A privacy violation in the fast lane
General Motors (GM) has agreed to a proposed $12.75 million settlement with the state of California, resolving allegations that the automaker illegally collected, shared, and sold the sensitive driving data of its customers without their informed consent. The announcement from California Attorney General Rob Bonta on May 22, 2024, marks a significant enforcement action under the California Consumer Privacy Act (CCPA) and sends a clear warning to the increasingly data-hungry automotive industry.
The investigation centered on GM's OnStar Smart Driver program, an optional service that promised users feedback on their driving habits. However, state prosecutors alleged that GM failed to adequately disclose that this program was a data pipeline, funneling granular details about drivers' behavior to data brokers like LexisNexis Risk Solutions and Verisk. These brokers then packaged the data into "risk scores" and sold them to insurance companies, which could use the information to adjust premiums—often to the detriment of the unsuspecting driver.
The data pipeline: From your car to your insurer
This incident was not a cybersecurity breach in the traditional sense; no external actor hacked GM's servers. Instead, it was a systemic issue of data handling and a failure of transparency. Modern vehicles, including those made by GM brands like Chevrolet, Buick, GMC, and Cadillac, are essentially sophisticated sensor platforms on wheels. The onboard telematics systems, integrated with services like OnStar, capture a vast amount of information.
The OnStar Smart Driver program specifically collected and transmitted a detailed log of driving behavior, including:
- Acceleration and Braking Events: Instances of hard acceleration or sudden braking.
- Speeding: How often and by how much a driver exceeds speed limits.
- Mileage and Time of Use: Total miles driven and the time of day the vehicle is operated (e.g., late-night driving).
- Location Data: While not the central focus of the insurance scoring, telematics can track routes and locations.
This data was wirelessly transmitted from the vehicle to GM's servers. From there, it was shared with data brokers who specialize in consumer risk profiling. The core of the CCPA violation, as alleged by the California Attorney General, was threefold:
- Lack of Adequate Notice: Drivers were not clearly and conspicuously informed about the extent of the data collection or that their information would be sold to third parties for insurance scoring purposes.
- Failure to Obtain Express Consent: The CCPA requires affirmative, opt-in consent before a company can sell a consumer's personal information. Prosecutors argued that enrolling in Smart Driver did not meet this high standard.
- Obscured Opt-Out Process: The mechanisms for consumers to prevent this data sharing were not straightforward or easy to access.
This practice came to widespread public attention following a March 2024 report from The New York Times, which detailed how unsuspecting drivers saw their insurance rates skyrocket after their driving habits were secretly monitored and reported by their own cars.
Impact assessment: A costly lesson in consumer trust
The repercussions of GM's data sharing practices extend beyond the $12.75 million penalty, which will be paid into California's Consumer Privacy Fund. The settlement affects a wide range of individuals and organizations.
For GM Drivers: Tens of thousands of California drivers who enrolled in the OnStar Smart Driver program are directly affected. They suffered a significant privacy violation, having their daily movements and driving habits cataloged and commercialized without their full understanding. More concretely, this data could have led to higher insurance premiums, creating a direct financial impact based on information they never explicitly agreed to share for that purpose.
For General Motors: Beyond the financial settlement, the company faces significant reputational damage. This incident erodes consumer trust at a time when automakers are asking customers to embrace connected services and autonomous features that rely heavily on data. Under the settlement, GM must overhaul its privacy practices. This includes providing clear disclosures, obtaining express consent before sharing data, honoring data deletion requests, and undergoing annual independent privacy assessments.
For the Automotive and Tech Industries: This settlement sets a powerful precedent. It signals to all automakers and manufacturers of IoT devices that regulators are applying data privacy laws aggressively to new technologies. The era of burying data sharing permissions in lengthy, unreadable terms of service is coming to an end. Other car companies, many of which have similar data-sharing partnerships, are now on notice to review their own compliance with state privacy laws.
How to protect yourself
As vehicles become more connected, drivers must become more vigilant about their data. While you can't disconnect every sensor, you can take steps to manage your digital footprint.
- Scrutinize Connected Services: Before enrolling in any optional program that offers discounts or features in exchange for monitoring—like "safe driver" programs from your automaker or insurer—read the privacy policy carefully. Look for keywords like "share," "third parties," "affiliates," and "data brokers." If the terms are vague, decline the service.
- Explore In-Vehicle Settings: Dive into your vehicle’s infotainment system. There are often privacy settings that allow you to limit or disable certain types of data collection and sharing. Consult your owner's manual for specific instructions.
- Exercise Your Data Rights: If you live in a state with a privacy law like California (CCPA/CPRA), Virginia (VCDPA), or Colorado (CPA), you have the right to request a copy of the data a company holds on you and to request its deletion. Visit the privacy portal on the automaker's website to submit these requests.
- Check Your Consumer Reports: You can request a free copy of your consumer file from data brokers like LexisNexis and Verisk to see what information they have collected on you. You have the right to dispute inaccuracies.
- Think Holistically About Digital Privacy: Your car is just one of many connected devices in your life. Protecting your privacy requires a comprehensive approach. For your online activity on phones and computers, using tools that provide strong encryption is a fundamental step in preventing unwanted tracking by ISPs and data collectors.
The GM settlement is a landmark case in the fight for digital privacy in the age of connected devices. It underscores that the data generated by your vehicle belongs to you, and companies that seek to profit from it must do so transparently and with your explicit permission. As technology continues to integrate into every aspect of our lives, the principles of notice, consent, and control will only become more vital.




