GM Secretly Sold California Drivers' Data, Agrees to Pay $12.75M In Privacy Settlement (ca.gov)
"General Motors sold the data of California drivers without their knowledge or consent," says California's attorney general, "and despite numerous statements reassuring drivers that it would not do so."
In 2024, The New York Times "reported that automakers including GM were sharing information about their customers' driving behavior with insurance companies," remembers TechCrunch, "and that some customers were concerned that their insurance rates had gone up as a result."
Now General Motors "has reached a privacy-related settlement with a group of law enforcement agencies led by California Attorney General Rob Bonta..." The settlement announcement from Bonta's office similarly alleges that GM sold "the names, contact information, geolocation data, and driving behavior data of hundreds of thousands of Californians" to Verisk Analytics and LexisNexis Risk Solutions, which are both data brokers. Bonta's office further alleges that this data was collected through GM's OnStar program, and that the company made roughly $20 million from data sales.
However, Bonta's office also said the data did not lead to increased insurance prices in California, "likely because under California's insurance laws, insurers are prohibited from using driving data to set insurance rates." As part of the settlement, GM has agreed to pay $12.75 million in civil penalties and to stop selling driving data to any consumer reporting agencies for five years, Bonta's office said. GM has also agreed to delete any driver data that it still retains within 180 days (unless it obtains consent from customers), and to request that Lexis and Verisk delete that data.
"This trove of information included precise and personal location data that could identify the everyday habits and movements of Californians," according to the attorney general's announcement. The settlement "requires General Motors to abandon these illegal practices, and underscores the importance of the data minimization in California's privacy law — companies can't just hold on to data and use it later for another purpose."
"Modern cars are rolling data collection machines," said San Francisco District Attorney Brooke Jenkins. "Californians must have confidence that they know what data is being collected, how it is being used, and what their opt-out rights are... This case sends a strong message that law enforcement will take action when California privacy laws are not scrupulously followed."
MBA strikes again (Score:3)
Re:MBA strikes again (Score:5, Insightful)
....the company made roughly $20 million from data sales.
Which means that the fine must be more than $20 Million, otherwise, what's the point?
Spend 12, make 20. Sounds like a good deal that will be repeated in the future.
Re: (Score:3)
$12.75M plus legal expenses plus future lawsuits by GM vehicle owners and other states.
Re: (Score:2)
GM could argue that that language in the EULA/TOS/lease includes wording that allows for collecting and selling that information... do the newer vehicles have a built-in cell connection for the GPS to use or do you always have to pair your phone with the infotainment system so it has data?
Same thing with cell phones, and OS installations... there's always language in there that allows for the _potential_ collection of data and selling that data to whoever.
Re: (Score:3)
A fine paid by the business will not change behaviour of managers -- who just profited (got bigger bonuses) from this. The decision makers need life changing fines or prison time. Managers in other companies will see this, decide that they do not want the same and so behave.
Re: (Score:1)
Re: (Score:2)
We are missing a HUGE point. It is illegal for insurance companies to use this data to adjust their pricing.
So why would the insurance companies be buying this data?
Time to start investigations on when they received the data and when their customers started receiving increases in insurance rates.
Operating Expenses (Score:3)
GM has agreed to pay $12.75 million in civil penalties
That is called a transaction fee. Is this intended to be a deterrent, or just a concern that the government isn't getting their cut?
Re: (Score:2)
That is called a transaction fee. Is this intended to be a deterrent, or just a concern that the government isn't getting their cut?
You've both asked, and answered, your own question.
Re: (Score:2)
the company made roughly $20 million from data sales
GM has agreed to pay $12.75 million in civil penalties
That is called a transaction fee. Is this intended to be a deterrent, or just a concern that the government isn't getting their cut?
The fine was 63%, which would be a pretty stiff "transaction" fee. That said, the fine should be more than what GM earned to be a real deterrent/penalty, though I don't know what GM also paid in legal fees defending themselves...
Re: (Score:2)
This
Very odd... (Score:2)
So, we're expected to believe the insurance companies were paying GM twenty million for that data out of simple curiosity?
If they were simply doing aggregate metrics, the data wouldn't have involved the drivers' names. That's a thing one should definitely not be including when one has already been telling the victims it won't be shared.
It seems more to me like the data brokers were interested in paying GM a bit of money because to the data broker it "would be cool" if their customers could literally purcha
Hey GM (Score:1)
Hey GM, fuck you and the rolling data collection machine you rode in on.
Why so little? (Score:5, Insightful)
Re: (Score:2)
They get a slap on the wrist with a soggy bus ticket and get told in effect "Don't get caught again"
Not rich, on the other hand, pirate one music track and it's easily 1000 times what its retail price is
Justice may be blind, but it's taking kickbacks....
Because Donald Trump is president (Score:3, Insightful)
Basically right now and for the foreseeable future it is open season on consumers. Keep an eye on any elderly relatives you have that you care enough about to potentially be forced to bail out.
Re: (Score:2)
And I am not so sure the US deserves saving either.
