GM Agrees to $12.75M California Driver Privacy Settlement

The Allegations Behind the GM Driver Privacy Settlement

California Attorney General Rob Bonta took a firm stance against General Motors in early 2025 when his office announced a major settlement over the automaker’s data-sharing practices. The GM driver privacy settlement stems from accusations that GM collected and sold the driving behavior of hundreds of thousands of Californians without their knowledge or consent. Bonta’s investigation revealed that GM had been sharing sensitive information through its OnStar telematics program with data brokers like Verisk Analytics and LexisNexis Risk Solutions.

The data in question included names, contact details, geolocation information, and detailed records of how people drove their vehicles. According to Bonta’s office, GM made approximately $20 million from these data sales. The company told customers that their driving data would remain private, yet behind the scenes, that same information flowed to third-party brokers who repackaged it for insurers and other clients.

How OnStar Became a Data Collection Pipeline

OnStar has been a staple feature in GM vehicles for decades. What started as a safety and navigation service gradually evolved into a sophisticated data collection system. Modern connected cars generate enormous amounts of information every time someone drives. Speed, braking patterns, acceleration habits, cornering behavior, and even the time of day someone drives all become data points.

GM’s Smart Driver program, which launched in 2023 and was discontinued in 2024, offered drivers feedback on their driving habits. Many participants believed they were signing up for a harmless scorecard that would help them drive more efficiently. The GM driver privacy settlement reveals that the data collected through this program had a second life. It went to data brokers who then made it available to insurance companies and other entities.

For a privacy-conscious driver, this scenario raises uncomfortable questions. Imagine receiving a letter from your insurance company informing you that your rates went up because of how you drive. You never authorized anyone to share that information. You never clicked a button that said "Yes, please sell my driving data to insurers." Yet it happened anyway. That is exactly the situation thousands of GM owners found themselves in.

The Three Data Brokers at the Center of the Settlement

The GM driver privacy settlement specifically names two data brokers that received GM customer data: Verisk Analytics and LexisNexis Risk Solutions. Both companies operate in the shadows of the data economy, collecting information from various sources and selling insights to businesses.

Verisk Analytics focuses heavily on risk assessment for the insurance industry. When an insurer wants to evaluate a potential customer, they often turn to companies like Verisk for data that helps them decide whether to offer coverage and at what price. LexisNexis Risk Solutions performs similar functions, compiling detailed profiles on individuals using data from multiple sources.

What makes this case particularly concerning is the nature of the data shared. Driving behavior data is deeply personal. It reveals where you go, when you go there, how fast you drive, whether you brake hard, and whether you take risks on the road. This information paints an intimate portrait of your daily life. Selling it without explicit consent violates not just trust but also California’s privacy laws.

Why California Drivers Were Protected From Rate Hikes

One unusual aspect of the GM driver privacy settlement is that California drivers did not actually see their insurance rates increase as a result of this data sharing. Bonta’s office noted that under California’s insurance laws, insurers are prohibited from using driving data to set insurance rates. This legal protection created a firewall that prevented the data from being used against consumers in the state.

However, drivers in other states may not have enjoyed the same protection. The New York Times reported in 2024 that customers across the country saw their insurance premiums rise after automakers shared their driving behavior with insurers. Some drivers reported rate increases of 20 percent or more, with no explanation from their insurance company about where the data came from.

This discrepancy between states highlights a fundamental problem with connected car privacy. Federal law has not kept pace with technology. Automakers collect data nationally, but the rules governing how that data can be used vary wildly from one state to another. A driver in California has legal protections that a driver in Texas or Florida may not have.

The $12.75 Million Penalty and What It Covers

As part of the GM driver privacy settlement, GM agreed to pay $12.75 million in civil penalties to the state of California. This sum reflects the severity of the violations but also raises questions about whether it is sufficient. GM made roughly $20 million from the data sales in question. The penalty essentially claws back the profit and adds a relatively modest fine on top.

Critics of the settlement argue that $12.75 million represents a small fraction of GM’s annual revenue, which exceeds $150 billion. For a company of that size, the penalty may feel more like a cost of doing business than a genuine deterrent. However, the non-monetary terms of the settlement carry significant weight and may have a more lasting impact on how GM handles customer data going forward.

The Five-Year Ban on Selling Driving Data

One of the most consequential terms of the GM driver privacy settlement is the five-year prohibition on selling driving data to consumer reporting agencies. This restriction applies specifically to data that could be used to evaluate a person’s creditworthiness, insurance risk, or eligibility for services. The ban gives consumers a five-year window during which their driving behavior cannot be monetized through these channels.

