
General Motors will pay $12.75 million to resolve a civil lawsuit alleging that from 2020 to 2024, the company unlawfully sold hundreds of thousands of OnStar subscribers’ personal information and driving data to third-party data brokers in violation of California’s privacy, false advertising and unfair competition laws, officials announced Friday.
The lawsuit, filed by the California Attorney General and the District Attorneys of Los Angeles, Napa, San Francisco and Sonoma counties with support from the California Privacy Protection Agency, alleges that from 2016 to 2024, General Motors collected and kept driver- and driving-related data from hundreds of thousands of Californians who had subscribed to OnStar, a vehicle connectivity service offered by General Motors.
The data included names, phone numbers, home addresses, speeds, rapid acceleration and hard braking, as well as the GPS location of where OnStar subscribers drove and parked their vehicles.
“This settlement makes clear that car companies cannot secretly speed off with your personal data for profit,” Los Angeles County District Attorney Nathan J. Hochman said in a statement. “Consumers have a fundamental privacy right to control their personal information, and this right does not stop at a car door. We appreciate the California Attorney General, the California Privacy Protection Agency and our partner District Attorneys for holding companies who do business in California accountable.”
General Motors allegedly affirmatively told OnStar subscribers that it did not sell any driving or location data and that their data would only be used for OnStar services, like summoning an ambulance, providing driving directions or improving driver skills.
In 2020, GM allegedly began selling this data to two data brokers, LexisNexis Risk Solutions and Verisk Analytics, Inc., deceiving consumers by not adequately disclosing that such data would be sold to third parties and not providing an opportunity to opt out of the information sharing, Hochman said.
General Motors reportedly earned about $20 million nationwide from these data sales.
“Your data isn’t free, and no one has the right to sell it without your consent,” Hochman said. “I encourage California consumers to read the fine print and exercise your right to stop companies from collecting, sharing or selling your data.”
Under the settlement, subject to court approval, General Motors must pay civil penalties totaling $12.75 million.
According to the settlement, with respect to California OnStar customers, General Motors must:
- Stop selling driving data to any consumer reporting agencies for five years, including to data brokers like Lexis and Verisk
- Delete any driving data retained by the company within 180 days, except for certain limited internal uses, absent affirmative, express consent from consumers
- Request Lexis and Verisk delete driving data
- Develop and maintain a robust privacy program that is required to assess, mitigate and document the risks of collecting data through OnStar and ensure that General Motors complies with the California Consumer Privacy Act
- Report its privacy assessments to the California Department of Justice, the California Privacy Protection Agency and the district attorneys’ offices of Los Angeles, Napa, San Francisco and Sonoma counties
