General Motors to pay $12.75 million over driver data sales

General Motors has agreed to a $12.75 million settlement with California over allegations that it unlawfully sold drivers’ location and behavioral data to brokers, marking the largest penalty in the history of the state’s Consumer Privacy Act. Prosecutors say GM made approximately $20 million nationwide from the sales.

“General Motors sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so. This trove of information included precise and personal location data that could identify the everyday habits and movements of Californians,” Rob Bonta, Attorney General, said.

The settlement, which is subject to court approval, requires GM to stop selling driving data to consumer reporting agencies for five years. The automaker must also delete retained driving data within 180 days unless consumers provide affirmative, express consent for limited internal uses.

In addition, GM must ask LexisNexis Risk Solutions and Verisk Analytics to delete any driving data they received. The company must establish and maintain a privacy program to assess, mitigate, and document risks tied to data collected through OnStar and ensure compliance with the California Consumer Privacy Act. GM must also report its privacy assessments to the California Department of Justice, participating district attorneys, and CalPrivacy.

“It is patently illegal to secretly sell consumers’ personal data,” Los Angeles County District Attorney Nathan J. Hochman said. “To car companies who want to speed off with your data without your consent, these penalties should serve as a warning: No matter how big a company is, it will be held accountable in California.”