Jun 14, 2026 · 6 min read
GM's $12.75M Fine: OnStar Sold Your Driving Data to Insurers
General Motors collected GPS coordinates, braking patterns, and acceleration data through OnStar — and sold it to LexisNexis and Verisk without telling drivers. California's $12.75 million settlement is the largest CCPA fine ever imposed, and it exposes a purpose-limitation problem that runs across the entire connected-device industry.
California Attorney General Rob Bonta announced on June 9, 2026 that General Motors had agreed to pay $12.75 million to settle a California Consumer Privacy Act investigation — the largest CCPA civil penalty in the law's history. The investigation found that GM collected precise driving data from vehicles equipped with OnStar and sold that data to LexisNexis Risk Solutions and Verisk Analytics, two of the largest insurance data brokers in the United States, without obtaining the specific, informed consent the CCPA requires. The data was then used by insurers to adjust policyholders' rates without their knowledge.
Key Takeaways
- California fined GM $12.75 million — the largest CCPA penalty ever — for selling OnStar driving data to insurance data brokers LexisNexis and Verisk.
- The data included GPS location history, hard-braking events, rapid acceleration, and speed-over-limit incidents collected from 2020 through 2024, during which GM earned approximately $20 million from data sales.
- Drivers enrolled in OnStar were not informed that their behavioral driving data would be shared with insurers; the CCPA violation was a failure of purpose limitation, not of data security.
- LexisNexis and Verisk sold derived "driver risk scores" to auto insurers, who used them to raise premiums — in some cases for drivers who had never filed a claim.
- The settlement does not include private damages; affected drivers who saw rate increases based on OnStar data are not automatically compensated.
What Did OnStar Actually Collect?
OnStar is GM's in-vehicle connected services platform, active in tens of millions of vehicles sold since the late 1990s. Its primary marketed functions include emergency response, roadside assistance, stolen vehicle assistance, and turn-by-turn navigation. To perform those functions, OnStar maintains a persistent cellular connection and logs the vehicle's GPS position, speed, and sensor data.
The data GM sold to LexisNexis and Verisk went beyond coarse location. According to the AG's complaint, the dataset included timestamped GPS coordinates at high frequency, hard-braking events (sudden deceleration above a defined threshold), rapid acceleration events, speeding incidents quantified by how far above the posted limit the vehicle was traveling, and trip-level patterns — time of day, distance, frequency of use. This is behavioral driving data specific enough to reconstruct individual trips and generate a risk profile far more granular than anything a driver self-reports on an insurance application.
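To make concrete how raw telematics samples turn into the derived events the complaint lists, here is an added example (not code from the article, GM, LexisNexis or Verisk): it takes a constructed 1 Hz trace of timestamped GPS position, speed and matched posted limit, derives hard-braking, rapid-acceleration and speed-over-limit events, reconstructs the trip's endpoints and length, and collapses the events into a toy risk score. The thresholds, weights, and the assumption that a posted limit is available per sample are illustrative choices, not the brokers' actual parameters.

```python
"""Derive behavioral driving events from a raw telematics trace.

Illustrative only: thresholds and weights are assumptions, not the actual
parameters used by GM, LexisNexis or Verisk.
"""
from dataclasses import dataclass
from math import atan2, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

MPS_PER_MPH = 0.44704
EARTH_RADIUS_M = 6_371_000.0

# Assumed thresholds (hypothetical; the article gives none).
HARD_BRAKE_MPS2 = -3.0      # deceleration at or below this is a hard-brake event
RAPID_ACCEL_MPS2 = 3.0      # acceleration at or above this is a rapid-acceleration event
SPEEDING_MARGIN_MPH = 10    # this far over the posted limit counts as a speeding event
EVENT_WEIGHTS = {"hard_brake": 3, "rapid_accel": 2, "speeding": 1}  # toy scoring weights


@dataclass(frozen=True)
class Sample:
    t: float          # seconds since trip start
    lat: float
    lon: float
    speed_mph: float
    limit_mph: int    # posted limit for the matched road segment (assumed available)


Event = Tuple[str, float, float]  # (kind, time, magnitude)


def _haversine_m(a: Sample, b: Sample) -> float:
    """Great-circle distance in metres between two samples."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * atan2(sqrt(h), sqrt(1 - h))


def derive_events(samples: List[Sample]) -> List[Event]:
    """Turn raw (time, speed, limit) samples into the event types the article lists."""
    events: List[Event] = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        if dt <= 0:
            # Duplicate or out-of-order timestamp: no acceleration can be derived.
            continue
        accel = (cur.speed_mph - prev.speed_mph) * MPS_PER_MPH / dt  # m/s^2
        if accel <= HARD_BRAKE_MPS2:
            events.append(("hard_brake", cur.t, round(accel, 2)))
        elif accel >= RAPID_ACCEL_MPS2:
            events.append(("rapid_accel", cur.t, round(accel, 2)))
    for s in samples:
        over = s.speed_mph - s.limit_mph
        if over >= SPEEDING_MARGIN_MPH:
            events.append(("speeding", s.t, float(over)))  # magnitude = mph over the limit
    return sorted(events, key=lambda e: e[1])  # stable sort keeps insertion order per timestamp


def trip_summary(samples: List[Sample]) -> Dict[str, float]:
    """Reconstruct the trip: where it started and ended, how long and how far."""
    dist = sum(_haversine_m(a, b) for a, b in zip(samples, samples[1:]))
    return {
        "start_lat": samples[0].lat, "start_lon": samples[0].lon,
        "end_lat": samples[-1].lat, "end_lon": samples[-1].lon,
        "duration_s": samples[-1].t - samples[0].t,
        "distance_m": round(dist, 1),
    }


def risk_profile(events: List[Event]) -> Dict[str, int]:
    """Count events by kind and collapse them into a single toy risk score."""
    counts = {kind: 0 for kind in EVENT_WEIGHTS}
    for kind, _, _ in events:
        counts[kind] += 1
    counts["score"] = sum(EVENT_WEIGHTS[k] * counts[k] for k in EVENT_WEIGHTS)
    return counts


# Constructed 1 Hz trace: pull-away, speeding past a 25 mph limit, hard stop,
# with one duplicated record at t=8.0 to exercise the dt <= 0 guard.
TRACE = [
    Sample(0.0, 37.7749, -122.4194, 0, 25),
    Sample(1.0, 37.7750, -122.4194, 8, 25),
    Sample(2.0, 37.7751, -122.4194, 14, 25),
    Sample(3.0, 37.7752, -122.4194, 20, 25),
    Sample(4.0, 37.7753, -122.4194, 25, 25),
    Sample(5.0, 37.7754, -122.4194, 38, 25),
    Sample(6.0, 37.7755, -122.4194, 40, 25),
    Sample(7.0, 37.7756, -122.4194, 30, 25),
    Sample(8.0, 37.7757, -122.4194, 22, 25),
    Sample(8.0, 37.7757, -122.4194, 22, 25),
    Sample(9.0, 37.7758, -122.4194, 20, 25),
]

if __name__ == "__main__":
    ev = derive_events(TRACE)
    for kind, t, mag in ev:
        print(f"t={t:4.1f}s  {kind:12s} {mag:+.2f}")
    print(trip_summary(TRACE))
    print(risk_profile(ev))
```

The point of the example is the ratio of input to output: eleven position/speed samples yield a start point, an end point, a distance, two hard-brake events, two rapid-acceleration events, two speeding events with the exact margin over the limit, and a single score an insurer can consume. Nothing in that pipeline requires the driver's name; the GPS endpoints alone are usually enough to tie a trip to a household.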
The data collection ran from approximately 2020 through 2024. During that period, GM earned roughly $20 million from data sales to the two brokers, a figure with its own significance in context: the penalty California imposed comes to less than two-thirds of what GM made from the sales, so the program was still profitable after the fine.
The CCPA Violation: Purpose Limitation
The core legal issue is not that GM collected driving data — OnStar's privacy disclosures mentioned data collection in broad terms. The violation is what GM did with that data after collection, and whether drivers were told it might happen.
The CCPA's purpose-limitation requirement is explicit: businesses cannot use personal information for a purpose "materially different" from the purpose for which it was collected without providing a new notice and obtaining fresh consent. Drivers who activated OnStar understood they were sharing location data for emergency response and navigation. They were not informed — and did not consent — to that same data being packaged and sold to insurance data brokers for risk scoring.
Attorney General Bonta framed the violation in terms that will be quoted in compliance training for years: "Companies can't just hold on to data and use it later for another purpose. That's not how privacy law works, and it's not how trust works." The quote articulates something regulators have been building toward since GDPR came into force in 2018: the moment of consent must match the moment of use. Data collected for one purpose does not carry unlimited license for future exploitation, regardless of what a terms-of-service document might claim.
How the Data Reached Insurers
LexisNexis Risk Solutions and Verisk Analytics are the two dominant players in the insurance data-broker market. Both companies operate products specifically designed to ingest telematics data — the industry term for sensor data collected from connected vehicles — and convert it into actuarial risk scores that insurers embed into their underwriting models.
LexisNexis's product is called LexisNexis Risk Solutions Telematics; Verisk operates the Verisk Insurance Solutions telematics analytics line. When GM sold the OnStar data, it fed into these pipelines. Insurers querying LexisNexis or Verisk for a policyholder's risk profile received a score derived in part from that driver's actual GPS and sensor history — without the driver being aware that OnStar data had traveled to their insurer.
The downstream consequence was premium increases. Consumer advocates documented cases in 2024 and 2025 in which drivers who had never filed a claim, never received a traffic citation, and explicitly declined telematics-based "usage-based insurance" programs saw unexplained rate hikes — hikes that investigations later linked to LexisNexis or Verisk scores informed by OnStar data. In some states, insurers are not required to disclose what data they used when adjusting a rate, which left affected drivers with no mechanism to identify or challenge the input.
Why the $12.75M Fine Is Significant
Before this settlement, the largest CCPA civil penalty was $1.2 million, assessed against Sephora in 2022 for selling personal data without disclosure. The GM penalty is not only larger in dollar terms — it represents a qualitative escalation in what California AG enforcement is targeting. Sephora involved behavioral data on a shopping platform. The GM case involves behavioral data tied to physical location and movement, sold to companies whose explicit business is risk classification with financial consequences for individuals.
The penalty structure matters too. The CCPA allows fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. With millions of affected vehicles and years of data sales, the $12.75 million figure represents a negotiated settlement, not the theoretical ceiling. California's AG did not seek the maximum — an aggressive enforcement posture would have produced a materially larger number.
For compliance officers at connected device companies — not only automotive manufacturers but any organization running hardware that collects behavioral or location data — the GM settlement establishes a clear enforcement benchmark: purpose limitation is enforced, secondary data sales require fresh consent, and the penalty for getting this wrong now runs to eight figures.
Implications Beyond Automotive
The GM case is an automotive enforcement action, but the legal principle it enforces applies identically to any product that collects behavioral data and later monetizes it in ways users did not specifically authorize. Fitness trackers, smart home devices, healthcare apps, and — directly relevant to this publication — email clients and marketing platforms all operate under the same CCPA framework.
Email tracking platforms collect behavioral data — open timestamps, link-click patterns, device type, approximate location — that users generate while reading messages. That data is used by the platform and sometimes shared with third parties. The CCPA purpose-limitation requirement applies: the user's implicit consent to receive an email is not consent to have their behavioral reading patterns aggregated, scored, and shared. California's enforcement posture in the GM case signals that regulators are prepared to treat this distinction as a matter of law, not interpretation.
The pattern of regulatory escalation is consistent with other enforcement actions this year. See also: Kaiser Permanente's tracking-pixel class action settlement and Coupang's €365 million GDPR fine — both cases from the same enforcement cycle where purpose limitation and data-sharing disclosures drove the penalty.
What Happens to Affected Drivers?
The $12.75 million goes to the California general fund, not to affected drivers. The AG's civil penalty action is distinct from private litigation: drivers whose insurance rates increased as a result of OnStar data sold to LexisNexis or Verisk are not automatically compensated under this settlement. Several private class-action suits are pending against GM, LexisNexis, and Verisk in federal and state courts; those cases are proceeding independently.
GM confirmed in a statement that it terminated the data-sharing programs with LexisNexis and Verisk in March 2024, following initial news coverage of the OnStar data sales. As part of the settlement, GM agreed to enhanced disclosures, revised consent mechanisms for any future telematics data programs, and compliance monitoring for three years. LexisNexis and Verisk, which were not parties to the AG settlement, face separate regulatory scrutiny over their roles as downstream recipients of the data.
Source: The Record: GM to pay $12.75 million in California privacy settlement over OnStar data; California AG press release, June 9, 2026.