GM Sold Driving Locations, Parking and Driving Behavior Data, and Now Has to Pay $12.75 Million

A $12.75 million California settlement — the largest in the state’s history under its consumer privacy law — marks the latest reckoning for an industry that turned driver data into a commodity without telling drivers.

For years, millions of Americans climbed into their General Motors vehicles, accepted the turn-by-turn navigation and roadside emergency features of OnStar, and drove on — never knowing that their precise GPS coordinates, braking habits, and acceleration patterns were being packaged and sold to data brokers who then sold driving “scores” to their insurance companies.

That arrangement, which GM reportedly used to generate roughly $20 million in revenue over four years, came to a costly end last week.

On May 8, California Attorney General Rob Bonta announced a $12.75 million settlement with General Motors and OnStar, resolving allegations that the automaker had illegally sold the location and driving data of hundreds of thousands of California residents to two data brokers — LexisNexis Risk Solutions and Verisk Analytics — without adequate notice or consent. The settlement, which is subject to court approval, is the largest penalty ever assessed under the California Consumer Privacy Act, a 2018 law requiring companies to disclose how they share data and to honor consumer requests to stop.

“General Motors sold the data of California drivers without their knowledge or consent,” Bonta said at a news conference, “and despite numerous statements reassuring drivers that it would not do so.”

It is a remarkable line. GM’s own privacy policy had stated that it did not sell driving or location data, and that any disclosure for insurance purposes would occur only at a customer’s direction. Investigators found that neither promise was kept.

A Scandal Years in the Making

The backstory of how GM’s data practices came to light is almost as striking as the practices themselves.

GM began collecting driving behavior data through OnStar — speed, hard braking, acceleration, location — starting around 2015. For years, the program operated largely in the shadows. Then, in April 2024, The New York Times published an exposé that changed the conversation. The article described how a Chevrolet Bolt driver’s telematics data had been used, without their knowledge, to raise their insurance premiums. It was a concrete illustration of a system that had been operating invisibly, with real financial consequences for real people.

The response was swift. GM discontinued its Smart Driver data-sharing program shortly after the Times article ran. But discontinuing the program did not make the legal exposure disappear. The Federal Trade Commission, state attorneys general, and privacy regulators had already begun moving.

In January 2026, the FTC finalized an order against GM and OnStar, settling allegations that the companies had collected, used, and sold driver geolocation and behavior data from millions of vehicles without properly notifying consumers or obtaining consent. The FTC described the conduct as an “egregious betrayal of consumers’ trust” and imposed a five-year ban on sharing that data with consumer reporting agencies.

The California settlement announced last week is an extension of that reckoning, and it goes further in at least one respect: it is the first California enforcement action brought under the CCPA’s data minimization requirements, provisions added to the law in 2023 that restrict how long businesses may retain data and for what purposes they may use it. Investigators found that GM had held onto driving and location data well beyond its operational use for OnStar before selling it to the brokers — a practice California law explicitly prohibits.

What the Data Actually Revealed

To understand why regulators reacted so forcefully, it helps to understand what the data brokers were actually buying.

The information GM sold included names, contact details, GPS coordinates of where subscribers drove and parked, and granular records of driving behavior. LexisNexis and Verisk used that information to build what the industry calls “driving scores” — algorithmic risk profiles that insurance companies then purchased to set premiums or determine coverage. Drivers who were unaware their data had been shared found themselves facing higher insurance rates, or in some cases coverage denials, with no explanation they could trace back to the source.

According to a Consumer Rights Wiki summary of the controversy, GM shared driving data from more than 14 million vehicles — including 1.8 million in Texas alone — with the data brokers during the period in question. That figure illuminates the scale of a business that, from GM’s perspective, was a modest revenue line. For the drivers whose insurance bills went up, it was something else.

A separate and equally troubling detail emerged in reporting on the controversy: GM reportedly responded to law enforcement requests for customer location data via simple subpoenas rather than requiring warrants — a practice that the company’s public privacy commitments did not appear to authorize.

