GM's $12.75M CCPA Fine: Record Penalty for Selling Driver Data
California AG secured a record $12.75M CCPA fine against GM for selling driving data to brokers. The settlement bans GM from selling driving data for 5 years. But GM made $20M nationwide.
The settlement

On May 8, 2026, California Attorney General Rob Bonta announced a $12.75 million settlement with General Motors over the company's practice of selling driving data collected through its OnStar connected-vehicle service to data brokers. The settlement is the largest CCPA penalty in history — surpassing the previous record by a wide margin.

The specific allegations: GM collected location data and driving behavior data (speed, acceleration, braking, mileage) from hundreds of thousands of Californians through its OnStar Smart Driver feature, then sold that data to data brokers LexisNexis and Verisk. Those brokers intended to resell the data to insurance companies for rate-setting purposes.

Why this matters more than the numbers suggest

The headline penalty is $12.75M. The context is more telling:

GM made approximately $20 million nationwide from its driving data sales to brokers
Only California received compensation under this settlement (the CCPA only covers state residents)
The settlement bans GM from selling driving data for 5 years — but only for California residents
GM must delete existing data within 180 days — but again, only for California

For everyone else: GM can keep selling.

The data minimization precedent

This is the first CCPA enforcement action to focus specifically on data minimization — the principle that companies should not collect more data than they need for the service provided.

The California AG's office argued that GM collected driving behavior data through a program marketed as a "driving improvement" feature, but the primary economic value of the data was not improving driving — it was selling the data to insurance companies. This gap between what the feature claimed to do and what it actually did was central to the CCPA violation.

The insurance angle

An important detail that received less coverage: California law already prevents insurers from using driving data to raise premiums (Proposition 103, 1988). In other states, insurance companies have been quietly using this data to increase rates, in many cases without the policyholder knowing.

The data flow works like this:

GM collects your driving data through OnStar (you opted in via a vague consent screen)
GM sells the data to LexisNexis and Verisk (you were not notified)
LexisNexis sells the data to insurance companies (you were not asked)
The insurance company adjusts your rates based on your driving data (you find out when your premium changes)

Most drivers never connected the data collection consent to a subsequent rate increase.

What you can do

Check whether OnStar Smart Driver is enabled on your GM vehicle. The feature is opt-in, but the setup screens are designed to encourage enrollment without explaining the data sales.
File a CCPA deletion request with LexisNexis and Verisk if you live in California. Out-of-state residents may have fewer options, but the data broker opt-out process still works for some categories.
Check your insurance premium history against any OnStar enrollment dates. If your rates went up after enrollment, the causal chain is worth documenting.
Contact your state attorney general and ask about car data privacy enforcement. State AGs outside California have been largely absent on this issue.

The GM settlement is a record. It is also a reminder that the CCPA's enforcement structure — state AG action only, no private right of action for data sales — means most companies will treat compliance as a cost of doing business until the penalties exceed the revenue from data sales.