General Motors (GM) has agreed to pay $12.75 million to settle a lawsuit in California alleging it sold the personal and driving data of OnStar subscribers without proper disclosure or consent.
OnStar is GM’s subscription-based offering for in-vehicle safety.
The lawsuit was filed by the California Attorney General and district attorneys representing Los Angeles, Napa, San Francisco and Sonoma counties, with support from the California Privacy Protection Agency.
Authorities alleged that between 2016 and 2024, GM collected data related to drivers and vehicles from hundreds of thousands of California OnStar subscribers.
The information allegedly included names, phone numbers, home addresses, vehicle speeds, rapid acceleration and harsh braking, along with GPS location data showing where customers were driving and parking.
Los Angeles County District Attorney Nathan Hochman said: “This settlement makes clear that auto companies cannot secretly accelerate your personal data for profit.
“Consumers have a fundamental privacy right to control their personal information, and this right doesn’t end at the door of a car. We thank the California Attorney General, the California Privacy Protection Agency, and our associate district attorneys for holding companies doing business in California accountable.”
According to the complaint, GM had told subscribers that their data would only support OnStar services, including emergency response, navigation and driver training.
The company also allegedly stated that it did not sell driving or location information, the press release added.
However, as of 2020, GM allegedly sold the data to LexisNexis Risk Solutions and Verisk Analytics without sufficiently disclosing the practice or allowing customers to opt out.
The lawsuit claims GM generated about $20 million nationwide from the data sales deal.
Under the proposed settlement, which still requires court approval, GM will pay $12.75 million in civil penalties and take several corrective actions affecting OnStar customers in California.
The agreement includes a five-year ban on selling driving data to consumer reporting agencies, including LexisNexis and Verisk.
GM must also delete retained driving data within 180 days, except where limited internal uses apply and consumers have provided express consent.
Additionally, the company must ask LexisNexis and Verisk to delete all driving data they possess.
The agreement also requires GM to establish a privacy program aimed at identifying, reducing and documenting risks linked to OnStar’s data collection practices and ensuring compliance with the California Consumer Privacy Act.