General Motors to Pay $12.75 Million Over Selling Driver Data Without Permission

General Motors is paying $12.75 million to settle claims that it sold driving and location information about hundreds of thousands of Californians to third-party companies without their knowledge or permission.

California's Attorney General Rob Bonta announced the settlement, along with district attorneys from four counties. The case centers on GM's OnStar service, a system built into vehicles that tracks location and driving patterns. California Attorney General's Office California's Privacy Protection Agency also supported the enforcement action.

What GM Did Wrong

OnStar collects detailed information about how and where people drive—things like acceleration patterns, braking habits, and exact locations. Prosecutors found that GM sold this data to two companies: LexisNexis Risk Solutions and Verisk Analytics.

These companies use driving data to calculate insurance risk. That information can directly affect how much you pay for car insurance or whether you qualify for coverage at all.

The main problem: GM did not clearly tell OnStar customers that their driving data would be sold, and the company did not give them a real way to opt out. California law requires companies to be transparent about this kind of data sharing and to let people say no. Los Angeles County District Attorney's Office

What Changes Now

GM is now banned from selling customer driving data to data brokers. The settlement also requires the company to follow new rules about how it handles this information, though the details were not made public.

The settlement needs court approval before it becomes final.

Why This Matters

Modern cars collect enormous amounts of information. Every time you drive, sensors and GPS systems record data about speed, location, and how you operate the vehicle. For years, car companies saw this as a potential source of money—they could package it and sell it to insurance companies and other businesses.

This is not the first time we have seen a technology industry struggle with how to handle personal data responsibly. When smartphones first became popular, app developers wanted access to location information too. After regulators stepped in, the mobile industry eventually built clearer rules around who could access that data and when. It looks like the car industry is now following a similar path.

California's consumer privacy law gives regulators specific power to challenge these kinds of secret data deals. The law says companies must tell you what information they are collecting and selling, and you have the right to say no.

The bigger picture here is that car companies are learning they cannot quietly monetize personal driving data the way they once thought they could. When regulators find opaque data-sharing arrangements, they are increasingly willing to challenge them—and enforce penalties.

What Comes Next

This settlement sends a clear message to GM and other automakers: telematics data (the information your car collects about how you drive) needs to be handled with transparency and real consumer choice. Other car manufacturers with similar practices may need to review how they disclose data sales and whether they are giving customers genuine opt-out options.

The $12.75 million is significant, but what may matter more to GM is the operational change. The ban on selling to data brokers affects a revenue stream the company built around its connected services business. That is a real cost beyond the settlement itself.

For companies like LexisNexis and Verisk, this case highlights a new compliance risk: they now face scrutiny over where their data comes from. Businesses are paying closer attention to whether the source of that data was obtained transparently and with proper consent.

California's enforcement structure—with multiple agencies and county prosecutors working together—shows how privacy oversight is becoming more coordinated. This kind of teamwork may become more common as regulators everywhere get better at enforcing privacy protections.