California Forces a New Test for Connected-Car Privacy

General Motors has agreed to a $12.75 million settlement with California law enforcement agencies over the collection and sale of driver data, marking one of the clearest state-level signals yet that the connected-car business will face harder limits when consent and data use drift apart. The case centers on allegations that GM, through its OnStar program, sold personal and behavioral information from hundreds of thousands of Californians to data brokers without adequate customer knowledge or permission.

The settlement, announced by California Attorney General Rob Bonta’s office, goes beyond a financial penalty. GM also agreed to stop selling driving data to consumer reporting agencies for five years, delete retained driver data within 180 days unless it secures customer consent, and ask LexisNexis Risk Solutions and Verisk Analytics to delete the data they received. In practice, that combination makes this more than a fine. It is a mandated unwind of a data-sharing pipeline that regulators say should not have existed in its alleged form.

What California Says Happened

According to the settlement description, GM sold names, contact information, geolocation data, and driving-behavior data gathered through OnStar. California alleges the company earned roughly $20 million from those sales. The underlying concern is not simply that the information moved between companies, but that consumers were not meaningfully informed and did not consent to a secondary use that could affect them in consequential ways.

The political and regulatory backdrop matters here. Reporting in 2024 had already drawn national attention to automakers sharing driving-behavior information with insurance-linked ecosystems, raising fears that telematics data could feed pricing or risk-scoring decisions. In California, Bonta’s office said the data at issue likely did not increase insurance premiums because state law prohibits insurers from using driving data to set rates. Even so, the state’s position is that the alleged sale itself violated privacy expectations and California’s data-minimization rules.

That distinction is important. A privacy violation does not need to produce a measurable premium increase to become a major enforcement problem. Regulators increasingly focus on whether companies collected more than they needed, retained it longer than necessary, or repurposed it in ways that consumers would not reasonably expect. The GM settlement fits squarely into that framework.

Why This Case Reaches Beyond One Automaker

The larger issue is that modern vehicles have become rolling sensor platforms. Connected services can capture location, trip patterns, driving behavior, and other telemetry that create value for navigation, safety, maintenance, and emergency response. But the same systems can also generate a monetizable stream of consumer data. Once that information flows outward to brokers, analytics firms, or credit-adjacent intermediaries, the line between service delivery and surveillance becomes much harder to defend.

California’s action suggests regulators are no longer satisfied with vague disclosures, buried opt-ins, or broad permissions tied to complex vehicle software ecosystems. If a company tells customers one thing about data handling and does another, that gap itself can become the core liability. Bonta’s statement underscored exactly that point, alleging GM reassured drivers that it would not sell the data while doing so anyway.

For the auto industry, this creates a practical compliance challenge. Carmakers increasingly rely on software-defined business models and recurring digital services. Those strategies often assume that vehicle-generated data is a strategic asset. But if regulators demand tighter consent boundaries and shorter retention windows, the economics of that data may change quickly. A dataset is less valuable when consumers can refuse it, when firms must delete it promptly, and when downstream sharing becomes legally risky.

The Settlement’s Real Message

The five-year restriction on sales to consumer reporting agencies may prove especially influential. It targets a sensitive category of downstream use, where data can shape decisions that feel less like advertising and more like access, pricing, or risk classification. Even though California said its insurance rules likely blocked rate increases from this specific data flow, the state still treated the arrangement as serious enough to warrant structural remedies.

That remedy also lands after GM previously settled with the Federal Trade Commission over data sales, with a final order that banned GM and OnStar from selling certain data to consumer reporting agencies. Taken together, the federal and California actions show convergence rather than duplication. Washington and Sacramento are not merely punishing past behavior; they are narrowing the acceptable operating model for connected-car data businesses.

Consumers should not assume this is only a GM problem. The connected-vehicle industry has spent years expanding what cars can observe, store, and transmit. That trend is unlikely to reverse. What may change is the regulatory tolerance for opaque data brokering layered on top of those capabilities. Companies will face pressure to make consent explicit, purpose-specific, and revocable, while proving that retention and sharing rules match what drivers were told.

What Comes Next

For GM, the immediate path is operational: comply with deletion deadlines, halt restricted sales, and rebuild trust in how its connected services handle personal data. For rivals, the lesson is to audit data pathways now, before state regulators do it for them. The settlement shows that even where direct financial harm is disputed or limited, the mere mismatch between collection, disclosure, and resale can trigger significant penalties.

For policymakers, California has added another marker in the evolving governance of digital products that move through the physical world. Cars are no longer just transportation devices. They are data platforms with sensors, subscriptions, and third-party relationships. That reality raises the stakes for privacy law because the information involved is intimate and behavioral, often tied to daily routines, locations, and patterns that people cannot easily conceal.

The GM settlement does not settle every question about connected-car privacy, but it does clarify one thing: regulators increasingly expect automakers to treat telemetry as sensitive consumer data, not as a lightly governed byproduct. That shift could reshape how automotive software businesses are designed, marketed, and monetized over the next several years.

This article is based on reporting by TechCrunch.

Originally published on techcrunch.com