General Motors reaches $12.75m settlement over California driving data privacy breach

General Motors has agreed to pay $12.75 million in civil penalties to settle a lawsuit filed by California Attorney General Rob Bonta regarding the nonconsensual sale of customers' driving data to data brokers. The settlement resolves allegations that the company violated consumer privacy by selling names, contact information, geolocation data, and driving behaviour collected through its OnStar program.

The agreement specifically addresses the sale of this information to Verisk Analytics and LexisNexis Risk Solutions, entities that could theoretically market the data to auto insurers. While California law generally prohibits insurers from using this specific type of driving data to increase rates, the complaint asserts that the nonconsensual sale itself constituted a breach of privacy rights.

As part of the deal, General Motors is prohibited from selling driving data to consumer reporting agencies for a period of five years. Furthermore, the company must delete any retained driving data within 180 days unless it has obtained express consent from the customer. This requirement applies to data held for limited internal uses, ensuring that past collection practices do not continue to impact consumer privacy without explicit approval.

The settlement also mandates that General Motors develop a new privacy programme to assess the risks associated with collecting data via OnStar. The company will be required to report the findings of this assessment to the Department of Justice and other relevant agencies. California Attorney General Rob Bonta stated that the agreement underscores the importance of data minimisation under California privacy law, noting that companies cannot retain data for later use without consent.

This development follows a separate agreement General Motors reached earlier this year with the Federal Trade Commission regarding the sale of drivers' data. The current California lawsuit stems from a 2024 New York Times report which initially revealed the company's data practices. While the data collected included geolocation and behaviour, California regulations generally shielded customers from the primary financial risk of increased insurance premiums that such data might otherwise enable.

The full text of the settlement does not specify the exact dates during which the data was collected or sold prior to the filing of the lawsuit. Additionally, it remains unclear if the $12.75 million penalty includes any restitution paid directly to affected consumers or if it is solely a civil penalty to the State of California.