So they made a profit? (Score:4, Insightful)
So let me get this straight. They sold data they shouldn't have for $20 million. They settled for $12.75 million. So they made a profit of $7.25 million. So what exactly is the incentive for them not to do this again? They don't make as much as they want if they get caught, but they still make money. This is how you encourage companies to do this, not discourage them.
Re: (Score:2)
They can continue to do what they like so long as it's kept a better secret.
It's grossly unfair to punish rich people and corporations.
Re: (Score:2)
I'll assume (probably incorrectly) that the $20M was for total sales across all states. Fines aren't enough. The people running these companies need to be held accountable... and that ain't happening.
Soo, does my Chevy contain spyware? (Score:3)
Re:Soo, does my Chevy contain spyware? (Score:4, Interesting)
If you have one that has cellular connectivity and an infotainment system, especially EVs, the only way that I have found is to track down the telematics module for your car and locate the antenna connector and put a resistor on it to disable it completely. Just disconnecting the shark fin is not enough since the wire itself or even just the connector can function enough that it can still get signal through when it is in areas with very strong signal. But then you use something like a mobile 4G/5G hotspot with true firewall capability and connect the car to that through its ability to use external Wi-Fi. Then you block access to GM and OnStar sites while still letting things like Google Maps through for nav so that you don't brick your entire infotainment system. This is what I do on both of my GM EVs.
Every new car has it... (Score:2)
You can find a remote telematics/data collection module and remove cell modem. This is A LOT of work as these modules tend to be deep in the dash. You can dis
Security (Score:4, Interesting)
When are people going to insist that cars are owned by the owner? Security should have no component of trust. Locking out a manufacturer from a connected thing should be something that is enshrined by law. Zero trust is the gold standard worldwide and there should be no trust involved. If something is connected, the owner should be able to force verify what is being sent over that connection and should be able to do it in a way that does not tip off the device that it is being watched that would allow it to change behavior. Manufacturers are not trustworthy and never will be and the owners should always have the ability to lock them out unless there is a documented need for them to communicate with the vehicle. And that means without bricking things like navigation, EV charger finding etc. In other words, the connectivity should be 100% in control of the owner of the device up to and including the law enforced ability to load owner certs on the device and inspect all traffic in and out and block any traffic that does not work in the owner's interest. For EVs especially, these things are connected to the grid for God's sake... WHY are the owners not allowed to sandbox these things and only allow them to be communicated with (other than nav or audio video streaming) when there is no documented need for it to happen? Leaving them permanently open to the internet is patently ridiculous from a security perspective. And trusting the manufacturers to do the right thing is just as ridiculous from the privacy side. Trust is not a security or privacy model. Owners should have the ability to ENFORCE it.
On Star Phone Home (Score:2)
Re: (Score:2)
In my younger and more foolish days I had a Pontiac and I opted out with wire cutters to the Surveillance module's power cables.
At the time I was actually more concerned with remote unlock hijacking than tracking but still I didn't trust GM.
All together now: WE TOLD YOU SO.
If I had to guess 20 years later doing that would disable the ECU.
Re: (Score:2)
THIS is why anybody with any brains would NEVER EVER buy a new car with this bullshit in it. I'm 76 and my car is a 13 year old 2013 and I'll keep it running till I shuffle off mortality. Even if I had Musk's wealth, I'd STILL never buy one of these rolling tattle-tales...
That's great and all (Score:2)
So they made 20 million dollars (Score:3)
And got fined about 12 million dollars.
That is nice.
Good drivers subsidizing bad drivers (Score:2)
I gather the intent of the privacy law is to make sure that bad drivers are subsidized by good drivers. After all, you shouldn't have to pay higher insurance rates just because you're a road hazard... I guess...
Thank goodness ... (Score:2)
Pfffft... (Score:2)
Wake me up when the penalty gets into the mid hundreds-of-millions. Until then it's just a cost-of-business that already appeared - probably at well over 12 million bucks - as a line item in a budget which existed long before the penalty was assessed.
Such fines are mere theatre. It's a show that keeps the rubes entertained, while simultaneously distracting them from the financial and privacy-oriented ass raping inflicted on them daily with the tacit assent of their government and regulatory agencies.
More pe
We need a clearinghouse for disabling car modems (Score:2)
Some intrepid soul would be forever thanked if they hosted a site (offshore, safe from DMCA takedowns) with user-contributed instructions on how to remove or disable the cellular modem on popular car models.
If they want my data, they need to pay for it. By, for example, making the car free or steeply discounted. Until then, fuck off.
The obvious is missing from this conversation (Score:2)
disgorgement & liability (Score:2)
GM needs to be made to disgorge every dime they made selling that data.
They need to disclose who purchased the data and what the price was.
Every victim of this privacy violation needs legal recourse and class action seems like it would be best for the masses.
Anyone who can show significant harm should aggressively pursue all parties involved.
The only way this behavior will stop is when engaging in it brings bitter pain.
Stern words for mass privacy invasion (Score:2)
I owned one Chevy (Score:2)
Let's show them (Score:1)