In this digital age, data is an asset that car and insurance companies use to frame policies and make decisions. However, trading customer data without their knowledge and consent can attract penalties worth millions of dollars.
General Motors has allegedly landed in trouble for selling the data of thousands of customers to data brokers for a massive fee, without its customers’ knowledge or consent.
The California Privacy Protection Agency, CalPrivacy, initiated investigations into the privacy practices of several automakers in 2023. The New York Times reported in 2024 that vehicle manufacturers, including GM, were selling customers’ driving behavior data to insurance companies.
Following the report, the California Department of Justice (DOJ), in partnership with the District Attorneys of Los Angeles, Napa, San Francisco, and Sonoma, and with support from CalPrivacy’s Enforcement Division, investigated to determine whether any data was used to increase Californians’ insurance rates.
GM Sold Customer Data From 2020 to 2024 for $20 Million
According to a report by CalPrivacy, GM allegedly sold the names, contact information, driving behavior, and geolocation data “of hundreds of thousands of Californians to two data brokers, Verisk Analytics, Inc. (Verisk) and LexisNexis Risk Solutions (Lexis).”
GM is said to have made approximately $20 million nationwide by selling data, which data brokers used to develop a driver-rating product. The plan was to pitch this product to insurance companies, helping them set insurance rates based on the customers’ data.
Courtesy of California’s insurance laws, insurers are prohibited from using driver data to set insurance rates. As a result, California drivers were not affected by the sale of data, but drivers in other states may have faced increased insurance premiums.
CalPrivacy’s investigation found that GM allegedly misled customers by implying that their data would only be used to provide OnStar subscribers with requested services, with no mention that the data would be sold to Lexis and Verisk.
GM even stated in its privacy policy that it would not sell driving and location data for insurance purposes without customer consent.
These practices reportedly violate the California Consumer Privacy Act’s (CCPA) purpose limitation and data minimization requirements.
The settlement on 8 May, 2026, subject to court approval, requires GM to pay a civil penalty and adopt certain measures. The report outlines GM’s requirements as follows:
- Pay $12.75 million in civil penalties.
- Stop selling driving data to any consumer reporting agencies for five years, including to data brokers like Lexis and Verisk.
- Delete any driving data retained by the company within 180 days, except for certain limited internal uses, absent affirmative, express consent from consumers.
- Request Lexis and Verisk delete driving data.
- Develop and maintain a robust privacy program that is required to assess, mitigate, and document the risks of collecting data through OnStar and ensure that GM complies with the CCPA.
- Report its privacy assessments to DOJ, the aforementioned DAs, and CalPrivacy.
Attorney General Rob Bonta revealed in a statement that GM is required to follow privacy laws:
“General Motors sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so. This trove of information included precise and personal location data that could identify the everyday habits and movements of Californians.
“Today’s settlement requires General Motors to abandon these illegal practices and underscores the importance of the data minimization in California’s privacy law — companies can’t just hold on to data and use it later for another purpose. I am proud to go to bat for the privacy rights of Californians and to collaborate with state and local partners who share the same commitment to consumer protection.”
Tom Kemp, Executive Director of CalPrivacy, added:
“This settlement reflects the power of coordinated enforcement, and CalPrivacy appreciates the close collaboration with the other enforcement agencies in bringing this case to a strong resolution.
“California’s privacy laws are clear: Companies must collect only what they need, use it responsibly, and be forthright with consumers about how their data is handled.”
What about Californians who want to ensure their data is erased from the brokers’ databases? CalPrivacy enables them to send one request to more than 575 registered data brokers to delete their personal data by using a new, easy-to-use online tool – the Delete Request and Opt-out Platform (DROP), offering customers more control over how their data is used.