Critical Shifts:
- Massive Data Privacy Violations: General Motors (GM) illegally sold the precise location and driving data of hundreds of thousands of California drivers to data brokers (LexisNexis and Verisk) without their knowledge or consent, violating the California Consumer Privacy Act (CCPA).
- Real-World Consequences: The leaked driving behavior data was shared with insurance companies, which used the information to increase insurance premiums for some consumers.
- $12.75 Million Penalty: The settlement forces GM to pay $12.75 million in civil penalties, subject to court approval.
- Five-Year Data Sale Ban: GM is banned from selling consumer driving data to any data brokers or consumer reporting agencies for five years.
- Data Deletion Mandate: GM must delete all retained driving data within 180 days (unless given explicit consumer consent) and must formally request that LexisNexis and Verisk delete the data they already received.
- Strict Future Oversight: GM is required to build a robust privacy compliance program for its OnStar system, conduct risk assessments, and submit regular privacy reports to the California DOJ and the California Privacy Protection Agency (CalPrivacy).
______________________________________
California Attorney General Rob Bonta, together with area district attorneys, and with support from the California Privacy Protection Agency (CalPrivacy), announced a settlement with General Motors (GM) regarding its illegal sale of hundreds of thousands of Californians’ location and driving data to two data brokers in violation of the California Consumer Privacy Act (CCPA) and California’s Unfair Competition Law. The settlement, which is subject to court approval, includes $12.75 million in civil penalties and strong injunctive terms, including restrictions on its use of consumer driving data and a ban on such data being sold to data brokers.
“General Motors sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so. This trove of information included precise and personal location data that could identify the everyday habits and movements of Californians,” said Bonta. “Today’s settlement requires General Motors to abandon these illegal practices and underscores the importance of the data minimization in California’s privacy law — companies can’t just hold on to data and use it later for another purpose. I am proud to go to bat for the privacy rights of Californians and to collaborate with state and local partners who share the same commitment to consumer protection.”
In 2023, CalPrivacy announced investigations into the privacy practices of connected vehicles and began engaging with GM and other car manufacturers. In 2024, while those investigations were underway, the New York Times reported that automakers, including GM, were sharing consumers’ driving behavior with insurance companies. The reporting noted that some insurers had raised consumers’ rates based on this data. Shortly after, the California Department of Justice (DOJ) partnered with the District Attorneys of Los Angeles, Napa, San Francisco, and Sonoma, with support from CalPrivacy’s Enforcement Division, to investigate reports like these and to determine whether any data was used to increase Californians’ insurance rates.
Today’s settlement, subject to court approval, requires GM to:
- Pay $12.75 million in civil penalties.
- Stop selling driving data to any consumer reporting agencies for five years, including to data brokers like Lexis and Verisk.
- Delete any driving data retained by the company within 180 days, except for certain limited internal uses, unless consumers give affirmative, express consent.
- Request that Lexis and Verisk delete driving data.
- Develop and maintain a robust privacy program that is required to assess, mitigate, and document the risks of collecting data through OnStar and ensure that GM complies with the CCPA.
- Report its privacy assessments to DOJ, the aforementioned DAs, and CalPrivacy.
