The $12.75M California driver privacy settlement

General Motors spent years positioning its connected vehicle ecosystems as the ultimate fortress for driver privacy. Instead, the automaker quietly treated customer telematics as a high-value asset, funneling sensitive driving data from hundreds of thousands of Californians to third-party brokers. That stark contradiction between public privacy promises and private monetization strategies has finally triggered a legal reckoning. Following intense scrutiny over the unauthorized trading of sensitive telemetry, California Attorney General Rob Bonta confirmed that General Motors has agreed to the California driver privacy settlement to resolve the allegations.

How telematics became a commodity

The convenience of modern connected cars came with an invisible toll: the relentless collection of geolocation pings and driving habits through OnStar units. While GM maintained these systems operated strictly for safety and navigation, a pivotal 2024 New York Times investigation exposed the behind-the-scenes revenue stream. The report detailed how the automaker fed this information directly to insurance and risk assessment firms, creating a feedback loop where driver monitoring directly influenced financial risk profiles.

The financial incentives were massive. According to settlement documents, the data extraction generated roughly $20 million in revenue. The primary buyers were industry heavyweights such as Verisk Analytics and LexisNexis Risk Solutions, which used the metrics to build comprehensive risk profiles. Much of this tracking was routed through the "Smart Driver" program, a voluntary feature that offered owners rewards in exchange for detailed pattern monitoring. Despite GM’s claims that the resolution only targets this discontinued product, the Attorney General’s office emphasized that the company sold personal data of hundreds of thousands of drivers without their knowledge or explicit consent.

To prevent future violations, the agreement mandates a strict overhaul of how the automaker handles vehicle data:

  • Five-Year Data Ban: GM is prohibited from selling drivers' personal information to consumer reporting agencies for the next five years.
  • Mandatory Data Deletion: The company must purge any retained driver data within 180 days of the settlement's finalization, unless fresh, explicit customer consent is obtained.
  • Third-Party Cleanup: GM is legally required to formally request that Verisk and LexisNexis delete all acquired data, attempting to scrub the compromised information from the market.

The regulatory paradox and what’s next

Perhaps the most surprising element of the Attorney General’s announcement is the unexpected financial outcome for consumers. While selling sensitive driving data without proper authorization violates the California Consumer Privacy Act, the settlement explicitly notes that the practice did not trigger increased insurance premiums for state residents. This anomaly stems from California’s strict regulatory environment, which currently prohibits insurers from using driving telemetry to calculate rates.

This legal nuance creates a complex landscape for consumer advocates reviewing the California driver privacy settlement. The unauthorized hoarding of data remains a severe privacy violation that demands accountability, even when immediate financial harm is neutralized by existing state laws. Attorney General Bonta’s office stressed that the agreement reinforces the principle of data minimization, arguing that corporations cannot stockpile sensitive telemetry for future profit regardless of short-term market effects.

This resolution also highlights the evolving patchwork of digital oversight. GM had previously settled with the Federal Trade Commission regarding its data sales, establishing a federal baseline that restricted OnStar from selling certain metrics to consumer reporting agencies. The California driver privacy settlement, however, introduces targeted state-level penalties that extend beyond federal guidelines, proving that individual states are actively leading the charge on digital rights. As vehicles transition into complex, software-defined networks, the tension between seamless functionality and user autonomy will only sharpen. This agreement sends a direct warning to the automotive sector: connected vehicle data is not exempt from strict privacy enforcement, and the era of unmonitored data monetization is officially over.