GM issued a statement addressing the settlement: “This agreement addresses Smart Driver, a product we discontinued in 2024, and reinforces steps we’ve taken to strengthen our privacy practices. Vehicle connectivity is central to a modern and safe driving experience, which is why we’re committed to being clear and transparent with our customers about our practices and the choices and control they have over their information.”

The Settlement’s Terms — and What Comes Next

The California settlement, beyond the $12.75 million civil penalty, imposes significant operational restrictions. GM is prohibited for five years from transferring driving data to consumer reporting agencies, a category that includes both Verisk and LexisNexis. The company must delete any retained driving data within 180 days, except in certain limited circumstances. It must ask LexisNexis and Verisk to delete what they collected. And it must develop and maintain a formal privacy compliance program designed to assess and document the risks of collecting data through OnStar going forward.

The settlement is also notable for what it signals about the direction of enforcement. The California AG brought the action in coordination with the district attorneys of San Francisco, Los Angeles, Napa, and Sonoma Counties, and with support from the California Privacy Protection Agency — a degree of interagency coordination that suggests consumer data enforcement in the automotive sector is no longer a niche concern.

California is unlikely to be the last jurisdiction to reach a resolution. Texas Attorney General Ken Paxton filed suit against GM over the same data collection practices, and that case remains pending. The Texas complaint alleged that GM unlawfully collected drivers’ private data and shared it without consent — practices that Paxton’s office argued violated the Texas Data Privacy and Security Act.

An Industry at a Turning Point

The GM case is extreme in its specifics, but it reflects a broader dynamic that is rapidly becoming an industry-wide reckoning. By 2026, an estimated 91 percent of new cars have embedded telematics, according to reporting on connected vehicle trends. McKinsey projects that 95 percent of new vehicles sold globally will be connected by 2030. The global vehicle telematics market was valued at more than $93 billion in 2025 and is expected to approach $200 billion by 2034, according to Fortune Business Insights.

Data is, in other words, built into the future of the automobile. The question the GM settlement forces into the open is who that data belongs to, and what rights drivers have over how it is used.

Federal regulators have been making their position clear. The FTC has stated that companies do not have “free license to monetize people’s information beyond purposes needed to provide their requested product or service.” A Nelson Mullins analysis of automotive privacy trends warned that 2026 would mark a turning point, with vehicle-generated data increasingly treated as “a category of highly sensitive consumer information warranting strict regulatory oversight” rather than a byproduct of technological innovation.

A 2023 study by the Mozilla Foundation found that all 25 major car brands it reviewed failed basic privacy tests, with some openly acknowledging they could share data with law enforcement or marketing partners without additional consumer consent.

Automotive and mobility companies may collect data from more than 100 different points on a vehicle, including personal identifiers, driving history, biometric data such as voice or facial recognition, and precise geolocation — information that can, in aggregate, reveal visits to medical facilities, places of worship, and domestic violence shelters.

The Price of Getting Caught

The $12.75 million California settlement is, by any measure, a record. It is nearly five times the previous largest CCPA penalty, which was imposed on Disney earlier this year. But measured against the revenue GM generated from the data — an estimated $20 million nationally — and against the company’s overall scale, it represents a manageable cost of doing business rather than an existential threat.

That arithmetic, regulators and privacy advocates argue, is precisely the problem. Until the penalties for unauthorized data monetization consistently exceed the revenues it generates, the incentive structure for automakers, data brokers, and their insurance industry partners will remain difficult to change.

What the GM case may accomplish, at least in the near term, is a shift in consumer awareness. The combination of the Times exposé, the FTC order, and now the California settlement has created a paper trail comprehensive enough to make the mechanics of automotive surveillance difficult to ignore. Drivers who want to understand their exposure can request their LexisNexis CLUE report and their Verisk driving records — both available free under federal law. They can, in many states, opt out of telematics data collection.

Whether they will do so in large numbers remains to be seen. But the legal architecture for holding automakers accountable is, piece by piece, being built.

“When it comes to data privacy,” Bonta said at last week’s news conference, invoking the driving metaphor that is difficult to resist, “consumers must be in the driver’s seat.”

General Motors, for now, is paying the price for having disagreed.