California announces settlement with GM in vehicle data privacy violation

Investigation revealed that GM sold the names, contact information, geolocation data, and driving behavior data to two data brokers for $20 million

Oakland, Calif.—The California Attorney General's office announced a settlement last week with General Motors regarding its illegal sale of hundreds of thousands of Californians’ location and driving data to two data brokers. The sale was in violation of the California Consumer Privacy Act (CCPA) and California’s Unfair Competition Law.

The settlement, which is subject to court approval, includes $12.75 million in civil penalties and strong injunctive terms, including restrictions on GM's use of consumer driving data and a ban on such data being sold to data brokers.

In 2023, CalPrivacy announced investigations into the privacy practices of connected vehicles and began engaging with GM and other car manufacturers. In 2024, while those investigations were underway, the New York Times reported that automakers, including GM, were sharing consumers’ driving behavior with insurance companies.

The investigation revealed that from 2020 to 2024, GM sold the names, contact information, geolocation data, and driving behavior data of hundreds of thousands of Californians to two data brokers, Verisk Analytics, Inc. and LexisNexis Risk Solutions. Between Lexis and Verisk, GM reportedly made approximately $20 million nationwide from these data sales.

General Motors collected this data through consumers’ use of OnStar, which can provide directions or summon an ambulance in the case of a crash, among other functions. Both data brokers purchased this data intending to use it to develop a driver-rating product that could be marketed to auto insurers for use in setting rates.

The investigation determined that California drivers were not directly impacted by GM’s sales of data, likely because under California’s insurance laws, insurers are prohibited from using driving data to set insurance rates. As a result, California drivers had not been subject to increased premiums because of GM’s data sales, unlike drivers in other states. 

However, the investigation determined GM failed to give consumers any notice of the sales to Lexis and Verisk and misled consumers by implying that data would only be used to provide OnStar subscribers with requested services. In its privacy policy, GM stated that it did not sell any driving or location data and that if it did disclose any such data for insurance purposes, it would be at the consumer’s express direction.

Additionally, GM sold consumers’ data to Lexis and Verisk without customers’ knowledge or consent, despite an internal privacy compliance program that required GM to inform consumers how their personal information would be used and the third parties that may receive it. 

The settlement, subject to court approval, requires GM to:

  • Pay $12.75 million in civil penalties.

  • Stop selling driving data to any consumer reporting agencies for five years, including to data brokers like Lexis and Verisk.

  • Delete any driving data retained by the company within 180 days, except for certain limited internal uses, absent affirmative, express consent from consumers.

  • Request that Lexis and Verisk delete driving data.

  • Develop and maintain a robust privacy program that is required to assess, mitigate, and document the risks of collecting data through OnStar and ensure that GM complies with the CCPA.

  • Report its privacy assessments to DOJ, the aforementioned DAs, and CalPrivacy.
