
California reaches settlement with GM on data privacy, sharing violations

California regulators and the state’s Privacy Protection Agency (CalPrivacy) have reached a settlement agreement with General Motors regarding the illegal sale of Californians’ location and driving data to two data brokers.
A press release from the agency states that the sale violated the California Consumer Privacy Act (CCPA) and California’s Unfair Competition Law.
In 2023, CalPrivacy announced investigations into the privacy practices of connected vehicles and began engaging with GM and other car manufacturers.
In 2024, while those investigations were underway, the New York Times reported that automakers, including GM, were sharing consumers’ driving behavior with insurance companies.
The reporting noted that some insurers had raised consumers’ rates based on this data.
Shortly after, the California Department of Justice (DOJ) partnered with the District Attorneys of Los Angeles, Napa, San Francisco, and Sonoma, with support from CalPrivacy’s Enforcement Division, to investigate reports like these and to determine whether any data was used to increase Californians’ insurance rates.
The settlement, which is subject to court approval, includes $12.75 million in civil penalties and injunctive terms, including restrictions on GM’s use of consumer driving data and a ban on selling such data to data brokers.
“General Motors sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so,” said Attorney General Rob Bonta in the release. “This trove of information included precise and personal location data that could identify the everyday habits and movements of Californians.”
He added that the settlement underscores the importance of data minimization in California’s privacy law.
“Companies can’t just hold on to data and use it later for another purpose,” Bonta said. “I am proud to go to bat for the privacy rights of Californians and to collaborate with state and local partners who share the same commitment to consumer protection.”
San Francisco District Attorney Brooke Jenkins added that “modern cars are rolling data collection machines” and Californians must have confidence that they know what data is being collected, how it is being used, and what their opt-out rights are.
“Those duties fall on the automobile companies,” she said. “This case sends a strong message that law enforcement will take action when California privacy laws are not scrupulously followed.”
Los Angeles County District Attorney Nathan J. Hochman said the settlement should serve as a warning: “No matter how big of a company you are, you will be held accountable in California.”
Napa District Attorney Allison Haley noted there are legitimate reasons that California drivers would want to share such information with car companies, like receiving emergency roadside assistance.
“But Californians are entitled to know exactly what kind of data is being collected, how such data will be used, and whether they have the right to not share that information,” she said. “When companies misrepresent their data collection practices to consumers, as GM did here, my office will take enforcement action.”
“This settlement reflects the power of coordinated enforcement, and CalPrivacy appreciates the close collaboration with the other enforcement agencies in bringing this case to a strong resolution,” said Tom Kemp, Executive Director of CalPrivacy. “California’s privacy laws are clear: Companies must collect only what they need, use it responsibly, and be forthright with consumers about how their data is handled.”
The proposed settlement also requires GM to:
- Stop selling driving data to any consumer reporting agencies for five years, including to data brokers like Lexis and Verisk.
- Delete any driving data retained by the company within 180 days, except for certain limited internal uses, absent affirmative, express consent from consumers.
- Request that Lexis and Verisk delete driving data.
- Develop and maintain a robust privacy program that is required to assess, mitigate, and document the risks of collecting data through OnStar and ensure that GM complies with the CCPA.
- Report its privacy assessments to DOJ, the aforementioned DAs, and CalPrivacy.
In January, the Federal Trade Commission (FTC) finalized a 20-year order with General Motors and OnStar to settle allegations that they collected, used, and sold geolocation data and driving behavior data from millions of vehicles without consumer consent and notification.
Under the order, General Motors LLC, General Motors Holdings LLC, and OnStar, LLC, collectively GM, are prohibited from sharing certain consumer data with consumer reporting agencies and required to take steps to provide greater transparency and choice to consumers over the collection, use, and disclosure of their connected vehicle data.
Lawsuits have been filed by attorneys general in Arkansas, Nebraska, and Texas against GM, as well as by a Florida consumer over the same alleged activity.
CalPrivacy has developed a new way for Californians to protect their personal data.
Through the Delete Request and Opt-out Platform (DROP), residents can submit an online request to more than 575 registered data brokers to delete their personal data.
Images
Featured image provided by GM
