GM Settles $12.75 M California CCPA Violation Over Unauthorized OnStar Driving‑Data Collection and Sale
What Happened — General Motors was found to have collected precise location and driving‑behavior data from its OnStar service, stored it without explicit consumer consent, and sold the dataset to the data‑broker firms Verisk and LexisNexis. California regulators imposed a $12.75 million civil penalty, ordered a five‑year halt to any further data sales, and required GM to delete the retained data after 180 days unless consumers opt in.
Why It Matters for TPRM —
- Demonstrates the financial and reputational risk of non‑compliant telematics data practices.
- Highlights third‑party supply‑chain exposure when vendors share consumer data with brokers.
- Sets a precedent for large CCPA‑style penalties that can affect any organization handling connected‑device data.
Who Is Affected — automotive OEMs, connected‑car service providers, telematics platform vendors, data‑broker intermediaries, and the millions of drivers whose location and behavior data were harvested.
Recommended Actions — review all vendor contracts for explicit consent clauses, audit telematics data‑collection pipelines for privacy‑by‑design controls, verify that third‑party brokers adhere to CCPA‑equivalent standards, and implement robust data‑retention and deletion policies.
Technical Notes — The breach stemmed from a misconfiguration of privacy controls and the absence of a consent‑capture mechanism within the OnStar platform. Data types included precise GPS coordinates, speed, acceleration, driver identifiers, and contact information. No software vulnerability (CVE) was disclosed. Source: The Record