GM Sold Your Location Data for Years. California Just Made Them Pay.

When you signed up for OnStar, you were paying for roadside assistance and navigation. You were not agreeing to have your daily movements sold to data brokers. According to California investigators, GM did it anyway. 

California just secured a record settlement against General Motors, the largest penalty ever issued under the California Consumer Privacy Act, over allegations that the company sold the location and driving data of hundreds of thousands of California drivers without meaningful consent. From 2020 to 2024, that data, including names, contact information, precise location, and driving behavior, was passed to LexisNexis Risk Solutions and Verisk Analytics, which used it to build driver-risk profiles. Nationwide, GM reportedly earned around $20 million from those sales. 

This is exactly the kind of data pipeline that rarely gets discussed when people think about privacy. Your car knows where you drop your kids off, when you go to the doctor, and what time you leave for work. That information has real value, and companies have been quietly monetizing it. 

GM is not alone. California has also reached settlements with Honda and Ford over similar violations in the past year. The auto industry has a data problem, and it is only now facing real consequences for it. 

The settlement requires GM to stop selling driving data to consumer reporting agencies for five years and to delete retained data within 180 days. That is meaningful. But it covers one company, in one state, for one discontinued product. LexisNexis and Verisk still have the data they have already collected. And the broader market for vehicle driving data remains largely unregulated at the federal level. 
