GM Settles California Probe Over OnStar Data Sales – Key Questions Answered

General Motors has agreed to pay $12.75 million to resolve a California investigation into allegations that the automaker illegally sold the location and driving data of OnStar subscribers to third-party brokers. The settlement, announced in early 2025, highlights growing concerns over automotive data privacy. Below, we break down the key details of the case, the data involved, and what it means for consumers.

What led to the California investigation against GM?

The California Attorney General’s office launched an investigation after receiving allegations that GM’s OnStar connected-services unit was collecting and selling subscribers’ precise location and driving behavior data without proper consent. Investigators found that GM had agreements with data brokers who then repackaged and sold this information to insurers, marketers, and other entities. California’s privacy laws, including the California Consumer Privacy Act (CCPA), require clear disclosure and opt-in consent before selling such sensitive data. The probe focused on whether GM violated those requirements by not adequately informing OnStar users about the commercial use of their driving data.

GM Settles California Probe Over OnStar Data Sales – Key Questions Answered

What specific data did GM allegedly sell from OnStar subscribers?

According to the investigation, GM allegedly collected and sold two main categories of data: location data (real-time and historical GPS coordinates of each vehicle) and driving behavior data (such as speed, acceleration, braking patterns, and mileage). This information was gathered through the OnStar telematics system installed in millions of GM vehicles. The data was sent to brokers who aggregated it with other datasets to create detailed profiles of individual drivers. In some cases, the brokers then sold access to insurers who used it to adjust premiums, or to advertisers for targeted location-based marketing. The investigation determined that GM did not obtain explicit, informed consent from subscribers before sharing this personal information.

How much did GM agree to pay to settle the investigation?

GM agreed to pay $12.75 million to resolve the California investigation. The payment covers civil penalties and costs associated with the probe. However, the settlement does not include an admission of wrongdoing by GM; the company denies the allegations but chose to settle to avoid prolonged litigation. The funds will be distributed to the California Department of Justice and other state agencies to support consumer privacy enforcement. This amount is relatively modest compared to GM’s annual revenue, but the case sets an important precedent for automakers regarding data collection and sharing practices.

To whom did GM allegedly sell the driving data?

The state alleged that GM sold the OnStar data to data brokers, who then resold it to various industries. Among the buyers were auto insurance companies, which used the driving behavior data to assess risk and adjust premiums, sometimes without the driver’s knowledge. Other purchasers included marketing firms seeking to target ads based on location, and even parking enforcement companies. The brokers acted as intermediaries, often anonymizing the data but still allowing re-identification through cross-referencing. This practice raised serious privacy concerns, especially since OnStar subscribers were not clearly told that their data would be sold to third parties for purposes unrelated to the vehicle’s operation or safety.

What are the potential privacy implications for OnStar subscribers?

For OnStar subscribers, the unauthorized sale of location and driving data can have significant privacy implications. Precise location data can reveal home addresses, work routines, medical visits, and other sensitive activities. Driving behavior data can indicate aggressive driving, late-night trips, or even potential health issues (e.g., erratic braking). When insurers obtain this data, they may raise premiums or deny coverage based on behaviors the driver did not knowingly share. Additionally, the data could be used in legal proceedings, such as divorce cases or traffic disputes. The settlement underscores the importance of transparency and consent in connected-car ecosystems. Subscribers should review their OnStar privacy settings and understand what data is being collected.

How did California regulators uncover this violation?

California’s investigation was triggered by a combination of consumer complaints, whistleblower reports, and media investigations. Several drivers reported receiving insurance rate increases or marketing calls shortly after using OnStar features, which prompted them to file complaints with the California Attorney General’s office. Meanwhile, journalists from outlets like Reuters and The New York Times uncovered documents showing GM’s data-sharing agreements with brokers. The state’s privacy enforcement unit then subpoenaed GM and the brokers, obtaining contracts and data flow records. These records revealed that GM had classified the data sales as “anonymized” but that re-identification was possible, violating the CCPA’s requirement for opt-in consent before selling personal information.

What steps will GM take to prevent future data sales?

As part of the settlement, GM agreed to several corrective actions. First, the company will enhance its privacy disclosures to OnStar subscribers, clearly explaining what data is collected and how it may be used or sold. Second, GM will implement a technical mechanism to allow subscribers to opt out of data sharing at any time, both through the vehicle’s dashboard and the OnStar mobile app. Third, the automaker will conduct annual audits of its data-sharing partners to ensure compliance with California privacy laws. Fourth, GM will report to the California Attorney General each year for three years, detailing all data sales and any consumer complaints. These measures aim to restore trust and prevent similar violations.

What does this settlement mean for other automakers?

The GM settlement sends a strong signal to all automakers with connected vehicles: data privacy is a regulatory priority. Other manufacturers like Ford, Toyota, and Tesla also collect similar telematics data and may face increased scrutiny. The case clarifies that selling individually identifiable location or driving data without explicit, informed consent violates California law (and potentially other state laws). Automakers are now likely to review their own data-sharing agreements and improve user disclosures. Some may choose to stop selling driving data altogether to avoid legal risk. The settlement may also encourage more consumer class-action lawsuits if similar practices are uncovered. Ultimately, it pushes the industry toward more transparent and ethical data practices.

Tags: