GM Secretly Sold California Drivers' Data, Agrees to Pay $12.75M In Privacy Settlement (ca.gov)
- Reference: 0183175428
- News link: https://yro.slashdot.org/story/26/05/10/1833256/gm-secretly-sold-california-drivers-data-agrees-to-pay-1275m-in-privacy-settlement
- Source link: https://oag.ca.gov/news/press-releases/when-it-comes-data-privacy-consumers-must-be-driver%E2%80%99s-seat-attorney-general
In 2024, The New York Times "[2]reported that automakers including GM were sharing information about their customers' driving behavior with insurance companies," [3]remembers TechCrunch, "and that some customers were concerned that their insurance rates had gone up as a result."
Now General Motors "has reached a privacy-related settlement with a group of law enforcement agencies led by California Attorney General Rob Bonta..."
> The [4]settlement announcement from Bonta's office similarly alleges that GM sold "the names, contact information, geolocation data, and driving behavior data of hundreds of thousands of Californians" to Verisk Analytics and LexisNexis Risk Solutions, which are both data brokers. Bonta's office further alleges that this data was collected through GM's OnStar program, and that the company made roughly $20 million from data sales.
>
> However, Bonta's office also said the data did not lead to increased insurance prices in California, "likely because under California's insurance laws, insurers are prohibited from using driving data to set insurance rates." As part of the settlement, GM has agreed to pay $12.75 million in civil penalties and to stop selling driving data to any consumer reporting agencies for five years, Bonta's office said. GM has also agreed to delete any driver data that it still retains within 180 days (unless it obtains consent from customers), and to request that Lexis and Verisk delete that data.
"This trove of information included precise and personal location data that could identify the everyday habits and movements of Californians," according to [5]the attorney general's announcement. The settlement "requires General Motors to abandon these illegal practices, and underscores the importance of the data minimization in California's privacy law — companies can't just hold on to data and use it later for another purpose."
"Modern cars are rolling data collection machines," said San Francisco District Attorney Brooke Jenkins. "Californians must have confidence that they know what data is being collected, how it is being used, and what their opt-out rights are... This case sends a strong message that law enforcement will take action when California privacy laws are not scrupulously followed."
[1] https://oag.ca.gov/news/press-releases/when-it-comes-data-privacy-consumers-must-be-driver%E2%80%99s-seat-attorney-general
[2] https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html
[3] https://techcrunch.com/2026/05/09/gm-agrees-to-pay-12-75m-in-california-driver-privacy-settlement/
[4] https://oag.ca.gov/news/press-releases/when-it-comes-data-privacy-consumers-must-be-driver%E2%80%99s-seat-attorney-general
[5] https://oag.ca.gov/news/press-releases/when-it-comes-data-privacy-consumers-must-be-driver%E2%80%99s-seat-attorney-general
Operating Expenses (Score:2)
> the company made roughly $20 million from data sales
> GM has agreed to pay $12.75 million in civil penalties
That is called a transaction fee. Is this intended to be a deterrent, or just a concern that the government isn't getting their cut?
Re: (Score:2)
> That is called a transaction fee. Is this intended to be a deterrent, or just a concern that the government isn't getting their cut?
You've both asked, and answered, your own question.
Re: (Score:2)
> the company made roughly $20 million from data sales
> GM has agreed to pay $12.75 million in civil penalties
> That is called a transaction fee. Is this intended to be a deterrent, or just a concern that the government isn't getting their cut?
The fine was 63%, which would be a pretty stiff "transaction" fee. That said, the fine should be more than what GM earned to be a real deterrent/penalty, though I don't know what GM also paid in legal fees defending themselves...
Re: (Score:2)
This
Very odd... (Score:2)
So, we're expected to believe the insurance companies were paying GM twenty million for that data out of simple curiosity?
If they were simply doing aggregate metrics, the data wouldn't have involved the drivers' names. That's a thing one should definitely not be including when one has already been telling the victims it won't be shared.
