GM's $12.75M Fine on $20M in Sales

The record CCPA penalty equals 64 cents on every dollar GM made selling driver data.

Introduction

GM's own 2019 Global Privacy Policy required written risk assessments before sharing consumer data with third parties. Between 2020 and 2024, GM sold four years of driving and location data on hundreds of thousands of California OnStar subscribers to insurance data brokers. When California regulators eventually asked to see the risk assessments that policy required, GM couldn't locate a single one.

If you drove a GM vehicle with OnStar between 2020 and 2024, this is your data. Where you parked, which hospitals you visited, how hard you braked, what time you left for work, every bit of it packaged and sent downstream to insurers.

How the Self-Contradiction Looks Up Close

The California Attorney General filed suit against GM and OnStar in Napa Superior Court on May 8, 2026, with a $12.75 million civil penalty attached. That's the largest fine in the seven-year history of the California Consumer Privacy Act. The prior record, Disney at $2.75M, gets beaten almost five times over.

Read past the headline number and the structure of the violation gets stranger. According to Paragraph 28 of the California complaint, GM's 2019 Global Privacy Policy required the company to "inform individuals how the personal information will be used [and] the types of third parties that may receive it," and required data to be used "consistent with the context of collection." It also mandated written privacy risk assessments before activities like selling consumer data to outside parties. The complaint says GM "could not locate a contemporaneous written risk assessment covering the original decision to sell consumer data to Lexis and Verisk." GM had the rules in writing and ignored them; California's case is built on that gap.

The data sales ran from 2020 through March 11, 2024, the same day the New York Times broke the story and GM halted the program. The contracts with LexisNexis Risk Solutions and Verisk Analytics were structured with royalty-style continuing payments, meaning GM kept getting paid as the brokers sold driver scores to insurers downstream. We covered the FTC's separate consent-order case against GM earlier this year, which focused on how the "Smart Driver" enrollment screens were designed to trick people into opting in. The California case runs on a different theory. Even if every consent box had been honest, GM still wasn't allowed to retain the data and resell it for a purpose unrelated to providing OnStar services.

The Math the Press Release Skipped

The AG's press release doesn't run the simple division. GM's $12.75 million fine sits on top of approximately $20 million in revenue, stated as a single figure in Paragraph 13 of the complaint. The penalty equals about 64 cents on every dollar GM made from the program. The remaining 36 cents, roughly $7.25 million, stays with GM.

When the punishment costs less than the profit from breaking the law, the punishment is a licensing fee.

The CCPA's statutory cap is $7,988 per intentional violation. Multiplied across hundreds of thousands of California drivers, the theoretical maximum sat in the high nine figures. The California AG settled for $12.75M. GM agreed to it on the same day the lawsuit was filed, a sign that both sides had already negotiated the figure before the complaint hit the docket. The settlement also imposes a five-year data sales ban, a 180-day data deletion deadline, a compliance program, and annual reports going to GM's CEO and General Counsel. Those guardrails only apply going forward; the four years of sales already happened.

An Insurify analysis cited in coverage of the broader scheme found that drivers flagged in LexisNexis Telematics OnDemand reports paid 12% to 21% more on average than drivers without those flags. California insurance law happens to bar carriers from using telematics in pricing, so no California driver experienced a rate increase from this data. Other states didn't have the same shield. Romeo Chicco in Palm Beach County saw his premium nearly double after multiple carriers rejected him over his LexisNexis report. He bought a Cadillac in 2021 and didn't learn about the data sharing until 2023.

What Data Minimization Actually Says

The complaint cites Civil Code § 1798.100(c), the data minimization provision added by the California Privacy Rights Act and effective January 1, 2023. The statute says a business can only collect, use, retain, and share personal information that is "reasonably necessary and proportionate" to the purpose for which it was collected. Plainly stated, a company can't grab data for one reason and later monetize it for an unrelated reason, which is exactly what GM did.

This is the first time California has enforced the data minimization principle in a CCPA action, a point CalPrivacy emphasized in its own announcement. The doctrine doesn't depend on consent. Even with perfect consent flows (which the FTC found GM didn't have), the minimization principle says the data still couldn't be retained and resold past what OnStar service delivery required. The ceiling is set by necessity, and selling four years of driving data to insurance brokers was never going to clear the necessity test.

Paragraph 15 of the complaint shows how casual the data flow was. The Verisk contract barred GM from sending precise geolocation data, and Verisk insisted GM strip it before transmission. GM sent the geolocation data to LexisNexis anyway, even though LexisNexis didn't use it for the driver-rating product. The two companies held biweekly meetings to discuss data requirements. The complaint reads as if GM simply forwarded everything it had, because no internal process existed (no risk assessment, no minimization review) to catch the question of what should actually be sent and why.
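The missing control described above is straightforward to express in code. The following is an added example, not GM's, Verisk's or the complaint's own code: a recipient-scoped minimization filter that refuses to transfer anything without a reference to a written risk assessment and forwards only the fields the sharing agreement allows, so precise geolocation is dropped by default rather than forwarded by default. The record layout, field names, recipient names and assessment reference are all constructed for illustration.

```python
"""Recipient-scoped data minimization gate (added example, hypothetical names).

Two checks the complaint says were absent:
  1. a written risk assessment must be on file before any transfer, and
  2. only fields the sharing agreement permits leave the building.
"""
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, List, Optional


class MinimizationViolation(Exception):
    """Raised when a transfer would breach the agreement or the internal policy."""


@dataclass(frozen=True)
class SharingAgreement:
    recipient: str
    purpose: str
    allowed_fields: FrozenSet[str]
    # Reference to the written privacy risk assessment; None means none on file.
    risk_assessment_ref: Optional[str]


@dataclass
class MinimizationResult:
    sent: Dict[str, Any]
    dropped: List[str]


# Fields treated as precise geolocation; never sent unless explicitly allowlisted.
PRECISE_LOCATION_FIELDS = frozenset({"lat", "lon"})

# Constructed sample telematics record (not real data).
SAMPLE_TRIP: Dict[str, Any] = {
    "vehicle_id": "VIN-EXAMPLE-0001",
    "trip_start": "2023-06-01T08:02:00Z",
    "trip_end": "2023-06-01T08:41:00Z",
    "lat": 38.2975,
    "lon": -122.2869,
    "hard_brake_events": 2,
    "speeding_events": 0,
    "odometer_miles": 41200,
}

# Constructed agreement modelling a contract that bars precise geolocation:
# lat/lon are simply not in the allowlist, and an assessment reference exists.
BROKER_A = SharingAgreement(
    recipient="broker_a",
    purpose="driver behaviour scoring",
    allowed_fields=frozenset(
        {"vehicle_id", "trip_start", "trip_end", "hard_brake_events", "speeding_events"}
    ),
    risk_assessment_ref="RA-EXAMPLE-2020-01",
)

# Same allowlist, but nobody wrote the assessment: the gate must refuse.
BROKER_B_NO_ASSESSMENT = SharingAgreement(
    recipient="broker_b",
    purpose="driver behaviour scoring",
    allowed_fields=BROKER_A.allowed_fields,
    risk_assessment_ref=None,
)


def minimize_record(record: Dict[str, Any], agreement: SharingAgreement) -> MinimizationResult:
    """Return the subset of `record` the agreement permits, plus what was withheld."""
    if not agreement.risk_assessment_ref:
        raise MinimizationViolation(
            f"no written risk assessment on file for transfer to {agreement.recipient}"
        )
    sent = {k: v for k, v in record.items() if k in agreement.allowed_fields}
    dropped = sorted(k for k in record if k not in agreement.allowed_fields)
    return MinimizationResult(sent=sent, dropped=dropped)


def precise_location_leaked(payload: Dict[str, Any]) -> bool:
    """True if a payload about to leave still carries precise geolocation."""
    return any(k in PRECISE_LOCATION_FIELDS for k in payload)


if __name__ == "__main__":
    result = minimize_record(SAMPLE_TRIP, BROKER_A)
    print("sent:", result.sent)
    print("withheld:", result.dropped)
    try:
        minimize_record(SAMPLE_TRIP, BROKER_B_NO_ASSESSMENT)
    except MinimizationViolation as exc:
        print("refused:", exc)
```

The `dropped` list is the audit trail: logging it per transfer is what lets a compliance team answer "what did we send and why" years later, which is exactly the question GM could not answer.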

Who Made the Money

GM is the named beneficiary. The complaint only names the corporate entities General Motors LLC and OnStar LLC, with no executive charged and no individual decision-maker named in any public filing. The proposed judgment goes further and releases GM's officers, employees, and agents from related privacy claims upon payment. Whoever signed off on the 2020 program launch is unidentified in the record and faces no personal exposure.

The mechanism is simple. OnStar customers paid for emergency and navigation services. GM had already collected the behavioral and location data those services required. The decision in 2020 was to take an existing data inventory (already paid for by the subscriber base) and license it to data brokers as a separate revenue stream. The $20 million was nearly pure margin, and the fine claws back about two-thirds of it. The data went to LexisNexis Risk Solutions, a subsidiary of RELX, which packaged it into the LexisNexis Telematics OnDemand product and sold it to auto insurers. LexisNexis continues to promote that product and was not named as a defendant in the California action. Verisk reportedly stopped selling its version.

The timing is the part that should bother you. GM halted all sales the same day the New York Times story published in March 2024, and Smart Driver was formally discontinued the following month. The settlement announced two years later formalizes a course of conduct GM had already stopped under public pressure. The five-year ban prohibits a program GM had already ended on its own, which reads more like the company exiting the market and then accepting a price for the years it ran.

What the Fine Ladder Shows

The deterrence question gets clearer when you put the CCPA enforcement record side by side. Honda paid $632,500 to the California Privacy Protection Agency in March 2025 for requiring eight data elements to process an opt-out request. Ford paid $375,703 for demanding email verification before processing opt-outs. Disney, the prior CCPA record, paid $2.75 million in February 2026. GM's $12.75M comes in at roughly 20 times Honda's and almost five times Disney's.

The Honda and Ford fines covered procedural opt-out defects, paperwork-flow problems with technical fixes available. The GM fine covers the secret sale of hundreds of thousands of people's location and driving data, with the company's own privacy policy violated in the process. The conduct is an order of magnitude worse, and so are the dollar figures, but neither category appears to be set high enough to make the violating activity unprofitable in the first place.

The part I keep coming back to is the missing risk assessment. A company can run an internal compliance program, write the policy, train the staff, name a Chief Privacy and Trust Officer, and still produce zero documentation when a regulator asks four years later whether the policy was followed. The 2019 policy existed on paper, the program ran for four years, and nobody internally generated the document the policy required before launching it. The gap between policy and practice was wide enough that $12.75 million didn't close it.

The Bottom Line

The CCPA just secured its largest cash penalty in seven years and California still didn't get the money back to anyone whose data was sold. The $12.75M routes to state subfunds and DA offices, with penalty distribution split across Schedule A of the judgment. GM's net take from the program after the fine is approximately $7.25 million. The data has already moved through LexisNexis and Verisk into insurer pricing models in 49 other states.

The Texas AG and Arkansas AG have parallel suits pending. A federal MDL covering an estimated 16 million drivers is moving in the Northern District of Georgia. If any of those produces a money-back-to-drivers remedy at a meaningful per-person figure, this becomes a different story. If they settle on the same arithmetic California just signed off on, then "privacy enforcement" effectively just sets the wholesale rate that automakers can pay to keep selling driver data.