General Motors to pay $12.5 million to settle claims that it illegally sold California driver data
- General Motors has agreed to a $12.5 million settlement to resolve allegations that the company illegally sold the personal information of drivers in California.
- The legal action centered on the collection and monetization of driver data, specifically information gathered through the company's OnStar system.
- The California Consumer Privacy Act grants residents the right to know what personal information is being collected about them and the right to opt out of the sale...
General Motors has agreed to a $12.5 million settlement to resolve allegations that the company illegally sold the personal information of drivers in California. The settlement marks the largest penalty ever issued under the California Consumer Privacy Act (CCPA), signaling a significant escalation in the state’s enforcement of data privacy rights within the automotive industry.
The legal action centered on the collection and monetization of driver data, specifically information gathered through the company’s OnStar system. According to the terms of the settlement, General Motors failed to comply with state privacy laws regarding the sale of personal data, which includes location and behavioral information harvested from connected vehicles.
The California Consumer Privacy Act grants residents the right to know what personal information is being collected about them and the right to opt out of the sale of that information to third parties. The investigation into General Motors focused on whether the company ignored these requests or failed to provide the necessary transparency required for consumers to exercise their privacy rights.
The data at the center of the dispute involves highly sensitive “behavior datum,” which tracks how a driver operates a vehicle, as well as precise location data. This information allows for the creation of detailed profiles regarding a user’s daily routines, frequent destinations, and driving habits.
Under the CCPA, the definition of “personal information” is broad, encompassing any data that identifies, relates to, or could reasonably be linked with a particular consumer or household. The state’s regulators determined that the sale of this telematics data without proper disclosure or adherence to opt-out requests constituted a violation of the law.
The Role of Telematics and OnStar
The OnStar system, integrated into a vast number of General Motors vehicles, is designed to provide emergency services, navigation, and remote vehicle management. However, the system also functions as a sophisticated data collection tool, transmitting real-time telemetry to the company’s servers.

This telemetry includes the vehicle’s GPS coordinates, speed, braking patterns, and the duration of trips. When this data is aggregated and sold to third-party businesses, such as insurance companies or market research firms, it becomes a valuable commodity. The state’s case alleged that General Motors processed this information in a manner that bypassed the protections guaranteed to California drivers.
The settlement addresses claims that the company did not provide a clear and conspicuous method for users to opt out of the sale of their data, as mandated by the CCPA. For many users, the process of requesting that their personal information not be sold was either obscured or ignored, leading to the unauthorized transfer of driver data to business partners.
Legal and Regulatory Implications
The $12.5 million penalty is an unprecedented figure for a CCPA enforcement action. By securing this amount, state officials have established a higher benchmark for how privacy violations are valued, particularly when they involve the automated collection of data from hardware like connected cars.

The case highlights a growing tension between the automotive industry’s shift toward “software-defined vehicles” and the increasing demand for consumer data sovereignty. As vehicles incorporate more sensors and connectivity, the volume of personal information generated during a single trip has increased exponentially, making the enforcement of opt-out rights more complex.
Regulators have indicated that the focus of future enforcement will likely remain on the “sale” of data, which under the CCPA can include the transfer of information for “valuable consideration,” not just direct monetary payment. This means that data-sharing agreements between automakers and tech partners may face increased scrutiny.
The settlement requires General Motors to implement more stringent data handling practices and to ensure that California drivers can easily manage their privacy preferences through a simplified interface. The company must now demonstrate a verifiable process for honoring “do not sell” requests across its entire ecosystem of connected services.
This development serves as a warning to other automakers operating in the United States. As more states adopt privacy frameworks similar to the CCPA, the legal risk associated with the monetization of vehicle telematics continues to grow.
