GM Settles Over Driver Data Sales: $12.75 Million Fine for CCPA Violations

General Motors (GM) has agreed to a $12.75 million settlement with the state of California over allegations of illegal sale of driver behavior and location data. Announced by California Attorney General Rob Bonta, it represents the most substantial penalty to date under the California Consumer Privacy Act (CCPA). The settlement mandates that GM refrain from selling driver data to consumer reporting entities, including data brokers, for five years, while ensuring data deletion within 180 days unless retained for specific internal purposes.

Attorney General Bonta detailed the sensitive nature of the data, which could reveal personal driving habits and locations. Between 2020 and 2024, GM allegedly sold information like names, contact details, geolocation, and driving behavior of Californians without compliance with CCPA. This act requires businesses to disclose their privacy practices and grants consumers the option to opt out of data sharing. Allegations include GM generating approximately $20 million in revenue from these data sales.

A GM spokesperson clarified that the settlement pertains to the discontinued Smart Driver program, affirming enhancements in their privacy protocols. They emphasized the importance of vehicle connectivity in modern driving, along with GM's commitment to transparency regarding data usage and customer control.

Investigations and Consumer Impact

The investigation was triggered by media reports suggesting automakers shared driving data with insurers, potentially impacting premiums. However, California drivers were protected due to state regulations preventing the use of driving data in insurance rate calculations. Drivers in states without such protections may not have fared as well.

The lawsuit began after a driver discovered detailed driving data in their credit report, leading to probes by federal and state agencies. Under the settlement's terms, GM must instruct Verisk Analytics and LexisNexis Risk Solutions to purge the driving data they received. These data brokers did not respond to requests for comment.

Attorney General Bonta suggests that data brokers used the information to develop a driver rating system for sale to auto insurers, impacting underwriting decisions. The data was part of GM's OnStar service, which boasts a 12 million strong global membership.

Moreover, a related Federal Trade Commission (FTC) order restricts GM and OnStar from distributing certain consumer data. The California Privacy Protection Agency (CPPA)'s investigations into connected car data collection practices have also led to settlements with other car companies, including Honda and Ford, over similar regulatory compliance breaches.