GM’s $12.75M California Fine Is a Data-Minimization Test — Sale vs. Consent, Retention vs. Deletion
California regulators have fined General Motors $12.75 million and imposed strict controls after finding the company sold OnStar driving data without consent. The settlement — the state’s first major enforcement action explicitly aimed at data-minimization failures by an automaker — requires deletion deadlines, a five-year sales ban to certain buyers, and ongoing compliance reporting.
How the state framed the risk and what was sold
The investigation, led by Attorney General Rob Bonta, the California Privacy Protection Agency (CPPA) and county prosecutors including Los Angeles County District Attorney Nathan Hochman, concluded GM sold names, contact details, precise location pings and driving-behavior metrics (speed, braking) from OnStar subscribers between 2020 and 2024. Regulators said those sales to LexisNexis Risk Solutions and Verisk Analytics generated about $20 million nationwide and contradicted GM’s customer assurances that the data would be used only for OnStar services.
This action is not a routine privacy penalty: California flagged data-minimization and consent failures — how long data was kept and whether customers agreed to sales — rather than only poor notice or disclosure. The state tied the case to a 2023 New York Times report and to the discovery of location data appearing in an individual consumer report, which triggered the probe and differentiated it from broader, less specific privacy fines.
What GM must do now — settlement terms at a glance
The settlement imposes immediate and time-bound obligations that go beyond a financial penalty: a five-year ban on selling driving data to consumer reporting agencies, an obligation to delete retained driving data within 180 days unless a consumer gives explicit consent, and a requirement that LexisNexis and Verisk delete previously acquired data on demand. GM also agreed to implement a privacy program with regular assessments submitted to California regulators.
| Requirement | Details / Timeline |
|---|---|
| Monetary penalty | $12.75 million (largest CCPA fine to date) |
| Ban on sales | No sales of driving data to consumer reporting agencies/data brokers for five years |
| Deletion mandate | Delete retained driving data within 180 days unless consumers consent; require brokers to delete previously acquired data |
| Compliance program | Implement privacy program focused on data minimization and regular risk assessments with reporting to CPPA |
How regulators and third parties will verify compliance
California has built verification hooks into the settlement: GM must produce regular assessments and allow state review, and regulators will expect evidence that brokers such as LexisNexis and Verisk actually removed the data they acquired. The CPPA’s reporting requirements create recurring checkpoints rather than a one-time audit, making future compliance measurable on a schedule rather than open-ended.
Another verification channel is the state’s Delete Request and Opt-out Platform (DROP), which lets residents request deletion from hundreds of registered data brokers; DROP will be an operational test of whether broker deletions are executed and tracked. The settlement’s lifespan and the 180-day deletion clock give regulators clear deadlines to check for proof of deletion, contractual amendments with brokers, and technical changes that prevent future unauthorized exports.
What drivers, insurers and automakers should change operationally
For Californians the immediate consumer implication is practical: California law already bars insurers from using driving-behavior data to set rates, so the settlement is unlikely to have produced direct premium hikes locally, but it does offer a new enforcement route to remove sensitive movement and behavior records. Drivers should consider using DROP to find and remove records, and should check OnStar account settings for any consent toggles tied to discontinued products such as OnStar Smart Driver, which GM said was related to the settlement.
For automakers and fleet operators the settlement crystallizes three operational thresholds: (1) default collection and retention policies must align with data-minimization principles; (2) contracts with data brokers must include deletion and audit clauses that survive acquisitions; (3) compliance programs must be able to produce periodic assessments to regulators. Companies that export telematics or location feeds should assume regulators will expect demonstrable, time-stamped evidence of deletion and of consumer consent if retention extends beyond 180 days.
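As an added illustration, not GM’s system and not anything described in the settlement, the following Python sketch shows how a telematics operator might enforce the 180-day rule operationally: records older than the window are deleted unless explicit consent is on file, and each deletion is written to a hash-chained evidence log that an auditor can recompute. The record shape, field names and sample data are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 180          # deletion deadline taken from the settlement terms
GENESIS = "0" * 64            # chain anchor for an empty evidence log
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample run

@dataclass
class DrivingRecord:           # hypothetical telematics record shape (assumption)
    vehicle_id: str
    collected_at: datetime
    explicit_consent: bool     # consumer opted in to retention past the deadline

def _entry_hash(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def enforce_retention(records, now, prev_hash=GENESIS):
    """Drop records past the window unless consent is recorded; return (kept, evidence, head_hash)."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    kept, evidence = [], []
    for r in records:
        if r.collected_at >= cutoff or r.explicit_consent:
            kept.append(r)
            continue
        body = {"action": "deleted", "vehicle_id": r.vehicle_id,
                "collected_at": r.collected_at.isoformat(),
                "deleted_at": now.isoformat(),
                "reason": "retention_exceeded_no_consent", "prev_hash": prev_hash}
        prev_hash = _entry_hash(body)           # each entry commits to its predecessor
        evidence.append({**body, "entry_hash": prev_hash})
    return kept, evidence, prev_hash

def verify_ledger(evidence, genesis=GENESIS) -> bool:
    """Recompute the chain; any edited or removed entry breaks it."""
    prev = genesis
    for e in evidence:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if body["prev_hash"] != prev or _entry_hash(body) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

def sample_records(now):
    """Constructed sample data: two stale records (one consented) and one fresh one."""
    stale = now - timedelta(days=RETENTION_DAYS + 20)
    return [DrivingRecord("VIN-A", stale, False),
            DrivingRecord("VIN-B", stale, True),
            DrivingRecord("VIN-C", now - timedelta(days=10), False)]
```

Running `enforce_retention(sample_records(NOW), NOW)` deletes only VIN-A and leaves one verifiable ledger entry; the head hash can be handed to a regulator as the time-stamped proof of deletion the passage describes.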
Short Q&A
Will Californians see insurance increases because of these sales? No—California law prohibits insurers from using driving data to set rates, and regulators noted that restriction when assessing impact.
What happens to data already bought by brokers? The settlement requires GM to demand deletion from LexisNexis and Verisk and to verify that deletion; brokers are on the hook to comply or face further scrutiny.
When must GM finish deleting retained data? The deadline in the settlement is 180 days after the agreement unless individual consumers explicitly consent to continued retention.