For GM, this represents a major shift in how it can leverage the data its vehicles collect. The company had built a revenue stream around selling this information. Now that stream has been shut off, at least temporarily. The ban also sends a signal to other automakers that similar practices may face regulatory scrutiny.

The five-year timeline is notable because it aligns with the pace of technological change in the automotive industry. By the time the ban expires, the landscape of connected car data may look completely different. New regulations may be in place. Consumer awareness may be higher. GM may have developed new privacy practices that make the ban irrelevant.

The 180-Day Data Deletion Requirement

The GM driver privacy settlement also requires GM to delete any driver data it still retains within 180 days, unless the company obtains explicit consent from customers to keep it. This provision addresses a common problem in the data economy: companies holding onto information indefinitely, even after the original purpose for collecting it has ended.

Data minimization is a core principle of California’s privacy law. The idea is simple: companies should not collect more data than they need, and they should not keep data longer than necessary. The settlement forces GM to apply this principle retroactively, scrubbing years of accumulated driving records from its systems.

Additionally, GM must request that Verisk Analytics and LexisNexis Risk Solutions delete the data they received. This requirement acknowledges that once data leaves a company’s control, it does not simply disappear. The brokers must be compelled to wipe their records as well. Whether those requests will be fully honored remains to be seen, but the settlement gives consumers a stronger legal basis to demand deletion.

The Previous FTC Settlement With GM

The GM driver privacy settlement is not the first time GM has faced consequences for its data practices. The company previously settled with the Federal Trade Commission over similar allegations. That settlement resulted in a final order banning GM and OnStar from selling certain types of data to consumer reporting agencies.

The FTC order covered some of the same ground as the California settlement but did not go as far. It restricted future data sales but did not require the deletion of already-collected data. It also did not impose monetary penalties. The California settlement fills those gaps, adding financial consequences and a data deletion mandate.

Together, these two settlements paint a picture of an automaker that repeatedly crossed the line between acceptable data use and privacy violation. The pattern suggests that internal safeguards were insufficient and that regulatory pressure was necessary to force change.

What the Smart Driver Product Was and Why It Mattered

GM’s Smart Driver program launched in 2023 as a way to give drivers feedback on their performance behind the wheel. The program scored drivers on factors like hard braking, rapid acceleration, and speeding. Participants could see their scores in the myChevrolet, myBuick, myGMC, and myCadillac mobile apps.

On the surface, Smart Driver appeared to be a benign tool for self-improvement. Many drivers signed up thinking they were simply getting tips to drive more efficiently. The GM driver privacy settlement reveals that the data collected through this program had a different destination. It flowed to data brokers who then sold access to insurance companies.

GM discontinued Smart Driver in 2024, around the same time that news reports began exposing the data-sharing pipeline. The company told Reuters that the settlement addresses Smart Driver specifically and reinforces steps the company has taken to strengthen its privacy practices. For consumers who participated in the program, the damage was already done. Their driving data had been collected, shared, and potentially used against them.

How Other States Compare on Driving Data Privacy

The GM driver privacy settlement highlights the uneven patchwork of privacy protections across the United States. California has some of the strongest privacy laws in the country, including the California Consumer Privacy Act and the California Privacy Rights Act. These laws give residents the right to know what data companies collect about them, the right to delete that data, and the right to opt out of its sale.

Other states have weaker protections or none at all. Only a handful of states have comprehensive privacy laws that cover connected car data. In states without such laws, automakers and data brokers face fewer restrictions on how they collect, share, and monetize driving behavior information.

This disparity creates a situation where your privacy rights depend on where you live. A driver in California can invoke legal protections that a driver in Alabama or Missouri cannot. The same vehicle, the same data collection system, and the same data brokers treat consumers differently based on their zip code.

Federal legislation could solve this problem by establishing a national standard for connected car privacy. Several bills have been proposed in Congress, but none have advanced far enough to become law. Until that changes, state-level enforcement actions like the GM driver privacy settlement will remain the primary tool for holding automakers accountable.

Practical Steps to Protect Your Connected Car Privacy

For anyone who owns a connected vehicle, the GM driver privacy settlement serves as a wake-up call. Automakers collect vast amounts of data, and that data may be shared in ways you never expected. The good news is that you can take steps to protect yourself.

Review Your Vehicle’s Privacy Settings

Most modern cars have a privacy settings menu somewhere in the infotainment system. Look for options related to data collection, data sharing, and connected services. You may find toggles that let you limit what information the vehicle transmits to the manufacturer. Some automakers make these settings easy to find. Others bury them deep in the menu system. Take the time to explore every screen.

Opt Out of Telematics Programs

Programs like GM’s Smart Driver are optional, but many drivers enroll without fully understanding what they are agreeing to. If your vehicle has a similar program, check whether you are enrolled and opt out if you do not want your driving behavior tracked. You can usually do this through the manufacturer’s mobile app or by contacting customer support.

