The thought that the car parked outside your home has been making notes about you is a little unnerving. Where you spend Tuesday nights. How forcefully you apply the brakes at that particular intersection close to the school. Whether you have a tendency to speed off the line at green lights a bit too quickly. That wasn’t paranoia for hundreds of thousands of Californians who purchased General Motors cars between 2020 and 2024. According to California, that was precisely what was taking place.
By no means is the $12.75 million settlement that California Attorney General Rob Bonta announced on May 8 the biggest corporate fine in American history. However, it may be among the most important. It’s the largest CCPA penalty ever collected by regulators, and more significantly, it’s the first time the data minimization clause of California’s privacy law has been used to draw blood. For years, businesses have been cautioned about it. They have a number to look at now.

Part of the reason it hurts is that what GM allegedly did was straightforward. While OnStar was marketed to drivers as a roadside safety service, it collected names, contact information, precise geolocation pings, hard-braking incidents, abrupt acceleration, and speed. That information then went to Verisk and LexisNexis, two companies that collaborate closely with auto insurers. According to reports, GM took home about $20 million from those deals. Twenty million dollars spread over four years. It’s a rounding error for a company the size of General Motors, which somehow makes the situation worse.
It’s difficult not to imagine what that data looked like once it left Detroit. Probably anonymized columns. Spreadsheets that appear innocent. However, the abstraction breaks down as soon as a car has precise location stamps. You know where a person sleeps, where they pray, and where their child has the after-school appointment they would prefer not to talk about. The district attorney for San Francisco, Brooke Jenkins, put it plainly when she referred to contemporary automobiles as “rolling data-collection machines.” She is correct. Functionally, the dashboard’s infotainment screen is a tiny computer that is connected to almost all of the car’s sensors.
GM’s privacy policy allegedly told customers that the company would not sell this type of information. According to the Attorney General’s office, selling it is precisely what GM was doing. Regulators appear to have noticed that writing one thing while doing another involves a certain kind of corporate hubris. The settlement mandates that GM create an actual privacy program with documented assessments, ask brokers to do the same, and remove retained driving data within 180 days unless drivers actively opt in. That last requirement may be more important than the money.
Additionally, this is not GM’s first experience with the problem. Similar agreements were reached by the FTC in 2025, and regulators in Arkansas and Nebraska have been circling. Observing this unfold gives us the impression that we are at the beginning of something rather than its conclusion. It’s highly likely that other automakers are using the same strategy, or a similar one. This week, none of them have said anything. It’s a loud silence.
It’s still genuinely unclear what will happen next. Because state law already prohibits insurers from basing rates on driving telematics, Bonta pointed out that drivers in California won’t experience immediate insurance increases. Other states’ drivers are not as fortunate. In 2024, the New York Times conducted an investigation and discovered individuals whose premiums had suddenly increased without their knowledge. That’s the part that stays. The small, everyday betrayal of a machine you relied on to get you home—not the settlement amount or the legalese.