California Imposes Historic $12.75 Million CCPA Settlement on General Motors for Illegally Selling Driver Data

California Attorney General Rob Bonta, alongside a coalition of state and local enforcement agencies, has reached a landmark settlement with General Motors (GM) amounting to $12.75 million. This settlement arises from allegations that GM unlawfully collected and sold drivers’ personal data without obtaining proper consent, thereby violating the California Consumer Privacy Act (CCPA). This case marks the largest penalty imposed under the CCPA to date and represents California’s inaugural enforcement action focused on data minimization requirements as stipulated by state privacy laws.

Allegations of Data Misuse

The allegations against GM center on claims that the automaker shared sensitive driver information—including geolocation data and driving behavior—with data brokers Verisk Analytics and LexisNexis Risk Solutions from 2020 to 2024. According to the complaint, GM utilized its OnStar connected vehicle platform, which provides services such as emergency assistance and navigation, to collect this data. Investigators assert that GM sold names, contact details, precise location information, and driving behavior data of hundreds of thousands of Californians to these brokers.

Authorities indicated that the data was intended for the development of driver-risk scoring products, which could be leveraged by insurance companies in determining premiums. The investigation was a collaborative effort involving the California Department of Justice, the California Privacy Protection Agency (CalPrivacy), and district attorneys from San Francisco, Los Angeles, Napa, and Sonoma counties.

Attorney General Bonta emphasized that the settlement serves as a clear message regarding consumer control over personal data, stating, “General Motors sold the data of California drivers without their knowledge or consent.” He noted that such data could disclose sensitive aspects of consumers’ daily routines and movements.

CCPA Violations and Data Minimization Concerns

A significant focus of the case was on alleged violations of the CCPA’s data minimization and purpose limitation requirements, which were incorporated into California law in 2023. Under these provisions, companies are mandated to collect and retain only the data necessary for a specified purpose. Investigators claimed that GM retained driving and location data long after it was necessary for operating OnStar services and subsequently sold that retained data to third parties.

Additionally, authorities alleged that GM did not adequately inform consumers about how their information would be utilized. The complaint indicated that GM’s privacy policies suggested that driver data would solely be used to provide requested OnStar services and even asserted that the company did not sell driving or location information. Investigators contended that GM’s practices contradicted these statements.

San Francisco District Attorney Brooke Jenkins characterized modern vehicles as “rolling data collection machines,” asserting that consumers deserve transparency regarding the information collected and how it is shared. Los Angeles County District Attorney Nathan J. Hochman reiterated that companies managing consumer data would be held accountable under California privacy laws, irrespective of their size.

Growing Scrutiny of Connected Vehicle Privacy

This settlement occurs amid increasing regulatory scrutiny surrounding connected vehicle privacy and automotive data collection practices. In 2023, CalPrivacy initiated investigations into how connected car manufacturers handle consumer information. Public attention intensified in 2024 following a report by The New York Times, which revealed that automakers were sharing driving behavior data with insurance companies. The report indicated that some consumers outside California had experienced increased insurance premiums linked to such data-sharing practices.

California investigators later concluded that drivers in the state were likely not directly affected by insurance rate increases, as state insurance laws prohibit insurers from using driving behavior data to set premiums. However, regulators maintained that the collection, retention, and sale of the data itself contravened California privacy requirements.

Terms of the Settlement with General Motors

As part of the settlement, GM is required to implement several privacy-related measures over the coming years. The company must:

• Pay $12.75 million in civil penalties.
• Cease selling driving data to consumer reporting agencies for five years.
• Delete retained driving data within 180 days unless consumers provide explicit consent for limited uses.
• Request the deletion of driver data already shared with LexisNexis and Verisk.
• Establish and maintain a comprehensive privacy compliance program.
• Submit privacy assessments and compliance reports to California regulators and prosecutors.

This settlement reinforces California’s broader initiative to enhance consumer control over personal information under the CCPA. CalPrivacy Executive Director Tom Kemp stated that California privacy laws necessitate that businesses collect only the information they genuinely require and maintain transparency regarding data handling practices.

In conjunction with the settlement announcement, regulators also highlighted the state’s Delete Request and Opt-out Platform (DROP), which enables Californians to submit requests for the deletion of personal information held by numerous registered data brokers.

Source: thecyberexpress.com

Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.