Overview
General Motors (GM) has agreed to pay over $12 million to settle allegations that it violated the California Consumer Privacy Act (CCPA) by collecting and sharing detailed driver behavior data with third-party insurers and data brokers without adequate consumer disclosure or meaningful consent.
The settlement, announced by California privacy officials, represents the largest fine ever issued under the CCPA in its more than five-year history — a milestone that signals California's intent to aggressively enforce the landmark privacy law against major corporations.
What Happened
GM operated a connected vehicle data program that collected granular telematics data from enrolled vehicles through its OnStar connected services system. This data included:
- Driving behavior scores: Hard braking events, rapid acceleration patterns, cornering behavior
- Location history: Detailed trip routes, frequently visited locations, home and work addresses inferred from parking patterns
- Vehicle usage patterns: Start/stop times, idle time, miles driven per day, time-of-day driving patterns
- Speed data: Average speeds, instances of exceeding speed limits
Without clearly disclosing this practice to consumers at enrollment or in their standard privacy notices, GM sold or shared this data with insurance companies and data aggregators, who used it to assess driver risk profiles and adjust insurance premiums accordingly.
Consumers reported discovering that their driving data had been shared after receiving unexpected insurance premium increases or outright coverage denials — in many cases, without any notification from GM or their insurer that telematics data had influenced the decision.
The CCPA Violations
California's Office of the Attorney General and the California Privacy Protection Agency (CPPA) found multiple CCPA violations:
Inadequate Disclosure
GM's privacy notices failed to adequately disclose the specific categories of sensitive personal information being collected and the identity of third parties receiving that information. The CCPA requires businesses to provide specific notice at the point of data collection, not buried in lengthy terms of service.
Lack of Meaningful Opt-Out
Consumers were not provided with a clear and accessible mechanism to opt out of the sale or sharing of their personal information. The CCPA's "Do Not Sell or Share My Personal Information" right requires businesses to honor opt-out requests — GM's process was found to be inadequate and difficult to locate.
Sensitive Data Handling Failures
Precise geolocation data and data used to make inferences about consumer behavior are classified as sensitive personal information under California law, requiring heightened protections, explicit opt-in consent, and limitations on use. GM's sharing of this data with insurers for underwriting purposes did not meet these requirements.
Scale of the Data Sharing
The scope of GM's data sharing program was significant:
- Driving data from millions of California OnStar subscribers was involved
- The data was shared with at least insurance comparison platforms and data brokers, which in turn distributed it to multiple underwriters
- Some consumers' data was shared for years before the program came to light through investigative reporting in early 2024
Settlement Terms
Under the settlement agreement:
- GM will pay a $12.3 million civil penalty — the largest ever under the CCPA
- GM must delete driving behavior data that was collected and shared without proper consent under the program
- GM is required to implement enhanced privacy disclosures for all connected vehicle programs, clearly identifying data collected, how it is used, and with whom it is shared
- GM must provide an accessible and functional opt-out mechanism for data sharing for all California residents with connected vehicles
- GM will be subject to independent privacy audits for a period following the settlement to verify compliance
GM did not admit wrongdoing as part of the settlement.
Industry-Wide Implications
This settlement has significant implications beyond GM:
Connected Vehicle Data as a Privacy Frontier
Modern vehicles are sophisticated data collection platforms. Beyond telematics, newer vehicles collect data on:
- In-cabin biometrics: Driver attention monitoring, eye tracking, facial expression detection
- Passenger behavior: Seatbelt status, child seat detection, in-cabin activity
- Voice recordings: Fragments of conversations captured by always-on voice assistants
- App and device data: Information from paired smartphones synced to infotainment systems
The CCPA and similar state privacy laws are increasingly being tested against connected vehicle data programs, and this settlement establishes a high-profile enforcement precedent.
CCPA's Evolving Enforcement Posture
The CCPA, passed in 2018 and significantly strengthened by Proposition 24 (CPRA) in 2020, has historically been seen as underpowered relative to European GDPR enforcement. The $12.3 million fine signals a shift:
- The CPPA is scaling up enforcement with dedicated investigative capacity
- High-profile, high-revenue targets like automotive OEMs are being prioritized to maximize deterrence
- Sensitive data categories (geolocation, health, financial profiling) are receiving focused enforcement attention
Insurance Telematics Under Scrutiny
The insurance industry's use of telematics data for underwriting — whether from dedicated dongle devices, mobile apps, or OEM partnerships — is increasingly under regulatory scrutiny:
- Several states are examining whether telematics-based underwriting disparately impacts certain communities or constitutes unfair discrimination
- The FTC has separately indicated interest in data broker practices involving consumer financial and behavioral data
- The National Association of Insurance Commissioners (NAIC) is developing guidance on telematics data governance
What Consumers Can Do
California residents with connected vehicles — regardless of manufacturer — should:
- Review your connected vehicle app (OnStar, FordPass, MyBMW, Tesla, etc.) for data sharing settings and opt-out options
- Check your vehicle's privacy policy specifically for telematics and driving behavior data
- Submit a data deletion request if you wish to have previously collected driving data removed
- Monitor your insurance premiums for unexpected changes and ask your insurer directly whether telematics data influenced your rate
- File a CPPA complaint at cppa.ca.gov if you believe your privacy rights have been violated by a connected vehicle program