When It Comes to Data Privacy, Consumers Must Be in the Driver’s Seat: Attorney General Bonta, Partners Secure $12.75 Million General Motors Privacy Settlement

Largest CCPA penalty in California history to date and first data minimization case

OAKLAND - California Attorney General Rob Bonta, together with San Francisco County District Attorney Brooke Jenkins, Los Angeles County District Attorney Nathan J. Hochman, Napa County District Attorney Allison Haley, and Sonoma County District Attorney Carla Rodriguez, and with support from the California Privacy Protection Agency (CalPrivacy), today announced a settlement with General Motors (GM) regarding its illegal sale of hundreds of thousands of Californians' location and driving data to two data brokers in violation of the California Consumer Privacy Act (CCPA) and California's Unfair Competition Law. The settlement, which is subject to court approval, includes $12.75 million in civil penalties and strong injunctive terms, including restrictions on its use of consumer driving data and a ban on such data being sold to data brokers.

"General Motors sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so. This trove of information included precise and personal location data that could identify the everyday habits and movements of Californians," said Attorney General Rob Bonta. "Today's settlement requires General Motors to abandon these illegal practices and underscores the importance of the data minimization in California's privacy law - companies can't just hold on to data and use it later for another purpose. I am proud to go to bat for the privacy rights of Californians and to collaborate with state and local partners who share the same commitment to consumer protection."

"Modern cars are rolling data collection machines," said San Francisco District Attorney Brooke Jenkins. "Californians must have confidence that they know what data is being collected, how it is being used, and what their opt-out rights are. Those duties fall on the automobile companies. This case sends a strong message that law enforcement will take action when California privacy laws are not scrupulously followed. I want to extend my appreciation to both the Attorney General's Privacy Unit and to CalPrivacy for their work in this field, and my fellow District Attorneys for taking action to enforce and protect California's privacy laws."

"It is patently illegal to secretly sell consumers' personal data," said Los Angeles County District Attorney Nathan J. Hochman. "To car companies who want to speed off with your data without your consent, these penalties should serve as a warning: No matter how big of a company you are, you will be held accountable in California. We appreciate the California Attorney General, our partner District Attorneys and the California Privacy Protection Agency for working with us to stand up for consumers."

"If you know the precise location of a person's car, then you know an enormous amount of personal, sensitive information about that person - their home, work, children's school, place of worship. There are legitimate reasons that California drivers would want to share such information with their car company, like receiving emergency roadside assistance, but Californians are entitled to know exactly what kind of data is being collected, how such data will be used, and whether they have the right to not share that information," said Napa District Attorney Allison Haley. "When companies misrepresent their data collection practices to consumers, as GM did here, my office will take enforcement action. Our office is pleased to have worked alongside our fellow district attorneys and the Department of Justice to resolve this case."

"I am proud to have partnered with the California Attorney General, CalPrivacy, and my fellow District Attorneys, to bring this important action to protect the privacy rights of California consumers," said Sonoma County District Attorney Carla Rodriguez.

"This settlement reflects the power of coordinated enforcement, and CalPrivacy appreciates the close collaboration with the other enforcement agencies in bringing this case to a strong resolution," said Tom Kemp, Executive Director of CalPrivacy. "California's privacy laws are clear: companies must collect only what they need, use it responsibly, and be forthright with consumers about how their data is handled."

BACKGROUND

In 2023, CalPrivacy announced investigations into the privacy practices of connected vehicles and began engaging with GM and other car manufacturers. In 2024, while those investigations were underway, the New York Times reported that automakers, including GM, were sharing consumers' driving behavior with insurance companies. The reporting noted that some insurers had raised consumers' rates based on this data. Shortly after, the California Department of Justice (DOJ) partnered with the District Attorneys of Los Angeles, Napa, San Francisco, and Sonoma, with support from CalPrivacy's Enforcement Division, to investigate reports like these and to determine whether any data was used to increase Californians' insurance rates.

As alleged in the complaint filed today, the investigation revealed that from 2020 to 2024, GM sold the names, contact information, geolocation data, and driving behavior data of hundreds of thousands of Californians to two data brokers, Verisk Analytics, Inc. (Verisk) and LexisNexis Risk Solutions (Lexis). Between Lexis and Verisk, GM reportedly made approximately $20 million nationwide from these data sales. General Motors collected this data through consumers' use of OnStar, which can provide directions or summon an ambulance in the case of a crash, among other functions. Both data brokers purchased this data intending to use it to develop a driver-rating product that could be marketed to auto insurers for use in setting rates. The investigation determined that California drivers were not directly impacted by GM's sales of data, likely because under California's insurance laws, insurers are prohibited from using driving data to set insurance rates. As a result, California drivers had not been subject to increased premiums because of GM's data sales, unlike drivers in other states.

However, the investigation determined GM failed to give consumers any notice of the sales to Lexis and Verisk and misled consumers by implying that data would only be used to provide OnStar subscribers with requested services. In its privacy policy, GM even stated that it did not sell any driving or location data and that if it did disclose any such data for insurance purposes, it would be at the consumer's express direction. Additionally, GM sold consumers' data to Lexis and Verisk without customers' knowledge or consent, despite an internal privacy compliance program that required GM to inform consumers how their personal information would be used and the third parties that may receive it.

Additionally, even though it is prohibited by California law, GM retained Californians' driving and location data long after being used to operate OnStar and then sold this retained data to Lexis and Verisk who were intending to sell the data for insurance rate-setting. These practices violated the CCPA's purpose limitation and data minimization requirements, added in 2023, that impose common sense limitations on when and how businesses use, retain, and share data with third parties. Today's settlement represents DOJ's first action enforcing the data minimization principle.

Today's settlement, subject to court approval, requires GM to:

• Pay $12.75 million in civil penalties.
• Stop selling driving data to any consumer reporting agencies for five years, including to data brokers like Lexis and Verisk.
• Delete any driving data retained by the company within 180 days, except for certain limited internal uses, absent affirmative, express consent from consumers.
• Request Lexis and Verisk delete driving data.
• Develop and maintain a robust privacy program that is required to assess, mitigate, and document the risks of collecting data through OnStar and ensure that GM complies with the CCPA.
• Report its privacy assessments to DOJ, the aforementioned DAs, and CalPrivacy.

California Consumer Privacy Act

The CCPA vests California consumers with control over the personal information that businesses collect about them, including the right to request that businesses stop selling or sharing their personal information. Learn more about opting out.

Attorney General Bonta is committed to the robust enforcement of California's nation-leading privacy law. Today's settlement represents the eighth enforcement action under the CCPA. Attorney General Bonta has also announced settlements with Sephora, DoorDash, and Disney as well as mobile app gaming company, Jam City; streaming service, Sling TV; website publisher, Healthline.com; and entertainment company, Tilting Point Media. In order to monitor businesses' compliance with the CCPA, Attorney General Bonta has conducted investigative sweeps related to location data, streaming apps and devices, employee information, and surveillance pricing.

For more information about the CCPA, visit oag.ca.gov/ccpa. To report a violation of the CCPA to the Attorney General, consumers can submit a complaint online at oag.ca.gov/report.

Stop, DROP, and Secure Your Data

Californians can now send one request to more than 575 registered data brokers to delete their personal data using a new, easy-to-use online tool. The Delete Request and Opt-out Platform (DROP), developed by CalPrivacy, gives Californians more control over their personal information and helps limit the information that data brokers sell. For more information about DROP and how Californians can submit a deletion request, visit: privacy.ca.gov/drop.