California regulators have announced a major privacy settlement with General Motors (GM) over allegations that the company unlawfully sold the location and driving data of hundreds of thousands of Californians to two data brokers: Verisk Analytics and LexisNexis Risk Solutions. The settlement, subject to court approval, requires GM to pay $12.75 million in civil penalties and imposes significant restrictions on how the company may use, retain, and share consumer driving data. According to the complaint, GM collected the data through OnStar and allegedly failed to provide adequate notice to consumers, despite statements suggesting that driving and location data would not be sold or would only be disclosed for insurance purposes at the consumer’s direction.

The settlement highlights the growing privacy risks associated with connected vehicles. As San Francisco District Attorney Brooke Jenkins stated, “Modern cars are rolling data collection machines.” Location data can reveal highly sensitive details about a person’s daily life, including where they live, work, worship, receive medical care, or take their children to school. California officials alleged that GM retained driving and location data longer than necessary and then sold it to data brokers that intended to use it for driver-rating products marketed to auto insurers. Although investigators determined that California drivers were likely not subject to increased premiums because California law restricts the use of driving data for insurance rates, the alleged conduct still raised serious concerns under the California Consumer Privacy Act (CCPA) and California’s Unfair Competition Law.

The settlement is especially notable because it is the California Department of Justice’s first enforcement action focused on the CCPA’s data minimization principle. Under the settlement terms, GM must stop selling driving data to consumer reporting agencies for five years, delete retained driving data within 180 days except for limited internal uses or where consumers provide affirmative, express consent, request deletion from LexisNexis and Verisk, and maintain a robust privacy compliance program. For companies collecting connected device data, the message is clear: collect only what is needed, explain data practices clearly, honor consumer rights, and do not repurpose sensitive data without proper notice and consent.