GM’s $12.75 Million Privacy Settlement Marks a Turning Point for the Connected Car Industry

The California Attorney General’s office accused GM of selling detailed personal information from hundreds of thousands of California drivers to data brokers including LexisNexis and Verisk. According to the state, the data included names, addresses, phone numbers, precise GPS histories, travel patterns, driving speeds and rapid acceleration behavior. Officials alleged that this information was collected through OnStar and related “Smart Driver” products, often without meaningful user awareness or valid consent. California said GM generated approximately $20 million nationwide from these sales between 2020 and 2024.

GM has said the settlement addresses a product it discontinued in 2024 and reinforces steps it has already taken to strengthen privacy practices. However, the financial penalty is only part of the story. The settlement also includes a five-year ban on selling consumer driving data to data brokers, restrictions on future data use, and requirements to delete certain retained information unless customers explicitly consent to continued storage. California regulators described the case as the largest penalty under the California Consumer Privacy Act and the first major “data minimization” enforcement case, meaning companies cannot collect excessive data and later repurpose it for commercial use.

The case highlights how connected vehicles have become major privacy battlegrounds. Modern vehicles continuously generate vast amounts of behavioral and location data through embedded sensors, telematics systems, mobile apps and software subscriptions. Carmakers increasingly view that information as a valuable revenue source, whether through subscription services, insurance partnerships, predictive maintenance or third-party analytics. But regulators are now making clear that data monetization cannot come at the expense of consumer consent and transparency.

This is not GM’s first regulatory setback on the issue. Earlier this year, the U.S. Federal Trade Commission finalized an order requiring GM and OnStar to stop sharing sensitive geolocation and driving behavior data with consumer reporting agencies for five years and imposed stricter disclosure and consent requirements. Together, the federal and California actions suggest regulators are building a coordinated framework around automotive data rights, increasing the compliance burden across the industry.

The broader consequence extends far beyond GM. Every major automaker, from Tesla and Ford to Toyota, Volkswagen and emerging EV companies, is increasingly dependent on software-driven revenue models. Connected services, subscriptions and in-car digital ecosystems are central to future profitability. But if regulators worldwide begin applying stricter privacy rules, some of those monetization strategies may become harder to execute. GM’s settlement therefore serves as a warning to the entire industry: the connected car future may still be lucrative, but only if companies treat consumer data as a trust responsibility rather than a commercial byproduct.