General Motors has agreed to pay $12.75 million to resolve allegations that it illegally sold the precise location and driving data of hundreds of thousands of California motorists to two data brokers, even as the automaker publicly assured customers it would not do so, California Attorney General Rob Bonta announced Friday.

The settlement, which is subject to court approval, includes civil penalties and imposes sweeping new restrictions on how the Detroit-based automaker can collect, use and share consumer driving data. It also bars GM from selling such information to any data broker for five years — a significant constraint on a revenue stream the company had quietly cultivated for years through its in-vehicle OnStar service.

“General Motors sold the data of California drivers without their knowledge or consent,” Bonta said in a statement. “This trove of information included precise and personal location data that could identify the everyday habits and movements of Californians.”

GM did not immediately respond to a request for comment.

Years of data sales

According to the complaint filed by the state, GM sold the names, contact information, geolocation data and driving-behavior data of hundreds of thousands of California drivers to Verisk Analytics and LexisNexis Risk Solutions between 2020 and 2024.

The company is alleged to have generated roughly $20 million from those transactions during that period — meaning Friday’s settlement amounts to more than half of the revenue investigators say GM took in from the practice.

The data was harvested through OnStar, GM’s long-running connected-vehicle subscription service marketed to customers as a safety and security feature offering automatic crash response, stolen-vehicle assistance and turn-by-turn navigation.

Investigators say the same technology was simultaneously feeding granular records of where drivers went, how fast they drove, how hard they braked and how often they accelerated to outside firms in the data-broker industry.

Bonta’s office argued that the practice violated California consumer-protection laws not only because customers had not meaningfully consented, but because GM had explicitly told them in its privacy policy that it would not sell driving or location data. The state contends the company handed that information to brokers anyway.

“Modern cars are rolling data-collection machines,” said San Francisco District Attorney Brooke Jenkins, one of several local prosecutors who joined the investigation. “Californians must have confidence that they know what data is being collected, how it is being used and what their opt-out rights are. Those duties fall on the automobile companies.”

What the data revealed

State officials emphasized that vehicle-location data is particularly sensitive because, when aggregated, it can paint an intimate portrait of a person’s life. Pinpoint coordinates collected over weeks or months can reveal where a driver lives, works, attends school, worships, seeks medical care or socializes — information that becomes effectively impossible for consumers to claw back once it enters the broker ecosystem and is resold to insurers, marketers, employers, lenders or government agencies.

That ecosystem has drawn growing scrutiny from state and federal regulators. Verisk and LexisNexis, the two brokers identified in the complaint, are major players in insurance analytics, packaging driver-behavior data into risk scores that auto insurers use to set premiums in many states.

Bonta said California drivers should not expect to see higher auto-insurance premiums as a direct result of GM’s sales, because California law already prohibits insurers from using driving-behavior data to set rates. He stressed, however, that the financial protection in California does not absolve the automaker. The core harm, he said, was that GM misled customers about what was happening with their information.

Origins of the investigation

California began examining GM and other automakers in 2023, with the attorney general’s office working alongside several district attorneys and the California Privacy Protection Agency, the state body created to enforce the California Consumer Privacy Act and its successor, the California Privacy Rights Act.

The inquiry intensified after a 2024 New York Times investigation found that GM and other carmakers had been quietly forwarding granular driving-behavior data to insurers through intermediaries, in some cases resulting in higher premiums for consumers who said they had no idea their cars were tracking them in such detail.

The reporting prompted GM to announce later that year that it would stop sharing data with the insurance-industry-linked broker Verisk and would wind down certain telematics-sharing programs.

Friday’s settlement formalizes those changes for California drivers and goes further. In addition to the civil penalty and the five-year ban on selling driving data to brokers, the agreement places limits on GM’s collection and use of consumer driving data overall, the attorney general’s office said.

A broader reckoning

The action against GM is part of a wider regulatory push to rein in the auto industry’s data practices. Connected vehicles routinely collect hundreds of data points per drive, ranging from GPS coordinates and speed to seatbelt use, infotainment activity and even biometric inputs from driver-monitoring cameras.

Privacy advocates have long argued that the consent flows offered to car buyers — typically buried in lengthy terms-of-service documents signed at the dealership or accepted on a touchscreen — fall short of what the law requires.

Federal regulators have also signaled interest. The Federal Trade Commission has opened separate inquiries into automaker data-sharing, and members of Congress have called for stricter limits on how vehicle telematics can be monetized. Several states, including New York and Texas, have launched their own probes.

For consumers, advocates say the GM case underscores how difficult it can be to know what a car is doing with the data it collects. Even drivers who never enroll in a usage-based insurance program may have data passing through their vehicles’ connected services, and opt-out tools are often hard to find or incomplete.

“Once the precise location of a vehicle is revealed, all sorts of sensitive information can be gleaned,” Bonta said.

The settlement still requires approval from a California court. If approved, it will rank among the largest state enforcement actions to date targeting an automaker over connected-car data, and is likely to serve as a template for similar cases pending elsewhere.