California Slaps General Motors With Record $12.75M CCPA Fine Over Sales of Customers’ Connected Car Data

California regulators accuse GM of secretly monetizing driver data, signaling tougher scrutiny of connected vehicle privacy and consent practices


Published: May 12, 2026

Nicole Willing

U.S. automaker General Motors (GM) has agreed with California regulators to pay a $12.75M settlement over claims that it illegally sold hundreds of thousands of Californians’ location and driving data to two data brokers, marking the largest penalty under the California Consumer Privacy Act (CCPA) and the state’s first enforcement action centered on data minimization.

The settlement, announced by California Attorney General Rob Bonta alongside four district attorneys and the California Privacy Protection Agency (CalPrivacy), indicates intensifying scrutiny over how automakers monetize connected-vehicle data.


Internet-connected cars are becoming a major point of focus in the data privacy debate. Vehicles can collect a wider range of information than ever before, including location history, driving habits, braking patterns, voice commands, infotainment activity and even some in-cabin data.

Privacy advocates and regulators say many drivers still do not fully understand how much of that information is being gathered, how long companies keep it, or how widely it may be shared with insurers, advertisers, analytics providers and data brokers.

As automakers expand connected services and subscription features, regulators are paying closer attention to whether consumers receive clear and meaningful consent options, and whether there are limits on how their data is used and retained.

“Modern cars are rolling data collection machines,” San Francisco District Attorney Brooke Jenkins said in the settlement announcement. She added that consumers must understand what information automakers collect, how it is used, and their opt-out rights.

According to the complaint, GM collected names, contact information, geolocation data and driving behavior data through its OnStar platform between 2020 and 2024, then sold that information to data brokers Verisk Analytics and LexisNexis Risk Solutions. The automaker earned roughly $20M nationwide from the data-sharing arrangements, according to the state. Attorney General Bonta stated:

“General Motors sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so. This trove of information included precise and personal location data that could identify the everyday habits and movements of Californians.”

The OnStar platform can provide directions or summon an ambulance in the case of a crash, among other functions. The data brokers purchased the data to develop a driver-rating product that automotive insurance companies could use to set rates. The investigation noted that California’s insurance laws prohibit the use of driving data to set rates, and found that “GM failed to give consumers any notice of the sales to Lexis and Verisk and misled consumers by implying that data would only be used to provide OnStar subscribers with requested services,” according to the statement.

“In its privacy policy, GM even stated that it did not sell any driving or location data and that if it did disclose any such data for insurance purposes, it would be at the consumer’s express direction. Additionally, GM sold consumers’ data to Lexis and Verisk without customers’ knowledge or consent, despite an internal privacy compliance program that required GM to inform consumers how their personal information would be used and the third parties that may receive it.”

In addition, the regulators argued that GM retained Californians’ driving and location data longer than was necessary to operate OnStar services and later repurposed the retained data for commercial sales. That violated the CCPA’s purpose limitation and data minimization requirements, added in 2023, which restrict when and how businesses may use and retain personal data and share it with third parties.

The settlement, which is subject to court approval, includes restrictions on GM’s use of consumer driving data and a ban on selling that data to brokers.

GM is required to stop selling driving data to any consumer reporting agencies for five years, including brokers like Lexis and Verisk, and to delete any driving data it retains within 180 days, unless it has express consent from consumers. It must also ask Lexis and Verisk to delete the driving data they received.

GM must also develop and maintain a robust privacy program that assesses, mitigates and documents the risks of collecting data through OnStar and ensures that it complies with the CCPA. The company must then report its privacy assessments to the Department of Justice, the District Attorneys and CalPrivacy.

The settlement follows an order by the U.S. Federal Trade Commission (FTC) in January tied to claims involving GM and OnStar’s collection and sale of location data without adequately notifying consumers and obtaining their affirmative consent.

The FTC requires GM to “obtain affirmative express consent from consumers prior to collecting, using, or sharing connected vehicle data (including sharing data with consumer reporting agencies), with some exceptions such as for providing location data to emergency first responders.”

The automaker also needs to allow all U.S. consumers to request a copy of their data and request its deletion, give consumers the ability to disable the collection of precise geolocation data from their vehicles if the vehicle has that capability and provide a way for consumers to opt out of the data collection.

GM Settlement Reflects Broader Crackdown on Mobility Data Practices

The settlement comes as consumer concerns around connected vehicles grow. Recent investigations into automaker telemetry practices have focused on how driving patterns, location histories and behavioral data can shape insurance pricing, marketing profiles, and risk scoring.

For customer experience leaders, the case illustrates how privacy compliance is becoming inseparable from customer trust strategy. Connected services, personalization features, roadside assistance and predictive maintenance programs all rely heavily on consumer data collection.

Regulators increasingly expect brands to clearly define how that information will be used and to give consumers meaningful control over secondary uses.

On the same day the GM settlement was announced, Dutch, Finnish and Norwegian regulators imposed a €100M fine on the European operator of ride-hailing app Yango over claims that it transferred taxi customer and driver data to Russia without adequate GDPR safeguards.

The Dutch Data Protection Authority, the Finnish Data Protection Authority, the Office of the Data Protection Ombudsman and the Norwegian Data Protection Authority said the platform stored sensitive information such as precise location data, driver license scans, addresses and bank account information on Russian servers.

According to Netherlands-based MLU BV, which is part of the Yandex Group, Yango ceased operating in Finland and Norway in October 2025. But the app is still available in app stores in Finland and Norway. According to a statement by Finland’s Office of the Data Protection Ombudsman:

“The decision orders MLU BV to stop transferring personal data of European Yango users to Russia. This is the first decision by European data protection authorities to assess data transfers to Russia.”

The Yango case reflects growing regulatory concern over cross-border transfers of mobility data, especially as connected transportation ecosystems increasingly rely on cloud infrastructure and third-party analytics providers.

Automotive and mobility companies now face a dual compliance challenge: ensuring transparency and obtaining users’ explicit consent, while also limiting how much data they retain in the first place.

For customer experience and privacy executives, the regulatory direction is becoming clearer: consent banners and lengthy policies alone may no longer satisfy regulators if underlying data practices exceed what consumers reasonably expect.
