Your car has been reporting on you
General Motors made $20 million selling detailed surveillance data from millions of OnStar subscribers to insurance industry data brokers between 2016 and 2024, then agreed this month to pay California $12.75 million to settle the resulting privacy investigation, a discount that reveals how profitable illegal data sales remain even after enforcement. The settlement, announced May 8 by California Attorney General Rob Bonta, exposes the connected-vehicle data supply chain that turns cars into tracking devices and drivers into products.
GM collected names, phone numbers, home addresses, and GPS coordinates of everywhere OnStar subscribers drove and parked. The company tracked speeds, rapid acceleration, braking patterns, seat belt usage, nighttime driving activity, and trip duration, then sold this catalog to LexisNexis Risk Solutions and Verisk Analytics, two data brokers that package driver behavior for insurance companies. Customers who thought they were buying roadside assistance and emergency services got continuous surveillance instead.
The Smart Driver product that wasn't smart for drivers
The data collection happened through what GM called its "Smart Driver" product, which the company discontinued in 2024 after media investigations forced the scheme into public view. OnStar, GM's subscription service that provides directions and emergency assistance, became the vehicle for extraction. From 2016 through 2024, the system logged granular behavioral data and funneled it to brokers whose business model depends on scoring drivers for insurance risk.
California drivers avoided the worst consequences by accident of geography. State insurance law prohibits insurers from using driving behavior data to set rates, so California OnStar subscribers didn't experience premium increases even though their data was sold, according to Attorney General Bonta. But GM's data sales were nationwide. In the 49 states without California's protections, that same information fed algorithms that could raise premiums, deny coverage, or create permanent records of trips to medical clinics, protests, or any other destination a driver might prefer to keep private.
The Federal Trade Commission called GM's behavior an "egregious betrayal of consumers' trust" when it announced in January 2025 that GM and OnStar had agreed not to disclose or sell sensitive vehicle geolocation and driver behavior data for five years. The California settlement adds a parallel five-year ban on selling personal data to data brokers, plus a compliance program and mandatory reporting to state authorities.
Enforcement that followed journalism, not violations
The timeline reveals reactive rather than proactive oversight. GM's data sales ran for eight years before consequences arrived. A 2024 New York Times investigation reported that automakers were sharing detailed vehicle information with data brokers. That same year, media reports suggested the practice was widespread across the industry. California's Privacy Protection Agency had announced investigations into connected vehicle privacy practices in 2023, but enforcement came only after public exposure.
The settlement terms show what should have been standard practice all along. GM must delete retained driving data within 180 days unless consumers explicitly authorize retention. The company must ask LexisNexis and Verisk to delete previously received data. California OnStar customers must be able to disable location-based collection features remotely. GM must provide clearer privacy notices during enrollment and obtain separate permission for different categories of data collection and disclosure.
These mandates exist because GM failed to obtain proper consent in the first place. The company made reassuring statements to drivers that it would not sell their data while doing exactly that, according to California authorities. The consent fiction, burying data practices in terms-of-service documents while marketing the product as helpful driver assistance, turned a safety feature into a surveillance pipeline.
When the largest penalty is still a bargain
California officials called the $12.75 million penalty the largest under the state's Consumer Privacy Act and the first data minimization enforcement case. But the math tells a different story about deterrence. GM made approximately $20 million nationwide from the data sales, meaning the company netted roughly $7.25 million even after California's "historic" fine. The settlement covers only California violations; GM's profit from the other 49 states remains untouched by this enforcement action.
The five-year ban on data broker sales functions as an implicit admission that the practice will be tempting again once the prohibition expires. GM discontinued Smart Driver in 2024, but the connected-vehicle infrastructure that made the surveillance possible remains in every OnStar-equipped car. The settlement restricts GM's use of consumer driving data compiled about OnStar subscribers, but it doesn't dismantle the technical capability to collect that data.
Multiple California district attorneys collaborated on the settlement alongside the Attorney General and the California Privacy Protection Agency, suggesting either coordinated enforcement or overlapping jurisdiction that required negotiation. The settlement remains subject to court approval, though such approval is typically routine in negotiated agreements between state authorities and corporate defendants.
The GM case exposes a broader pattern in connected-device economics. When products offer digital services, whether cars, fitness trackers, or smart home devices, the service often serves as cover for data extraction. The device owner becomes the product, and the actual customer is whoever buys access to the behavioral data. GM's scheme worked for eight years because most drivers had no visibility into what happened after their car transmitted data to OnStar servers. The company counted on that opacity, and the bet paid off even after enforcement arrived.