Key Takeaways
- California officials obtained a proposed $12.75 million settlement with General Motors (GM), the largest CCPA fine ever issued.
- Officials allege that GM sold the names, contact information, geolocation, and driving behavior data to two data brokers without proper notice or approval.
- This settlement follows the eighth enforcement action under the CCPA and California’s first data minimization enforcement action.
- As a result, GM must implement and sustain a privacy program and delete all collected data.
What Happened
In 2023, California Attorney General Rob Bonta, along with the California Privacy Protection Agency (“CalPrivacy”) and local district attorneys, reached a $12.75 million CCPA settlement with General Motors (GM) for the unlawful distribution of Californians’ driving and location data.
From 2020 to 2024, GM sold the names, contact information, geolocation, and driving behavior data of hundreds of thousands of Californians to two data brokers (Verisk Analytics, Inc. and LexisNexis Risk Solutions). An investigation revealed that drivers’ data was collected and sold without proper notice or authorization. Instead, consumers were misinformed about how their data was used: GM told them it was used to provide OnStar subscribers with requested services. Additionally, GM’s privacy policy stated that it does not sell driving or location data.
This case represents the largest CCPA settlement to date and is the eighth enforcement action regarding California’s data minimization requirements. Violations involving the sale of gathered data to insurance entities for rate-setting purposes also raise consumer privacy concerns.
Privacy and Governance Concerns
The New York Times reported that automakers, including GM, were selling Californians’ driving and location data to data brokers and insurance companies, which resulted in hidden premiums for unsuspecting consumers. GM’s OnStar Smart Driver program collected private vehicle data, including behaviors like hard braking, speeding, distance traveled, and the duration of driving. The data collected in this case reveals highly sensitive information about individuals’ daily lives, such as where one may live, work, and travel, as well as specific trip details.
Collecting sensitive data raises surveillance and profiling concerns, particularly when the data is used for more purposes than were disclosed to individuals. According to the lawsuit, GM allegedly retained Californians’ driving and location data long after it was used to operate OnStar and subsequently shared it with data brokers.
The lawsuit claims that GM violated the CCPA’s purpose limitation and data minimization requirements, which were added in 2023. The outcome of this settlement represents the eighth enforcement action under the CCPA and, due to the severity of the alleged violations, the CCPA’s largest fine to date.
Why It Matters / Policy Considerations
Mandatory disclosure of data-gathering methods would promote transparency and accountability to consumers. It would also prompt organizations like GM to advise customers on how their data is collected, shared, and used while providing clear opt-in and opt-out choices for data-sharing activities. Other oversight mechanisms appropriate for this issue include risk assessments, specifically those involving the CCPA; data processing agreements between organizations and third parties; and stronger consent and privacy notices.
Following the settlement, the FTC has imposed safeguards that will ban GM’s OnStar program from disclosing consumers’ geolocation and driver behavior data for five years. In addition, GM has been directed to implement stricter transparency and choice for customers concerning data that is collected and shared.