It seems more to me like the data brokers were interested in paying GM a bit of money because to the data broker it "would be cool" if their customers could literally purcha
Hey GM (Score:1)
Hey GM, fuck you and the rolling data collection machine you rode in on.
Why so little? (Score:5, Insightful)
If they made $20 mil, a multiple of the profit, and not a percentage, would be more appropriate.
Re: (Score:2)
Different rules for rich people.
They get a slap on the wrist with a soggy bus ticket and get told in effect "Don't get caught again."
The not rich, on the other hand, pirate one music track and it's easily 1000 times what its retail price is.
Justice may be blind, but it's taking kickbacks....
So they made a profit? (Score:3)
So let me get this straight. They sold data they shouldn't have for $20 million. They settled for $12.75 million. So they made a profit of $7.25 million. So what exactly is the incentive for them not to do this again? They don't make as much as they want if they get caught, but they still make money. This is how you encourage companies to do this, not discourage them.
Re: (Score:2)
It was a "Don't get caught again" warning, not a "Don't do it" disincentive.
They can continue to do what they like so long as it's kept a better secret.
It's grossly unfair to punish rich people and corporations.
/S
Soo, does my Chevy contain spyware? (Score:3)
If it does, how can I disable or remove it?
Re: (Score:3)
If you have one that has cellular connectivity and an infotainment system, especially EVs, the only way that I have found is to track down the telematics module for your car and locate the antenna connector and put a resistor on it to disable it completely. Just disconnecting the shark fin is not enough since the wire itself or even just the connector can function enough that it can still get signal through when it is in areas with very strong signal. But then you use something like a mobile 4G/5G hotspot
Security (Score:3)
When are people going to insist that cars are owned by the owner? Security should have no component of trust. Locking out a manufacturer from a connected thing should be something that is enshrined by law. Zero trust is the gold standard worldwide and there should be no trust involved. If something is connected, the owner should be able to force verify what is being sent over that connection and should be able to do it in a way that does not tip off the device that it is being watched that would allow it to change behavior. Manufacturers are not trustworthy and never will be and the owners should always have the ability to lock them out unless there is a documented need for them to communicate with the vehicle. And that means without bricking things like navigation, EV charger finding etc. In other words, the connectivity should be 100% in control of the owner of the device up to and including the law enforced ability to load owner certs on the device and inspect all traffic in and out and block any traffic that does not work in the owner's interest. For EVs especially, these things are connected to the grid for God's sake... WHY are the owners not allowed to sandbox these things and only allow them to be communicated with (other than nav or audio video streaming) when there is no documented need for it to happen? Leaving them permanently open to the internet is patently ridiculous from a security perspective. And trusting the manufacturers to do the right thing is just as ridiculous from the privacy side. Trust is not a security or privacy model. Owners should have the ability to ENFORCE it.
On Star Phone Home (Score:2)
It phones home, even with no subscription, unless you specifically opt out. How many drivers realize that?
That's great and all (Score:2)
The California DMV makes millions every year selling data we have no option to withhold as a taxpayer or licensed driver. Where's the legislation and my check for that?
So they made 20 million dollars (Score:2)
And got fined about 12 million dollars.
That is nice.
MBA strikes again (Score:2)
One more example to throw on the pile where a manager saw dollar signs and said, "Fk them customers." I think it's reasonable to assume companies will act in the worst possible way - even if they make claims to the contrary - until proven otherwise.
Re:MBA strikes again (Score:4, Insightful)
> ....the company made roughly $20 million from data sales.
Which means that the fine must be more than $20 Million, otherwise, what's the point?
Spend 12, make 20. Sounds like a good deal that will be repeated in the future.
Re: (Score:2)
$12.75M plus legal expenses plus future lawsuits by GM vehicle owners and other states.
Re: (Score:2)
GM could argue that the language in the EULA/TOS/lease includes wording that allows for collecting and selling that information... do the newer vehicles have a built-in cell connection for the GPS to use or do you always have to pair your phone with the infotainment system so it has data?
Same thing with cell phones, and OS installations... there's always language in there that allows for the _potential_ collection of data and selling that data to whoever.