GM Settles Lawsuit in California Over Improper Sale of Driving Data
General Motors (GM) has agreed to a $12.75 million settlement with the state of California over the unauthorized sale of customer driving data. The sale of data is prohibited for five years.
GM Settles Driving Data Lawsuit in California for $12.75 Million
General Motors (GM) has settled a lawsuit led by the California Attorney General regarding the unauthorized sale of customer driving data. The settlement amount totals $12.75 million (approximately ¥1.9 billion), and GM has been barred from selling driving data to consumer reporting agencies for the next five years.
Origins of the Issue in 2024 Reports
The controversy came to light in 2024 following investigative reporting by The New York Times. The report revealed that GM had sold driving data collected through its onboard telematics service, OnStar, to data brokers Verisk Analytics and LexisNexis Risk Solutions. These brokers reportedly resold the data to auto insurance companies for potential use in risk assessments, which could lead to increased insurance premiums for customers.
However, California law prohibits insurance companies from using driving data for such purposes, suggesting that consumers in the state were likely spared from direct insurance premium hikes in this case.
Key Elements of the Settlement
The lawsuit argued that GM’s sale of personal information—including names, contact details, location data, and driving behavior—without explicit customer consent constituted a violation of privacy.
Under the settlement agreement, GM is required to delete all driving data within 180 days, except for “specific limited internal uses.” This deletion is mandatory unless explicit consent has been obtained from the customer. Additionally, GM must implement a privacy program to assess risks associated with data collection via OnStar and report its findings to the Department of Justice and other relevant authorities.
In a statement, California Attorney General Rob Bonta said, “This settlement compels General Motors to cease such illegal practices and underscores the importance of data minimization under California’s privacy laws. Companies cannot simply retain data for later use for unrelated purposes.”
Challenges in Data Privacy for Automakers
This case underscores the transformation of modern vehicles from mere transportation tools to mobile data-collection devices. With advancements in autonomous driving and connected cars, the value of data related to driving behavior, location, and vehicle conditions has increased exponentially.
However, there remains a fundamental issue regarding consumer understanding and control over how this data is collected, shared, and used. The GM case is a prime example of how a lack of transparency and consent can lead to legal repercussions.
Moving forward, other automakers will likely face increased pressure to enhance transparency in their data collection and utilization policies, as well as to improve processes for obtaining clear and informed consent from consumers.
Frequently Asked Questions
- What specific data did GM sell?
- According to documents related to the settlement, GM sold data that included names, contact information, geographic location data, and driving behavior (such as frequency of sudden acceleration or braking). The core issue was the sale of this data to brokers without explicit customer consent.
- Will GM vehicle owners affected by this settlement receive compensation?
- The settlement primarily involves civil penalties paid to the state of California and does not include direct financial compensation for individual consumers. Those seeking compensation may need to pursue separate class-action lawsuits, as this settlement does not cover individual claims.
- Are connected cars sold in Japan collecting similar data?
- Many connected cars sold in Japan do collect vehicle and driving data through telematics services. However, the scope of data collection, its usage, and whether it is shared with third parties depend on the privacy policies of individual automakers and service providers. Under Japan's Personal Information Protection Act, companies are required to notify or disclose the purpose of data use and respond to requests from individuals to stop the use of their data. Consumers are advised to review each company's policies and make necessary adjustments, such as opting out, to safeguard their privacy.
Comments