GM Settles $12.75 M for Illegal Sale of California Drivers’ Location Data
What Happened – California regulators fined General Motors $12.75 million after uncovering that its OnStar “Smart Driver” system collected precise driving and location data from California residents and sold it to the data brokers Verisk Analytics and LexisNexis Risk Solutions between 2020 and 2024, in violation of the California Consumer Privacy Act (CCPA).
Why It Matters for TPRM –
- Demonstrates that vehicle‑telemetry platforms can become vectors for unlawful data commercialization.
- Highlights regulatory risk for third‑party data‑sharing arrangements, especially when consent and data‑minimization controls are weak.
- Sets a precedent for hefty civil penalties and mandatory remediation actions that can affect supply‑chain contracts.
Who Is Affected – Automotive manufacturers, telematics service providers, data‑broker intermediaries, insurers that rely on driver‑scoring data, and any downstream vendors that ingest GM‑derived datasets.
Recommended Actions –
- Review contracts with automotive OEMs and telematics vendors for CCPA‑compliant data‑handling clauses.
- Verify that any third‑party data you receive from vehicle‑derived sources includes documented consumer consent and retention limits.
- Conduct a privacy‑impact assessment (PIA) on any driver‑behavior analytics you ingest or store.
Technical Notes – The violation stemmed from systematic collection of GPS‑level location and driving‑behavior metrics via OnStar, followed by bulk transfer to external brokers without explicit consumer consent. No technical exploit was involved; the risk was procedural and governance‑related.
Source: BleepingComputer