General Motors will pay $12.75 million to settle a California consumer protection lawsuit that alleged the company illegally sold drivers’ behavior and location data, the state’s attorney general announced Friday.
The settlement requires GM to stop selling driver data to consumer reporting agencies, including data brokers, for five years and to delete any driving data within 180 days except for limited internal uses.
“We’re talking about data that not only shows how a person drove but also precisely where they drove, which could easily be used to paint a picture of their everyday habits and movements,” California Attorney General Rob Bonta said at a news conference announcing the largest Consumer Privacy Act penalty in the state’s history.
Bonta alleges that from 2020 to 2024, GM illegally sold the names, contact information, geolocation data and driving behavior of hundreds of thousands of Californians without their knowledge or consent, violating a provision in the California Consumer Privacy Act that voters approved in 2020 to limit the use and disclosure of sensitive personal information collected about them.
The act requires that businesses tell consumers about their privacy practices and allow consumers to opt out of their personal information being sold or shared. It also limits how sensitive personal information can be shared with third parties.
The California Department of Justice alleges General Motors made approximately $20 million from selling drivers’ data.
“This agreement addresses Smart Driver, a product we discontinued in 2024, and reinforces steps we’ve taken to strengthen our privacy practices,” a GM spokesperson told Spectrum News in a statement. “Vehicle connectivity is central to a modern and safe driving experience, which is why we’re committed to being clear and transparent with our customers about our practices and the choices and control they have over their information.”
California began investigating GM after 2024 news reports that automakers were sharing consumer driving behavior with insurance companies that were in turn using the information to raise their rates. Bonta noted that California drivers were not affected by higher insurance rates resulting from GM’s data sales because of a state law that prohibits insurers from using driving data to set rates.
“The same cannot be said for drivers in other states” that do not have similar protections, he said.
The California case stems from a single driver who pulled a credit report and found it included information about “when they drove their car, the distance that they drove the car and how long they were driving it for,” Los Angeles District Attorney Nathan Hochman said. “And they said to themselves, ‘Why is my credit report filled with this information?’”
That discovery led to a group chat, then a New York Times investigation, and federal, state and local prosecutions and investigations across LA, California and the country, Hochman said.
As part of a California settlement that is subject to court approval, GM is required to ask the data brokers Verisk Analytics and LexisNexis Risk Solutions to delete the driving data they received from GM.
Neither Verisk nor LexisNexis responded to requests for comment for this story.
Bonta alleges the two data brokers bought the information to develop a driver rating system to sell to auto insurance companies to help them set rates using data from drivers who subscribed to GM’s connected car service, OnStar.
OnStar is a service that lets drivers contact emergency roadside help, receive assistance with a stolen vehicle and other services for a monthly fee. GM says on its website that it provides connected services to 12 million members globally.
In January, the Federal Trade Commission finalized an order with GM and OnStar that settled allegations they collected, used and sold drivers’ geolocation and behavior data from millions of vehicles without properly notifying consumers or obtaining consent. The order prohibited GM from sharing certain consumer data with consumer reporting agencies.
In 2023, the California Privacy Protection Agency’s enforcement division began to examine how so-called connected cars with internet access and other communications systems collect, retain and share drivers’ location and behavior data. The agency settled similar data privacy violation cases with Honda last year and Ford in 2026.
In March 2025, Honda agreed to pay a $632,500 fine to California for violating the state’s Consumer Privacy Act. As part of the CPPA’s first enforcement action settlement, the car company agreed to limit excessive data collection and to simplify its opt-out practices.
In March 2026, Ford agreed to pay the CPPA $375,703 for privacy act violations that required users to verify their emails when opting out of data sharing.
Clinton Mora is a reporter for Trending Insurance News. He has previously worked for the Forbes. As a contributor to Trending Insurance News, Clinton covers emerging a wide range of property and casualty insurance related stories.