"General Motors sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so," Attorney General Rob Bonta said.
Rob Bonta and California's record civil penalty
California Attorney General Rob Bonta announced a $12.75 million settlement with General Motors (GM) resolving allegations that the automaker violated the California Consumer Privacy Act (CCPA). The announced civil penalty is, according to Californian authorities, a record in the state’s history and the first enforcement action centered specifically on data minimization rules.
Allegations tied to OnStar and the "Smart Driver" system
The state’s investigation concluded that between 2020 and 2024 GM, via its OnStar subsidiary and the “Smart Driver” system, collected precise driving and location data and sold it to consumer data brokers. The named buyers were Verisk Analytics and LexisNexis Risk Solutions. The data was allegedly intended for driver-scoring products related to insurance.
The settlement terms and required remedies
Under the settlement, GM has agreed to a set of specific remedies in addition to paying $12.75 million in civil penalties. The obligations spelled out by California officials include:
- Stopping the sale of driving data to consumer reporting agencies and brokers for five years.
- Deleting retained driving data within 180 days unless consumers explicitly consent to its retention.
- Asking LexisNexis and Verisk to delete the driving data they previously received.
- Implementing a stronger privacy compliance program and submitting regular assessments to regulators.
California officials also said GM had retained the data longer than necessary, re-purposed it for sale, and failed to properly notify consumers or obtain their consent.
Verisk, LexisNexis, and the $20 million figure
State officials reported that GM made roughly $20 million nationwide from selling drivers’ data. Part of the settlement’s remit is to require the two named data recipients—Verisk Analytics and LexisNexis Risk Solutions—to delete the data they received. The announcement places the brokers explicitly in the chain of custody the state challenged.
Insurers, California drivers, and regulatory overlap with the FTC
California authorities said drivers were unlikely to have faced higher insurance premiums as a result of GM’s data sales, pointing to state law that prohibits insurers from using driving data to set rates. The announcement also noted that the U.S. Federal Trade Commission (FTC) previously criticized GM for unlawful data collection and banned the company from selling drivers’ data for five years—an action referenced alongside the state settlement.
What this means for California drivers, regulators, and data brokers
- For California drivers: The settlement requires deletion of retained driving data unless consumers explicitly consent to its retention, and includes a five-year prohibition on GM selling driving data to consumer reporting agencies and brokers. The state says these measures are meant to protect precise location and behavior records that could identify everyday movements.
- For regulators: The case is described by California officials as the first enforcement action focused on data minimization rules in the state, and it reinforces overlapping federal and state scrutiny—illustrated by both the state settlement and the earlier FTC action referenced in the announcement.
- For data brokers (Verisk Analytics and LexisNexis Risk Solutions): The settlement explicitly requires GM to ask those firms to delete the previously received data, placing deletion obligations on both the data source and the intermediaries named in the probe.
BleepingComputer sought comment from GM about California’s announcement but had not received a response by publication time.
The settlement closes a state-level enforcement chapter tied to alleged data sales that occurred from 2020 through 2024, imposes a record civil penalty, and prescribes a mix of deletion, prohibition, and compliance measures—while leaving in plain view the practical question of how quickly and verifiably the brokers will remove the data they received.
Source: BleepingComputer — GM agrees to $12.75M California settlement over sale of drivers’ data




