CALIFORNIA—On Friday, May 8, the Los Angeles County District Attorney’s Office disclosed that General Motors, LLC will pay $12.75 million to resolve a civil lawsuit alleging that from 2020 to 2024, General Motors unlawfully sold hundreds of thousands of OnStar subscribers’ personal information and driving data to third-party data brokers in violation of California’s privacy, false advertising and unfair competition laws.
The lawsuit, filed by the California Attorney General and the District Attorneys of Los Angeles, Napa, San Francisco and Sonoma counties with support from the California Privacy Protection Agency, alleges that from 2016 to 2024, General Motors collected and kept driver- and driving-related data from hundreds of thousands of Californians who had subscribed to OnStar, a vehicle connectivity service offered by General Motors. This data included names, phone numbers, home addresses, speeds, rapid acceleration, and hard braking, as well as the GPS location of where OnStar subscribers drove and parked their vehicles.
General Motors allegedly affirmatively told OnStar subscribers that it did not sell any driving or location data and that their data would only be used for OnStar services, like summoning an ambulance, providing driving directions or improving driver skills.
In 2020, GM allegedly started selling this data to two data brokers, LexisNexis Risk Solutions and Verisk Analytics, Inc., deceiving consumers by not adequately disclosing that such data would be sold to third parties and not providing an opportunity to opt out of the information sharing.
General Motors reportedly earned approximately $20 million nationwide from these data sales.
Under the settlement, subject to court approval, General Motors must pay civil penalties totaling $12.75 million. With respect to California OnStar customers, General Motors must:
- Stop selling driving data to any consumer reporting agencies for five years, including to data brokers like Lexis and Verisk;
- Delete any driving data retained by the company within 180 days, except for certain limited internal uses, absent affirmative, express consent from consumers;
- Request that Lexis and Verisk delete driving data;
- Develop and maintain a robust privacy program that is required to assess, mitigate, and document the risks of collecting data through OnStar and ensure that General Motors complies with the California Consumer Privacy Act;
- Report its privacy assessments to the California Department of Justice, the California Privacy Protection Agency and the district attorneys’ offices of Los Angeles, Napa, San Francisco and Sonoma counties.
General Motors resolved the matter without admitting liability. Consumers have the right to request a report to find out whether their personal data is being collected and how it is being used.
Request LexisNexis report: consumer.risk.lexisnexis.com/consumer.
Request Verisk report: fcra.verisk.com/#/.
The California Consumer Privacy Act (CCPA) vests California consumers with control over the personal information that businesses collect about them, including the right to request that businesses stop selling or sharing their personal information. For more information about the CCPA, visit oag.ca.gov/ccpa. To report a violation of the CCPA to the Attorney General, consumers can submit a complaint online at oag.ca.gov/report.
Californians can now send one request to more than 550 registered data brokers to delete their personal data by using a new, easy-to-use online tool. The Delete Request and Opt-out Platform (DROP), developed by the California Privacy Protection Agency, gives Californians more control over their personal information and helps limit the information that data brokers sell. For more information about DROP and how Californians can submit a deletion request, visit: privacy.ca.gov/drop.