Understand What Your Owner’s Manual Says About Data

Vehicle owner’s manuals increasingly include sections about data collection and privacy. These sections are often written in dense legal language, but they contain important information about what data your car collects and how it is used. Read this section carefully. If anything is unclear, contact the manufacturer and ask for clarification.

Limit Connected Services You Do Not Need

Many connected car features require data collection to function. Navigation services need your location. Remote start features need to know where your car is parked. If you do not use a particular connected service, consider disabling it. Every active service is a potential data collection point.

Check Your Insurance Policy for Data Sharing Clauses

Some insurance companies offer discounts for drivers who agree to share their driving data. These programs are usually opt-in, but the fine print may contain surprises. Review your insurance policy to see whether it includes any provisions related to driving data. If you are unsure, call your agent and ask directly.

Use a Privacy-Focused Approach When Buying a New Car

If you are shopping for a new vehicle, consider asking about data practices before you buy. Some automakers have stronger privacy policies than others. Ask the sales representative what data the vehicle collects, how it is used, and whether it is shared with third parties. If the salesperson cannot answer these questions, ask to speak with someone who can.

The Bigger Picture of Connected Car Privacy

The GM driver privacy settlement is one case among many that illustrate the growing tension between connected car technology and consumer privacy. Automakers have discovered that data is valuable. Every mile driven generates information that can be sold, analyzed, and repurposed. The business model of the modern auto industry increasingly depends on data revenue.

Consumers, meanwhile, are often unaware that their vehicles are collecting and sharing this information. The privacy policies that govern connected car data are long, complex, and written in language that most people do not read. Even when they do read them, the policies often contain broad language that allows for data sharing in ways consumers would not expect.

Regulators are beginning to catch up. The California Attorney General’s office has made connected car privacy a priority. The FTC has taken action against multiple automakers. State legislatures are introducing bills that would regulate how vehicle data can be collected and used. But the pace of regulation lags behind the pace of technology.

What Automakers Can Learn From This Settlement

For automakers across the industry, the GM driver privacy settlement offers several lessons. First, collecting data without meaningful consent is a legal risk. Customers must be told clearly what data is being collected and how it will be used. Burying these disclosures in dense privacy policies does not count as meaningful consent.

Second, selling customer data to third parties creates exposure. Once data leaves a company’s control, the company cannot guarantee how it will be used. Regulators hold the original collector responsible for what happens downstream. Automakers that sell data to brokers are taking on liability that can come back to haunt them.

Third, privacy promises matter. GM told customers that their driving data would not be shared. When that promise was broken, it became the centerpiece of the enforcement action. Companies that make privacy commitments must have systems in place to ensure those commitments are honored.

What Consumers Should Demand Going Forward

The GM driver privacy settlement gives consumers a stronger position to demand better privacy practices from automakers. If you own a connected vehicle, you have the right to know what data it collects and how that data is used. You have the right to opt out of data collection that is not necessary for the core functions of your vehicle. And you have the right to have your data deleted when you no longer want the manufacturer to hold it.

These rights exist under California law and under the laws of a growing number of other states. Even if your state does not have a comprehensive privacy law, you can still advocate for yourself by contacting the manufacturer and asking questions. The more consumers demand transparency, the more pressure automakers will feel to improve their practices.

The settlement also highlights the importance of data minimization. Companies should not collect data they do not need, and they should not keep data longer than necessary. Consumers can support this principle by choosing automakers that follow data minimization practices and by using the privacy settings available in their vehicles.

A Turning Point for Automotive Data Privacy

The GM driver privacy settlement marks a significant moment in the evolution of connected car privacy. It demonstrates that regulators are willing to take aggressive action against automakers that misuse customer data. It shows that even large companies with substantial resources can be held accountable for their data practices. And it gives consumers a concrete example of what happens when privacy promises are broken.

For GM, the settlement closes a chapter that began with well-intentioned programs like OnStar and Smart Driver but ended with allegations of deception and illegal data sales. The company has agreed to change its practices, pay a penalty, and delete data it should not have collected in the first place. Whether these changes will be enough to rebuild consumer trust remains an open question.

For the broader auto industry, the settlement serves as a warning. Every automaker that collects driving data is now on notice that regulators are watching. The days of collecting first and asking for permission later are coming to an end. Companies that want to avoid similar settlements must build privacy into their products from the start, not as an afterthought.

For consumers, the settlement is a reminder that privacy in the connected car era requires vigilance. Your vehicle is collecting data every time you drive. Understanding what happens to that data, and taking steps to control it, is essential to protecting your privacy in a world where cars are increasingly connected to the internet.