The hidden cost of your commute: GM's record $12 million privacy fine explained

May 9, 2026 · 6 min read · 3 sources

A landmark settlement sends a warning to the auto industry

General Motors (GM) has agreed to pay a record $12.1 million penalty to the state of California, resolving allegations that it unlawfully collected and shared the sensitive driving data of its customers without their clear knowledge or consent. The settlement, announced by California Attorney General Rob Bonta on June 7, 2024, is the largest financial penalty ever levied under the California Consumer Privacy Act (CCPA), signaling a new era of enforcement for consumer data rights.

The case centers on GM’s OnStar Smart Driver program, a service that used vehicle telematics to monitor driving habits. While marketed as a tool to help drivers improve their skills, the California Department of Justice found that GM was sharing this detailed behavioral data with third-party data brokers, who in turn sold it to insurance companies. For many drivers, the first sign of this data sharing was an unexpected and unexplained increase in their auto insurance premiums.

Technical breakdown: From the gas pedal to the insurance premium

This incident was not a data breach in the traditional sense: no attacker compromised GM's servers. Instead, it was a failure of privacy by design, in which the violation of consumer trust was built into the company's own data-handling processes. The core of the state's case rested on GM's failure to provide "clear and conspicuous" notice about its data-sharing practices, a key requirement of the CCPA.

The data pipeline operated as follows:

  1. Data Collection: GM vehicles equipped with OnStar telematics systems continuously collected granular data points through built-in sensors. This included vehicle speed, instances of hard braking and rapid acceleration, mileage, and time of day the vehicle was in use.
  2. Data Aggregation: This information was transmitted to GM's OnStar subsidiary and aggregated under the Smart Driver program.
  3. Data Sharing: GM then shared this driver behavior data with data brokers, most notably LexisNexis Risk Solutions. This transfer occurred without an explicit, informed opt-in from the vehicle owner.
  4. Data Monetization: LexisNexis and other brokers packaged this data into detailed “risk scores” for individual drivers. These scores were then sold to auto insurance companies, which used them as a factor in setting premiums.

Investigators found that the methods for opting into the Smart Driver program were often opaque. Some drivers may have been enrolled by dealership staff during the vehicle purchase, while others may have agreed to lengthy terms of service without realizing the full scope of data collection. Furthermore, the process to opt out was reportedly difficult to find and navigate, a practice commonly known as a "dark pattern" in user interface design, intended to discourage users from exercising their privacy choices.

Impact assessment: A costly lesson in transparency

The impact of GM’s practices extends to millions of consumers, the company itself, and the automotive industry at large.

For GM vehicle owners in California, the consequences were direct and financial. Many faced higher insurance costs based on a risk profile they had no idea was being created. Beyond the monetary loss, the incident represents a significant violation of personal privacy. A vehicle is a private space, and the data it generates can reveal intimate details about a person's life, from their daily commute to their driving style.

For General Motors, the $12.1 million fine is just the beginning. Under the settlement terms, the company is subject to injunctive requirements that mandate a complete overhaul of its privacy program. GM must now:

  • Provide clear and prominent disclosures about its data collection and sharing.
  • Obtain affirmative consent from consumers before sharing their data with third parties.
  • Maintain an easy-to-use mechanism for consumers to opt-out.
  • Honor consumer requests to delete their data.
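To make the four requirements concrete, here is an added illustration in Python (not GM's code, and not anything from the settlement) of how the sharing step in the pipeline described above can be gated by a consent ledger. The sharing function forwards a vehicle's driving data to a broker only when the consumer personally opted in before the event was recorded and has not since opted out, and the store honors deletion requests. The VINs, timestamps and the rule that only consumer-granted consent counts (so dealer-entered enrollment is treated as no consent) are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class TelemetryEvent:
    """One driving-behaviour sample from a vehicle's telematics unit (constructed sample data)."""
    vin: str
    timestamp: datetime
    speed_mph: float
    hard_brake: bool
    rapid_accel: bool


@dataclass
class ConsentRecord:
    """Affirmative consent to third-party sharing. Only granted_by == "consumer" counts (assumption)."""
    opted_in_at: datetime
    granted_by: str
    opted_out_at: Optional[datetime] = None


class ConsentLedger:
    """Per-vehicle record of opt-in and opt-out state, consulted before every share."""

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def opt_in(self, vin: str, granted_by: str, when: datetime) -> None:
        self._records[vin] = ConsentRecord(opted_in_at=when, granted_by=granted_by)

    def opt_out(self, vin: str, when: datetime) -> None:
        rec = self._records.get(vin)
        if rec is not None:
            rec.opted_out_at = when

    def may_share(self, vin: str, at: datetime) -> bool:
        """True only if the consumer opted in at or before `at` and had not opted out by then."""
        rec = self._records.get(vin)
        if rec is None or rec.granted_by != "consumer":
            return False  # no record, or enrollment entered by someone other than the consumer
        if rec.opted_in_at > at:
            return False  # event predates the opt-in
        return rec.opted_out_at is None or at < rec.opted_out_at


class TelemetryStore:
    """Aggregated events per vehicle, with deletion on request."""

    def __init__(self) -> None:
        self._events: Dict[str, List[TelemetryEvent]] = {}

    def ingest(self, event: TelemetryEvent) -> None:
        self._events.setdefault(event.vin, []).append(event)

    def events_for(self, vin: str) -> List[TelemetryEvent]:
        return list(self._events.get(vin, []))

    def delete(self, vin: str) -> int:
        """Honor a deletion request; returns how many events were erased."""
        return len(self._events.pop(vin, []))


def share_with_broker(store: TelemetryStore, ledger: ConsentLedger,
                      vins: List[str]) -> Tuple[List[TelemetryEvent], Dict[str, int]]:
    """The consent-gated sharing step: returns forwarded events and a per-VIN count of withheld ones."""
    forwarded: List[TelemetryEvent] = []
    withheld: Dict[str, int] = {}
    for vin in vins:
        for ev in store.events_for(vin):
            if ledger.may_share(vin, ev.timestamp):
                forwarded.append(ev)
            else:
                withheld[vin] = withheld.get(vin, 0) + 1
    return forwarded, withheld


def run_demo() -> Dict[str, object]:
    """Constructed scenario: four vehicles with different consent histories."""
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    h = timedelta(hours=1)
    a, b, c, d = ("CONSTRUCTED-VIN-A", "CONSTRUCTED-VIN-B",
                  "CONSTRUCTED-VIN-C", "CONSTRUCTED-VIN-D")
    ledger, store = ConsentLedger(), TelemetryStore()
    ledger.opt_in(a, "consumer", t0)          # valid consent
    ledger.opt_in(b, "dealer", t0)            # enrolled by dealership staff: not consent
    ledger.opt_in(c, "consumer", t0)          # consented, then opted out three hours later
    ledger.opt_out(c, t0 + 3 * h)             # vehicle D never enrolled at all
    for vin, when in [(a, t0 + h), (a, t0 + 2 * h), (b, t0 + h),
                      (c, t0 + h), (c, t0 + 4 * h), (d, t0 + h)]:
        store.ingest(TelemetryEvent(vin, when, 62.0, hard_brake=True, rapid_accel=False))
    forwarded, withheld = share_with_broker(store, ledger, [a, b, c, d])
    deleted = store.delete(c)
    return {"forwarded": len(forwarded), "withheld": withheld,
            "deleted": deleted, "remaining_after_delete": len(store.events_for(c))}


if __name__ == "__main__":
    print(run_demo())
```

The design choice worth noting is that the consent check happens at the sharing boundary for every event, with the event's own timestamp, so an opt-out stops future sharing without retroactively legitimizing earlier data, and enrollment recorded by anyone other than the consumer is simply not consent.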

While GM stated that it stopped sharing Smart Driver data with brokers in March 2024, prior to the settlement, the reputational damage is considerable. The case serves as a potent warning to the entire automotive sector, which has been criticized for its aggressive data collection practices. A 2023 report from the Mozilla Foundation labeled cars as “the worst category” of products for privacy, and this settlement validates many of those concerns.

How to protect yourself in a connected car

As vehicles become more like computers on wheels, drivers must become more proactive about protecting their data. Here are several actionable steps you can take:

  • Audit Your Vehicle's Settings: If you own a GM vehicle, check your enrollment status in the OnStar Smart Driver program through the myGM mobile app or your vehicle's infotainment system. If you are enrolled and do not consent to the data collection, opt out immediately.
  • Review Privacy Policies for All Connected Services: Regardless of your car's manufacturer, treat it like any other smart device. When you purchase a vehicle or enable connected features, take a moment to review the privacy policy. Look specifically for language about data sharing with third parties, data brokers, or for marketing purposes.
  • Be Cautious of 'Discounts' for Data: Many insurance companies and automakers offer usage-based insurance programs that provide discounts in exchange for monitoring your driving. While this can save money, understand the trade-off. You are exchanging your privacy for a potential discount.
  • Exercise Your Data Rights: Under laws like the CCPA, you have the right to request a copy of the data a company holds on you and to ask for its deletion. You can submit these requests to both automakers and data brokers like LexisNexis.
  • Protect Your General Digital Footprint: While your car collects specific data, your overall privacy depends on good digital hygiene. For your general web browsing, using a VPN service can encrypt your connection and mask your IP address, making it more difficult for websites and advertisers to track your activity across the internet.

The General Motors settlement is more than just a large fine; it is a clear declaration from regulators that consumer privacy laws apply forcefully to the automotive industry. It underscores that consent must be knowing, transparent, and easily revocable. For consumers, it is a reminder that in our increasingly connected world, the price of a product is not always the only cost we pay.


// FAQ

What is the OnStar Smart Driver program?

It is an optional telematics program from GM's OnStar that uses vehicle sensors to track driving habits like speed, acceleration, and braking. It was intended to provide feedback to drivers, but the state of California found that the collected data was also shared with third-party data brokers without adequate consumer consent.

How do I know if my driving data was shared?

If you were a California resident enrolled in the OnStar Smart Driver program, your data may have been shared. You can request a copy of your consumer file from data brokers like LexisNexis Risk Solutions to see what information they have collected about you.

Will I receive any money from this $12 million settlement?

No, this settlement is a civil penalty paid directly to the state of California to resolve the legal action. It is not a class-action lawsuit settlement designed for direct consumer payouts. However, it forces GM to change its practices, which benefits all consumers going forward.

Does this settlement only affect GM drivers in California?

The legal action and fine are specific to California law (CCPA). However, GM announced in March 2024 that it would stop sharing Smart Driver data with data brokers nationwide. The settlement's requirements for clearer consent and privacy controls will likely influence GM's policies for all its customers.
