In a high-profile privacy case, General Motors has agreed to pay $12.75 million to resolve a California investigation into allegations that it improperly sold location and driving data from OnStar subscribers to data brokers. The settlement, announced by California regulators, marks one of the largest penalties for automotive data privacy violations in the state. Here are key questions and answers about the case and its implications for drivers.
What was the settlement between GM and California?
General Motors agreed to pay $12.75 million to settle a California investigation into claims that it illegally sold the location and driving data of OnStar subscribers to third-party brokers. The payment resolves allegations that the automaker violated state privacy laws by failing to obtain proper consent before sharing sensitive geolocation and behavioral data. The settlement includes an injunction requiring GM to implement stronger data governance practices and to notify affected California subscribers. The money will be used to fund privacy enforcement and consumer education efforts in the state.
Why did California investigate GM over OnStar data?
California's investigation stemmed from complaints and regulatory reviews suggesting that GM, through its OnStar connected vehicle service, collected and sold subscribers' location and driving behavior data to data brokers without transparent disclosure or explicit consent. Under California's privacy laws, companies must clearly inform consumers about data collection and sales, and obtain opt-in consent for sensitive information like geolocation. The state argued that GM's practices violated these requirements, potentially exposing drivers to unwanted marketing, insurance risk scoring, or even surveillance. The probe began after consumer advocacy groups raised concerns and regulators found evidence of unauthorized data sharing.
What specific data did GM sell from OnStar users?
According to the investigation, GM sold data that included precise GPS location information, driving speed, acceleration patterns, braking habits, and other telematics data captured by OnStar's onboard systems. This information was aggregated and packaged for sale to data brokers, who then resold it to companies in sectors like insurance, advertising, and risk assessment. The data could reveal not only where a driver traveled but also how they drove, enabling profiling for purposes such as adjusting insurance premiums or targeting ads for auto-related products. GM did not disclose to subscribers that their real-time driving behavior was being monetized in this way.
Who were the data brokers that received GM's data?
The investigation did not publicly name all the brokers, but typical recipients included firms that specialize in aggregating automotive data and selling it to insurers, marketers, and vehicle history services. Examples of such brokers in the industry include companies like Verisk, Arity (a subsidiary of USAA), and others that provide driver risk scores. These brokers often receive data through API feeds from automakers like GM, then analyze and repackage it for their clients. The California investigation focused on GM's failure to obtain valid consent before sharing this data with these brokers, regardless of the specific firms involved.
How did the investigation into GM's data sales come to light?
The California investigation was prompted by a combination of whistleblower reports, consumer complaints, and proactive audits by the California Privacy Protection Agency (CPPA). Media reports, including an earlier Reuters investigation by David Shepardson, had also highlighted that automakers were selling connected car data without clear consumer awareness. California regulators launched a formal inquiry after receiving evidence that GM's OnStar privacy policies were misleading and that data sales continued despite consumer opt-out requests. The CPPA announced the settlement in a press release, detailing the findings and the $12.75 million payment.
What is OnStar and how does it collect driver data?
OnStar is a subscription-based telematics service offered by General Motors in most of its vehicles. It provides features like roadside assistance, emergency response, stolen vehicle tracking, and turn-by-turn navigation. To deliver these services, OnStar continuously collects real-time data from the vehicle's onboard sensors, including GPS location, engine diagnostics, speed, and braking events. This data is transmitted to GM's servers via cellular networks. While GM states that data is used for service improvement and safety, the investigation found that it was also being sold to brokers for commercial purposes, often without the explicit permission required by California law.
What are the broader implications of this settlement for other automakers?
The GM settlement serves as a strong warning to all automakers and connected vehicle service providers that selling driver data without transparent consent is legally risky. California is a trendsetter in privacy regulation, and its enforcement actions often influence federal and state-level policies. Other manufacturers like Ford, Toyota, and BMW, which also offer telematics services, may now face increased scrutiny from regulators and consumer lawsuits. The case highlights the need for automakers to adopt clear opt-in mechanisms for data collection and sale, and to regularly audit their data-sharing partnerships. It could also accelerate the push for federal legislation governing automotive data privacy.