The settlement, pending court approval, requires GM to cease selling driving data to consumer reporting agencies for five years, delete retained driving data within 180 days absent express customer consent, and request deletion from LexisNexis and Verisk. GM must also strengthen its privacy program. The company generated approximately $20 million in revenue from these data sales nationwide during the period under investigation.
California regulators determined that GM misled consumers by suggesting OnStar data would be used solely to deliver the requested service, while internally requiring clearer disclosure about data sharing practices. The state has characterized this as its largest California Consumer Privacy Act penalty to date and its first data minimization enforcement action, establishing precedent for how privacy law applies to connected vehicles and telematics. Attorneys tracking automotive liability, insurance regulation, and state privacy enforcement should monitor the settlement's final approval and its implications for how automakers must handle driver data going forward.