General Motors (GM) has agreed to pay $12.75m to settle a California lawsuit alleging it sold OnStar subscribers’ personal and driving data without proper disclosure or consent.
OnStar is GM’s subscription-based offering for in-vehicle safety and security.
Go deeper with GlobalData
Discover B2B Marketing That Performs
Combine business intelligence and editorial excellence to reach engaged professionals across 36 leading media platforms.
The lawsuit was brought by the California Attorney General and district attorneys representing Los Angeles, Napa, San Francisco and Sonoma counties, with support from the California Privacy Protection Agency.
Authorities alleged that between 2016 and 2024, GM gathered driver and vehicle-related data from hundreds of thousands of California OnStar subscribers.
The information allegedly included names, telephone numbers, home addresses, vehicle speeds, rapid acceleration and hard braking events, alongside GPS location data showing where customers drove and parked.
Los Angeles County District Attorney Nathan Hochman said: “This settlement makes clear that car companies cannot secretly speed off with your personal data for profit.
“Consumers have a fundamental privacy right to control their personal information, and this right does not stop at a car door. We appreciate the California Attorney General, the California Privacy Protection Agency and our partner District Attorneys for holding companies who do business in California accountable.”
According to the complaint, GM had told subscribers their data would only support OnStar services, including emergency response, navigation and driver coaching.
The company also allegedly stated it did not sell driving or location information, the press statement added.
However, from 2020 onwards, GM allegedly sold the data to LexisNexis Risk Solutions and Verisk Analytics without sufficiently disclosing the practice or allowing customers to opt out.
The lawsuit stated GM generated about $20m nationwide from the data sales arrangement.
Under the proposed settlement, which still requires court approval, GM will pay $12.75m in civil penalties and undertake several corrective measures affecting California OnStar customers.
The agreement includes a five-year prohibition on selling driving data to consumer reporting agencies, including LexisNexis and Verisk.
GM must also delete retained driving data within 180 days, except where limited internal uses apply and consumers have provided express consent.
In addition, the company must ask LexisNexis and Verisk to erase any driving data they possess.
The settlement further requires GM to establish a privacy programme aimed at identifying, reducing and documenting risks linked to OnStar data collection practices and ensuring compliance with the California Consumer Privacy Act.
The company must submit its privacy assessments to the California Department of Justice, the California Privacy Protection Agency and the relevant district attorneys’ offices.
The matter was handled for the Los Angeles County District Attorney’s Office by Assistant Head Deputy District Attorney Steven Wang and Deputy District Attorney Louis Morin from the Consumer Protection Division.
