GM Settles for $12.75M Over Unauthorized Driver Data Sales
- [01] General Motors faces a $12.75 million settlement for selling driver telematics data to insurance brokers without proper consumer consent or disclosure.
- [02] Affected systems include OnStar-equipped General Motors vehicles manufactured between 2015 and 2024 that collected driving behavior data.
- [03] Organizations must audit data-sharing agreements and ensure clear consumer opt-in mechanisms for telematics collection to maintain privacy compliance.
Overview of the GM Driver Data Privacy Settlement
General Motors (GM) has agreed to a proposed $12.75 million settlement with the California Attorney General’s office following allegations of extensive privacy violations. According to Bleeping Computer, the settlement addresses claims that the automotive giant collected and sold sensitive driver telematics data to third-party insurance brokers without obtaining meaningful consent from vehicle owners. This conduct was found to be in direct violation of the California Consumer Privacy Act (CCPA), which mandates transparency and consumer control over personal information.
Between 2015 and 2024, GM utilized its OnStar “Smart Driver” program to monitor driving behaviors such as hard braking, rapid acceleration, and speed. While this feature was presented as a tool for drivers to monitor their own performance, the investigation revealed that the data was subsequently sold to brokers including LexisNexis Risk Solutions and Verisk Analytics. These brokers then integrated the telemetry into reports used by insurance companies to adjust premiums, often leading to unexpected rate hikes for consumers.
Technical Analysis of Telematics Data Collection
The technical mechanism behind this data collection involves the vehicle’s integrated OnStar module, which serves as a gateway for telecommunications and telemetry. In modern connected vehicles, this module captures high-frequency data from the Controller Area Network (CAN) bus. This data includes GPS coordinates, odometer readings, and specific inertial measurements. While this incident is not a result of an exploited CVE, it demonstrates how legitimate data collection pipelines can be weaponized against user privacy when oversight is lacking.
In the context of the GM driver data privacy settlement, the failure was not in the encryption or transmission of the data, but in the governance of the data lifecycle. The datasets provided to brokers were highly granular, allowing for a detailed reconstruction of a driver’s daily routines and risk profile. For security professionals, this is a privacy failure analogous to a supply chain attack, in which the manufacturer itself is the source of the unauthorized data egress.
California Consumer Privacy Act Telematics Compliance
Maintaining California Consumer Privacy Act telematics compliance requires more than just a checkbox on a user agreement. The California AG’s investigation highlighted that GM failed to provide clear, conspicuous notices about the sale of data. The CCPA requires that businesses provide a “Do Not Sell My Personal Information” link and clear disclosures regarding the categories of third parties receiving the data.
Under the terms of the settlement, GM must perform several remedial actions:
- Cease the sale of driver telematics data to third-party brokers for insurance purposes.
- Implement a data deletion protocol for all previously collected data that was shared without consent.
- Provide clear disclosures for future data collection programs with explicit opt-in mechanisms.
- Conduct annual privacy impact assessments to ensure ongoing compliance.
Impact of Unauthorized Sharing of Vehicle Telematics Data
The unauthorized sharing of vehicle telematics data has broad implications for both consumer trust and corporate risk management. When sensitive behavioral data is transferred to third parties without a Zero Trust approach to data governance, the potential for misuse increases. Although the brokers involved used the data for insurance underwriting, the existence of such databases creates a significant target for threat actors. If these brokers were compromised, the detailed movement patterns of millions of individuals would be exposed.
Recommendations for Organizations
Security teams and SOC analysts within the automotive and IoT sectors should treat privacy compliance as a core component of their threat model. Organizations must ensure that any telemetry leaving the environment is strictly accounted for within SIEM logs and data loss prevention policies.
- Data Mapping: Conduct regular audits of all data pipelines to identify where sensitive telemetry is stored and with whom it is shared.
- Granular Consent: Move beyond blanket terms of service and implement granular, feature-specific consent forms that clearly state the intent of data collection.
- Vendor Risk Management: Assess the privacy practices of third-party data processors to ensure they adhere to the same compliance standards as the primary data controller.
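The data-mapping, granular-consent and deletion points above can be expressed as a policy check over an egress log: each record leaving the environment is tested against a register of feature-specific opt-ins and a data map of sharing agreements (required consent, agreed purpose, permitted fields). This is an added example, not GM's, OnStar's or the regulator's code; the consent register, agreements, recipient names and log records are all constructed for illustration.

```python
"""Consent-gated telematics egress audit: added example, not GM's, OnStar's or
the regulator's code. All registers and log records below are constructed."""
from collections import namedtuple

# Constructed consent register: feature-specific opt-ins per vehicle owner.
# Opting in to self-monitoring is NOT consent to sale for insurance purposes.
CONSENT = {"VIN-A": {"self_monitoring", "insurance_sharing"},
           "VIN-B": {"self_monitoring"},
           "VIN-C": set()}

# Constructed data map: per recipient, the consent flag required, the agreed
# purpose and the fields the agreement permits (nothing more granular).
AGREEMENTS = {"broker-1": {"consent": "insurance_sharing",
                           "purposes": {"insurance_underwriting"},
                           "fields": {"hard_braking", "rapid_accel", "speeding_min"}}}

# One record leaving the environment: vehicle, recipient, purpose, fields sent.
Egress = namedtuple("Egress", "vin recipient purpose fields")

def check_egress(event):
    """Return the first policy violation for one egress record, or None."""
    agreement = AGREEMENTS.get(event.recipient)
    if agreement is None:
        return "no_agreement"       # recipient is not in the data map
    if agreement["consent"] not in CONSENT.get(event.vin, set()):
        return "no_consent"         # owner never opted in to this sharing
    if event.purpose not in agreement["purposes"]:
        return "purpose_mismatch"   # shared for a purpose never agreed
    if not set(event.fields) <= agreement["fields"]:
        return "excess_fields"      # more granular than the agreement allows
    return None

def audit(events):
    """Audit an egress log. Returns (violations, delete_queue): offending records
    with reasons, and the (vin, recipient) pairs the deletion protocol must recall."""
    violations = [(e, r) for e in events if (r := check_egress(e)) is not None]
    return violations, {(e.vin, e.recipient) for e, _ in violations}

# Constructed egress log: only the first record is authorised.
SAMPLE_EVENTS = [
    Egress("VIN-A", "broker-1", "insurance_underwriting", ("hard_braking",)),
    Egress("VIN-B", "broker-1", "insurance_underwriting", ("hard_braking",)),
    Egress("VIN-C", "broker-1", "insurance_underwriting", ("speeding_min",)),
    Egress("VIN-A", "broker-2", "insurance_underwriting", ("speeding_min",)),
    Egress("VIN-A", "broker-1", "insurance_underwriting", ("gps_trace",)),
]

if __name__ == "__main__":
    for event, reason in audit(SAMPLE_EVENTS)[0]:
        print(f"{reason:17} {event.vin} -> {event.recipient} {event.fields}")
```

The delete queue is the input to the deletion protocol required by the settlement: each pair names a recipient that must be asked to purge a specific owner's data.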