## **General Motors** to Pay Millions for Privacy Violations **General Motors** will pay $12.75 million to settle charges with California over the unauthorized collection and sale of consumer driving data. California officials announced the settlement Friday, marking the largest penalty issued under the **CCPA** in its five-year history. The state alleges that **GM** collected and stored driving information without consent, then sold it to data brokers. Under the settlement terms, **GM** must halt the sale of driving data to consumer reporting agencies and data brokers for five years. The company must also delete driving data after 180 days unless it has explicit consumer consent. Furthermore, **GM** is required to request that **Verisk** and **LexisNexis Risk Solutions**, two data brokers, delete the data previously sold to them. ## **OnStar** Data at the Center of the Controversy The settlement mandates that **GM** establish a privacy program to identify, address, and document risks related to data collection from its **OnStar** service. These assessments must be reported to California prosecutors and the California Privacy Protection Agency (**CPPA**), according to a **CPPA** press release. California Attorney General **Rob Bonta** stated, "**General Motors** sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so. This trove of information included precise and personal location data that could identify the everyday habits and movements of Californians." A **GM** spokesperson stated that the company stopped offering the product addressed in the settlement in 2024 and has since strengthened its privacy practices. "Vehicle connectivity is central to a modern and safe driving experience, which is why we’re committed to being clear and transparent with our customers about our practices and the choices and control they have over their information," the spokesperson said. ## Investigation Details California's investigation into **GM** began in 2023. The probe revealed that from 2020 to 2024, **GM** sold geolocation data, driving behavior, names, and contact information of hundreds of thousands of consumers to **Verisk** and **LexisNexis**, generating approximately $20 million nationwide. The data was collected through **GM's OnStar** feature, marketed as an emergency assistant and navigation service. **Verisk** and **LexisNexis** intended to use the data to create driver risk profiles for insurance companies. While California law prohibits insurers from using driving data to set insurance prices, millions of consumers in other states faced increased premiums due to these data sales. Investigators found that **GM** misled customers by claiming their data would only be used to provide **OnStar** services and explicitly stated that it did not sell driving or location data for insurance purposes without express consent. Furthermore, **GM** retained Californians’ data longer than necessary for **OnStar** operations, violating California privacy law.