much compared to $2.7 billion in net income which General Motors did last yearHochmann called it an indication that companies should expect higher penalties in the future. California reached a $2.75 million privacy settlement with Disney in February, previously the largest of its kind.
In a statement shared with CalMatters, General Motors spokeswoman Charlotte McCoy said, “This agreement applies to Smart Driver, a product we discontinued in 2024, and reinforces the steps we’ve taken to strengthen our privacy practices. Connected vehicles are central to modern and safe driving, which is why we’re committed to being clear and transparent with our customers about our practices and the choices and control they have over their information.”
Californians will soon have new protections against companies that use their data without their consent. As of Aug. 1, more than 500 data brokers registered in the state must fulfill requests that California residents can make with an online tool known as the Delete Request and Opt-out Platform, or DROP. The Privacy Agency introduced the tool earlier this year.
This article was originally published on CalMatters and is republished under Creative Commons Attribution-NonCommercial-No Derivatives license.