GM Pays $12M in Largest CCPA Settlement for Driver Data Violations

General Motors has agreed to pay a $12.75 million settlement to the State of California for collecting and sharing sensitive driver data without proper consent, marking the largest fine issued under the California Consumer Privacy Act (CCPA) since its enactment in 2020. The settlement, announced Friday by California Attorney General Rob Bonta, resolves allegations that the automaker collected extensive telemetry data—including vehicle location history, driving behavior patterns, and personal information—through its connected vehicle services and shared this data with third-party brokers without providing consumers with the required opt-out mechanisms or adequate disclosure.

The investigation, conducted jointly by the California Department of Justice and the California Privacy Protection Agency (CPPA), revealed that GM's OnStar Smart Driver program and related telematics systems gathered granular data points including VIN numbers, GPS coordinates, acceleration patterns, braking behavior, and trip duration logs. These details were subsequently sold to insurance companies, data aggregation firms, and marketing analytics companies through GM's data monetization partnerships, violating multiple provisions of the CCPA that require explicit consent before sharing sensitive personal information.

"This settlement demonstrates California's commitment to holding corporations accountable for how they handle consumer data," said Attorney General Bonta during the announcement. "Vehicle manufacturers increasingly collect vast amounts of sensitive data through connected car technologies, and they must ensure this information is protected and not exploited without informed consent." Under the terms of the settlement, GM must implement comprehensive data governance reforms, provide affected California consumers with the ability to request deletion of their data, and submit to annual audits of its data practices for the next three years.