May 12, 2026
California Just Issued Its Largest Privacy Fine Ever—$12.75 Million—Because GM Sold Hundreds of Thousands of OnStar Drivers' Locations to Two Data Brokers
For four years GM took the GPS coordinates, hard braking events, and contact details of California OnStar subscribers and sold them to LexisNexis and Verisk Analytics. Attorney General Rob Bonta announced a $12.75 million settlement on May 8 — almost five times the previous CCPA record.
California Attorney General Rob Bonta, three county district attorneys, and the California Privacy Protection Agency announced on May 8 that General Motors agreed to pay $12.75 million to end a multiyear investigation into how OnStar data left the car. The penalty is the largest ever assessed under the California Consumer Privacy Act — nearly five times the $2.75 million Disney paid in February 2026 and roughly twenty times the $632,500 Honda paid in 2024.
According to the settlement documents, between 2020 and 2024 GM sold the names, contact information, geolocation data, and granular driving behavior of hundreds of thousands of California residents to two specific data brokers: LexisNexis Risk Solutions and Verisk Analytics. GM earned approximately $20 million nationwide from those data sales. The data flowed out of OnStar's "Smart Driver" telematics product — the same one that sold itself as a coaching feature for safer driving.
"General Motors sold the data of California drivers without their knowledge or consent," Bonta said in the announcement. The settlement marks the first data minimization enforcement action California has ever brought under CCPA, and the privacy program GM has to build out reads more like a consent decree than a normal compliance commitment.
What "Smart Driver" Was Actually Logging
OnStar Smart Driver launched as a feedback feature: drivers got a monthly score and a few coaching tips on how to brake more gently. What investigators found is that the program was a telemetry firehose pointed at the insurance industry.
According to the California complaint, the data GM collected through Smart Driver and shipped to brokers included:
- GPS coordinates with timestamps. Not just trip endpoints. The data captured continuous location traces of every drive.
- Hard braking and hard acceleration events. Each spike was logged with location, time, and severity.
- Speeding incidents. Including the speed at which the event happened and the posted limit on that road segment.
- Trip distance and duration. Every drive, including the late nights and the unfamiliar destinations.
- Names, contact details, and vehicle identification numbers. All keyed to the driving record so brokers could merge the data with their existing dossiers.
GM's own privacy policy had stated, in writing, that it did not sell driving or location data. The same policy promised any disclosure for insurance purposes would happen only at the customer's direction. The Smart Driver enrollment flow did not mention either data broker by name.
Why the Brokers Wanted It
LexisNexis Risk Solutions and Verisk Analytics are not consumer brands. They are the wholesale data backends for the auto insurance industry. When you apply for a new policy or get a renewal quote, the carrier pulls a report from one of these two companies that summarizes your driving behavior, claims history, and risk profile. For decades that report was built from accident records and claims data. Now, increasingly, it is built from telematics.
The 2024 New York Times investigation that first exposed this practice documented drivers whose insurance premiums jumped by 21 percent after their LexisNexis report showed hard braking events from Smart Driver — events the drivers had no idea were being recorded, much less sold. California's complaint references those harms but stops short of claiming them as damages because state insurance laws independently bar carriers from raising rates on telematics. The harm in the California case was the unlawful sale itself.
The mechanism here is the same one the FTC went after when it permanently banned data broker Kochava from selling location data earlier this year. A consumer signs up for a service that collects detailed location traces, the operator monetizes those traces through a broker, and the broker resells them to anyone willing to pay. The only difference between Kochava and GM is that Kochava's source was free phone apps and GM's source was a car the consumer paid $50,000 for.
What GM Has to Do for the Next Five Years
The monetary penalty is the headline, but the injunctive relief is where the precedent gets set. GM has to:
- Stop selling driving data to any consumer reporting agency for five years, including LexisNexis and Verisk by name.
- Delete all retained driving data within 180 days. This is the data minimization requirement that California is using as its enforcement hook.
- Demand the brokers delete the data they already received. GM has to send the request and document the response.
- Build and maintain a robust privacy compliance program, including risk assessments for any telematics data GM collects, with documented mitigations.
- Submit ongoing privacy assessments to the Attorney General, the CPPA, and the participating county district attorneys.
The five-year ban is not just a punishment for GM. It signals that California is willing to treat the resale of behavioral telemetry as the kind of conduct that warrants structural remedies, not just fines. That changes the calculus for every connected car maker, every smart appliance vendor, and — eventually — every email marketing platform that monetizes recipient behavior the same way.
Why This Is a Privacy Story, Not Just a Car Story
If you do not own a GM vehicle, the impulse is to file this under "interesting but not mine." That is wrong for two reasons.
The first is that the same telemetry pattern is everywhere. Mozilla's 2023 review of the auto industry found that all 25 brands it tested collected more personal data than necessary, with most reserving the right to sell or share it. Honda, Hyundai, Ford, and others have all been named in subsequent class actions. GM just happened to be the one with the clearest internal record of who the brokers were and how much money changed hands. The settlement gives plaintiffs' lawyers a template.
The second is that the legal theory here — that selling behavioral data without specific, informed consent violates CCPA's data minimization rule — has nothing to do with cars. It has to do with the mechanism. A streaming service that logs every show you watch and sells the file to ad tech, a wearable that ships your heart rate to a wellness broker, or an email marketing platform that compiles a behavioral profile of every recipient and shares it across its customer base is doing the same thing GM was doing. Just with different sensors. Texas filed a parallel lawsuit against Netflix this week alleging the streaming service operates "surveillance machinery" that logs five petabytes of behavioral signals daily — the same architectural pattern.
Email is the underappreciated example. Most marketing senders today log open events, click events, scroll depth, time on message, and geographic IP for every recipient — then enrich that data with third-party identity graphs and either sell access or trade it for reciprocal access to other senders' files. None of it is disclosed beyond a generic line in the privacy policy that says "we may share data with partners." The CCPA's data minimization standard, once it is enforced against email senders the way it was just enforced against GM, will not survive that ambiguity.
What Compliance Officers Should Do This Week
If you handle privacy compliance for a company that touches California residents — and given the state's market size, that is most companies — three concrete actions follow from the GM order.
- Audit any data sales to consumer reporting agencies or data brokers. If your privacy policy says you do not sell data, but your ad tech contract or your CDP integration moves identifiers to a third party for value, that is the GM scenario.
- Document a data minimization rationale for every category of behavioral data you retain. California's case turned on retention beyond operational necessity. The fact that GM kept years of location data when it only needed weeks was a violation in itself.
- Map the disclosure language at the point of collection. Generic privacy policies are not consent. The OnStar enrollment flow looked compliant on paper and still produced the largest CCPA fine in state history because the consumer never saw the broker names.
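The three actions above (audit outbound data sales, document a retention rationale per category, and check what was disclosed at collection) can be turned into mechanical checks that run over an inventory of records and data flows. The following is an added example written for this article, not tooling from GM, OnStar, or any regulator; the category names, retention windows, recipients, and sample records are all constructed assumptions, and the pass/fail rules are a simplified reading of the settlement's logic rather than legal advice.

```python
"""Data-minimization and data-flow audit over constructed telemetry records.

Example code added to illustrate the audit steps above. Category names,
retention windows, recipients and records are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Assumed operational retention windows per behavioral-data category (days),
# each paired with the written rationale that ties the window to a real need.
# A category missing from this table is retained without a documented reason.
RETENTION_POLICY: Dict[str, Tuple[int, str]] = {
    "gps_trace":        (30,  "render the driver's monthly trip map"),
    "hard_brake_event": (90,  "compute the rolling 90-day coaching score"),
    "speeding_event":   (90,  "compute the rolling 90-day coaching score"),
    "trip_summary":     (365, "produce the annual mileage report shown to the driver"),
}


@dataclass(frozen=True)
class TelemetryRecord:
    record_id: str
    category: str
    collected_at: datetime   # timezone-aware UTC timestamp
    vin_hash: str            # pseudonymous vehicle key, never the raw VIN


@dataclass(frozen=True)
class DataFlow:
    """One outbound transfer of a data category to a recipient."""
    category: str
    recipient: str
    for_value: bool            # money or reciprocal data access changes hands
    consumer_directed: bool    # the individual explicitly asked for this disclosure
    named_at_collection: bool  # recipient was named in the enrollment flow


def retention_findings(records: List[TelemetryRecord], now: datetime,
                       policy=RETENTION_POLICY):
    """Partition records into (keep, purge, undocumented).

    'purge' holds records older than their category's window; 'undocumented'
    holds records whose category has no written retention rationale at all,
    which is a finding regardless of the record's age.
    """
    keep, purge, undocumented = [], [], []
    for rec in records:
        if rec.category not in policy:
            undocumented.append(rec)
            continue
        days, _reason = policy[rec.category]
        if now - rec.collected_at > timedelta(days=days):
            purge.append(rec)
        else:
            keep.append(rec)
    return keep, purge, undocumented


def sale_findings(flows: List[DataFlow], policy_says_no_sale: bool = True):
    """Return (flow, reasons) pairs that contradict the stated privacy policy.

    A transfer for value that the consumer did not direct is a sale, so it
    contradicts a "we do not sell driving data" statement. Separately, any
    recipient not named at the point of collection is flagged, because a
    generic "we may share with partners" line is not specific consent.
    """
    findings = []
    for flow in flows:
        reasons = []
        if policy_says_no_sale and flow.for_value and not flow.consumer_directed:
            reasons.append("sale contradicts 'we do not sell' policy statement")
        if not flow.named_at_collection:
            reasons.append("recipient not disclosed at point of collection")
        if reasons:
            findings.append((flow, tuple(reasons)))
    return findings


# Constructed sample inventory (not real OnStar data).
NOW = datetime(2026, 5, 12, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    TelemetryRecord("r1", "gps_trace",        NOW - timedelta(days=10),  "vin-h1"),
    TelemetryRecord("r2", "gps_trace",        NOW - timedelta(days=400), "vin-h1"),
    TelemetryRecord("r3", "hard_brake_event", NOW - timedelta(days=45),  "vin-h2"),
    TelemetryRecord("r4", "hard_brake_event", NOW - timedelta(days=100), "vin-h2"),
    TelemetryRecord("r5", "trip_summary",     NOW - timedelta(days=200), "vin-h3"),
    TelemetryRecord("r6", "cabin_audio",      NOW - timedelta(days=1),   "vin-h3"),
]
SAMPLE_FLOWS = [
    DataFlow("gps_trace", "broker-A (constructed)", True,  False, False),
    DataFlow("trip_summary", "insurer chosen by driver", True, True, True),
    DataFlow("hard_brake_event", "analytics processor", False, False, False),
]

if __name__ == "__main__":
    keep, purge, undoc = retention_findings(SAMPLE_RECORDS, NOW)
    print(f"keep={len(keep)} purge={len(purge)} undocumented={len(undoc)}")
    for flow, reasons in sale_findings(SAMPLE_FLOWS):
        print(flow.category, "->", flow.recipient, ":", "; ".join(reasons))
```

Run against the constructed inventory, the retention check keeps three records, marks two for purge (a 400-day GPS trace and a 100-day braking event) and flags the `cabin_audio` record as retained with no rationale; the flow check flags the broker transfer on both counts and the analytics processor for non-disclosure, while the consumer-directed insurer transfer passes. The useful design point is that the rationale lives next to the number in the policy table, so the audit output doubles as the documentation the order requires.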
For everyone else, the takeaway is simpler. The car was logging more than you thought, the maker was selling it to companies you have never heard of, and California just announced that it is now an enforceable problem. The same mechanism is sitting inside your inbox, your phone, and probably your thermostat. The legal floor just moved.
Sources
- Attorney General Bonta press release — California Department of Justice
- GM just paid a record penalty for breaking California privacy law — CalMatters
- California authorities announce largest CCPA fine to date — IAPP
- GM agrees to $12.75M California settlement over sale of drivers' data — BleepingComputer