General Motors (GM) has agreed to pay $12.75 million to settle allegations brought by California Attorney General Rob Bonta that the automaker violated the California Consumer Privacy Act (CCPA) by collecting detailed driving behavior data from millions of connected vehicles and selling it to data brokers — without obtaining meaningful consumer consent.
The proposed settlement, announced on May 11, 2026, follows a high-profile investigation into GM's OnStar Smart Driver program and represents one of the largest CCPA enforcement actions to date.
What GM Did
GM enrolled millions of customers in its OnStar Smart Driver program, which used telematics sensors embedded in modern GM vehicles to collect detailed driving behavior data. The data collected included:
- Acceleration and braking patterns
- Speeding events and hard-stop incidents
- Trip frequency, distance, and timing
- Location data tied to specific driving behaviors
- Overall driving scores and safety ratings
This data was then shared with or sold to insurance data broker companies, including LexisNexis Risk Solutions and Verisk, which compiled it into consumer risk profiles. Those profiles were subsequently sold to auto insurance companies, who used the behavioral data to set — or in many cases, significantly increase — drivers' insurance premiums.
The California AG alleged that GM:
- Failed to obtain meaningful consent — Enrollment disclosures were buried in terms of service language that most consumers did not read or understand
- Did not give consumers adequate control — Opting out of data sharing was non-obvious and difficult to accomplish
- Did not disclose the insurance use case — Consumers were not clearly informed that their driving behavior data would be shared with insurers and could affect their rates
- Violated CCPA opt-out rights — The program did not comply with California consumers' right to opt out of the sale of their personal information
Why This Matters
The GM settlement is significant beyond its dollar amount for several reasons:
Connected Vehicle Data Is Personal Data
Modern vehicles generate vast quantities of behavioral data. Under the CCPA — and increasingly under other privacy frameworks — driving behavior data tied to an individual constitutes personal information subject to privacy protections. This case establishes a clear precedent that automakers cannot treat telematics data as proprietary business analytics exempt from consumer privacy law.
Data Brokers as an Extension of the Collector
The AG's action targets not just the initial collection but the entire downstream chain — GM's responsibility extends to how it contracts with and provides data to third-party brokers. Automakers cannot disclaim responsibility for downstream data use by citing arm's-length broker relationships.
Insurance Rate Impact on Real Consumers
The practical harm to consumers was concrete and financial. Drivers who had enrolled in OnStar Smart Driver reported receiving higher insurance premium quotes after their data was shared with insurers — without having been meaningfully informed that this would occur. The settlement requires GM to provide remedies to affected California consumers.
Settlement Terms
Under the proposed settlement, GM agrees to:
- Pay $12.75 million — to be distributed to affected California consumers and to fund enforcement activities
- Stop sharing data with LexisNexis Risk Solutions and Verisk for insurance underwriting purposes
- Implement enhanced consent mechanisms — Clear, prominent opt-in consent before enrolling consumers in telematics data programs
- Improve transparency — Plain-language disclosures about what data is collected, with whom it is shared, and how it may affect insurance rates
- Honor CCPA opt-out rights — Establish a straightforward, accessible opt-out process for data sale
The settlement is subject to court approval.
The Broader Connected Vehicle Privacy Picture
GM is not the only automaker that has collected and monetized telematics data. Investigative reporting — most notably by the New York Times in 2024 — revealed that multiple major automakers operated similar programs, often with similarly opaque consent mechanisms.
The FTC, state attorneys general, and the Consumer Financial Protection Bureau (CFPB) have all signaled increased attention to connected vehicle data practices. Key regulatory trends:
- The FTC has issued guidance warning that data broker use of sensitive consumer data (including location and behavior data) may constitute unfair or deceptive practices
- Several states beyond California are advancing vehicle data privacy legislation
- The EU's GDPR already treats telematics data as personal data requiring explicit consent for processing and third-party sharing
- The NHTSA is examining whether vehicle data practices intersect with vehicle safety regulation
What Consumers Should Know
For GM vehicle owners:
- If you have a connected GM vehicle, check whether you are enrolled in OnStar Smart Driver
- Log into your myGM or OnStar account to review your data sharing preferences
- Submit a CCPA opt-out request to GM requesting that your personal information not be sold to third parties
- If you received higher insurance quotes recently and have a connected GM vehicle, contact your insurer to ask whether driving behavior data was used in your rate calculation
For privacy-conscious consumers generally:
- Assume your connected vehicle collects detailed behavioral data
- Review your vehicle's telematics enrollment settings at purchase and periodically thereafter
- Ask your insurer whether it purchases data from telematics brokers and how that data affects your rates
Attorney General Bonta's Statement
Attorney General Rob Bonta characterized the settlement as a defense of fundamental consumer rights: "Californians have a right to know how their data is being used and to control whether it's shared. GM collected sensitive personal information from consumers' own vehicles and sold it without their meaningful consent. This settlement holds GM accountable and sends a clear message to the auto industry."
Bottom Line: The GM settlement signals that connected vehicle telematics data is firmly within the scope of consumer privacy law — and that the entire data supply chain, from automaker to broker to insurer, is subject to scrutiny. Automakers operating similar programs should treat this as a compliance wake-up call.