Summary
General Motors (GM) has agreed to pay over $12 million to settle a California privacy enforcement action over the unauthorized collection and sharing of detailed driver behavior data through its OnStar connected vehicle service. Announced on May 8, 2026, the settlement is the largest fine ever issued under the California Consumer Privacy Act (CCPA) in its more than five-year history.
The California Privacy Protection Agency (CPPA) alleged that GM collected precise driving data — including hard braking events, acceleration patterns, GPS routes, and mileage — from millions of vehicles and sold this information to insurance companies and data brokers without adequately disclosing these practices or obtaining meaningful consumer consent.
What Data Was Shared
OnStar, GM's in-vehicle connectivity service, has broad telemetry capabilities. According to California investigators, the shared data included:
- Driving behavior scores — aggregated metrics from braking, acceleration, and cornering data
- Trip data — start/end locations, distances, and timestamps
- Vehicle diagnostics — information tied to individual driver profiles
- Risk scores — data shared directly with auto insurers including LexisNexis Risk Solutions and Verisk
Drivers who opted into OnStar's "Smart Driver" feature — marketed as a way to get personalized tips on driving efficiency — reportedly had this data shared with third parties without adequately understanding the insurance implications.
Regulatory Action
The CPPA opened its investigation following a 2023 New York Times report that revealed how connected car manufacturers were systematically sharing driver behavior data with insurers, leading to rate increases for drivers who were unaware their vehicles were reporting their habits.
California's action focused on violations of:
- CCPA Section 1798.100 — Right to know about data collection and use
- CCPA Section 1798.120 — Right to opt out of sale of personal information
- CCPA Section 1798.135 — Requirements for disclosures and opt-out mechanisms
The CPPA found that GM's disclosures were buried in lengthy terms of service agreements, opt-out mechanisms were difficult to locate, and consumers were not meaningfully informed that their driving data would be sold to insurers and potentially used to raise their premiums.
GM's Response
GM did not admit wrongdoing as part of the settlement but agreed to:
- Pay $12 million in civil penalties
- Discontinue the data-sharing practices subject to the complaint
- Implement enhanced privacy disclosures for OnStar and connected vehicle services
- Provide consumers with clear, accessible opt-out mechanisms for data sharing
- Submit to compliance monitoring for a defined period
GM discontinued its data-sharing program with LexisNexis and Verisk in mid-2023 following the initial media scrutiny.
Industry Implications
The settlement signals a significant escalation in CCPA enforcement and sets precedents for the connected vehicle and automotive data industry:
- In-vehicle telemetry is personal data — California regulators have now explicitly treated driving behavior as sensitive personal information subject to CCPA protections
- Buried consent is not valid consent — Terms-of-service disclosures are insufficient for data sales with significant consumer impact
- Data broker relationships are in scope — Sharing with LexisNexis and Verisk constitutes a "sale" under CCPA, triggering opt-out rights
- Other automakers face scrutiny — Toyota, Honda, Ford, and others with similar connected services are likely under review
What Consumers Should Do
California residents who used OnStar or similar connected vehicle features should:
- Review privacy settings on connected vehicle apps (OnStar, MyChevrolet, MyCadillac, etc.)
- Opt out of data sharing — most manufacturers now offer this in vehicle apps or account settings
- Check insurance history — request your LexisNexis consumer disclosure report to see if driving data appears
- File CPPA complaints if you believe your data was shared without proper consent
Context: CCPA Enforcement Ramps Up
This $12 million settlement dwarfs prior CCPA enforcement actions. The previous record was approximately $1.2 million against cosmetics retailer Sephora in 2022. The GM fine represents a tenfold increase and reflects the CPPA's stated intent to pursue large-scale enforcement actions against major corporations.
The California Privacy Rights Act (CPRA), which enhanced CCPA enforcement mechanisms effective January 2023, gave the CPPA independent enforcement authority and broader investigative powers — capabilities now clearly being exercised.