General Motors Hit with $12.75M Fine for Illegally Selling Driver Data
**General Motors (GM)** faces a hefty $12.75 million settlement in California for allegedly violating the California Consumer Privacy Act (**CCPA**). The automaker is accused of collecting and selling Californians' driving data to data brokers without proper consent.

California Attorney General **Rob Bonta** announced a $12.75 million settlement agreement with **General Motors (GM)** over allegations that the company violated the **California Consumer Privacy Act (CCPA)**.
### Data Collection and Sale
The violations stem from accusations that the car manufacturer illegally collected and sold driving and location data of California residents to data brokers **Verisk Analytics** and **LexisNexis Risk Solutions** between 2020 and 2024.
The investigation was initiated in 2024, prompted by media reports highlighting the practice of automakers, including **GM**, sharing driver behavior data with insurance companies.
The data was reportedly gathered through **GM's** **OnStar** subsidiary and its "Smart Driver" system, purportedly for driver-scoring products related to insurance.
### Previous FTC Scrutiny
**GM**, which owns brands like GMC, Cadillac, Chevrolet, and Buick, had previously faced criticism from the **U.S. Federal Trade Commission (FTC)** for similar data collection practices. The **FTC** even banned **GM** from selling drivers' location data for five years.
California authorities stated that **GM** failed to adequately notify consumers or obtain their consent for this data collection. Furthermore, the company allegedly retained the data longer than necessary, repurposing it for sale and generating $20 million nationwide.
### Official Statements
"**General Motors** sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so," stated Attorney General **Rob Bonta**.
"This trove of information included precise and personal location data that could identify the everyday habits and movements of Californians."
### Record Fine and Data Minimization
The $12.75 million in civil penalties marks a record in California's history and represents the first enforcement action focused on data minimization rules.
### Settlement Terms
In addition to the fine, **GM** is required to:
* Stop selling driving data to consumer reporting agencies and brokers for five years.
* Delete retained driving data within 180 days unless consumers explicitly consent to retention.
* Request that **LexisNexis** and **Verisk** delete the data they previously received.
* Implement a more robust privacy compliance program and submit regular assessments to regulators.
Officials clarified that California drivers were unlikely to have experienced higher insurance premiums due to **GM's** data sales, thanks to state laws prohibiting insurers from using driving data to set rates.
BleepingComputer reached out to **GM** for comment but had not received a response at the time of publication.
### GM's Response
Update 5/12 - A **GM** spokesperson sent BleepingComputer the following comment:
"This agreement addresses Smart Driver, a product we discontinued in 2024, and reinforces steps we've taken to strengthen our privacy practices. Vehicle connectivity is central to a modern and safe driving experience, which is why we're committed to being clear and transparent with our customers about our practices and the choices and control they have over their information."
