GM's $12.75 Million Settlement: A Warning for Connected Vehicle Data Monetization

General Motors has agreed to pay $12.75 million in civil penalties to settle a California lawsuit over the nonconsensual collection and sale of driving data from its OnStar program. The settlement, announced on May 10, 2026, also imposes a five-year ban on selling driving data to consumer reporting agencies. This is a direct consequence of a 2024 New York Times report that exposed GM's practice of selling data to brokers Verisk Analytics and LexisNexis Risk Solutions, which then marketed the data to auto insurers. In California, insurers are prohibited from using such data to adjust rates, but the practice still violated state privacy laws.

Why this matters for executives: The settlement signals a hardening regulatory stance on connected vehicle data, with potential ripple effects across the automotive, insurance, and data brokerage industries. Companies that rely on telematics data for revenue or risk assessment must reassess their compliance frameworks and data monetization strategies.

Strategic Consequences for GM

GM's settlement is more than a financial penalty; it represents a strategic setback. The five-year ban on selling driving data to consumer reporting agencies cuts off a revenue stream that, while not publicly disclosed, was likely significant given the scale of GM's connected vehicle fleet. Moreover, the requirement to delete all retained driving data within 180 days (except for limited internal uses with consent) erodes GM's data asset base. This could hamper efforts to develop new data-driven services, such as usage-based insurance or predictive maintenance, which rely on historical driving patterns.

However, the settlement also provides clarity. GM can now rebuild its data practices with a clean slate, implementing a privacy program that assesses risks and obtains express consent. This could become a competitive advantage if GM positions itself as a privacy-first automaker, differentiating from rivals that continue to push data monetization boundaries.

Winners and Losers

Winners: California consumers gain stronger privacy protections, with GM required to delete data and obtain consent for future use. California Attorney General Rob Bonta emerges as a champion of privacy enforcement, setting a precedent that may encourage other states to act. Auto insurers in California benefit from the prohibition on using driving data for rate adjustments, avoiding potential backlash from customers who might otherwise see premiums rise based on their driving behavior.

Losers: GM bears the direct cost of $12.75 million and the loss of a data monetization channel. Data brokers Verisk Analytics and LexisNexis Risk Solutions lose a valuable source of driving data, impacting their ability to serve insurers. Auto insurers outside California may face reduced access to GM's driving data, limiting their telematics-based pricing models and forcing them to seek alternative data sources or adjust underwriting strategies.

Second-Order Effects

The settlement is likely to accelerate regulatory scrutiny of connected vehicle data practices across the United States. Other states, particularly those with strong privacy laws like Illinois and Texas, may launch similar investigations. The Federal Trade Commission (FTC), which settled with GM earlier in 2026, may use this case to justify broader rulemaking on automotive data privacy. Internationally, the European Union's GDPR and China's Personal Information Protection Law already impose strict consent requirements; this settlement could push global automakers to adopt uniform high-consent standards.

For the insurance industry, the reduced availability of driving data from GM may slow the adoption of usage-based insurance (UBI) programs that rely on telematics. Insurers may need to pivot to alternative data sources, such as smartphone-based tracking or third-party data aggregators, which could raise their own privacy concerns. Alternatively, insurers could invest in direct partnerships with consumers who opt in, offering discounts in exchange for data—a model that aligns with emerging privacy regulations.

Market and Industry Impact

The settlement reinforces a trend toward data minimization and consent-based data collection. Automakers will likely review their connected vehicle programs to ensure compliance, potentially limiting the types of data collected and the third parties with whom they share it. This could reduce the value of connected car data as a standalone revenue stream, pushing automakers to focus on internal uses such as vehicle performance optimization and customer experience enhancement.

Data brokers specializing in automotive data face an existential threat. If other automakers follow GM's lead and restrict data sales, brokers may need to pivot to anonymized or aggregated data products that fall outside the scope of current regulations. However, regulators are increasingly scrutinizing de-identification claims, so this strategy carries risk.

Executive Action

  • Review your company's connected vehicle data collection and sharing practices against California's privacy laws and the FTC's expectations. Implement express consent mechanisms for any data that could be used for risk assessment or marketing.
  • Assess the impact on your insurance or data brokerage business if access to GM's driving data is curtailed. Identify alternative data sources or develop direct-to-consumer opt-in programs to maintain telematics capabilities.
  • Monitor regulatory developments in other states and at the federal level. Prepare for potential class-action lawsuits or enforcement actions by conducting a privacy audit and ensuring data retention policies align with the principle of data minimization.

Why This Matters

The GM settlement is a clear signal that regulators are willing to impose significant penalties and operational restrictions on companies that misuse connected vehicle data. For executives in automotive, insurance, and data analytics, the window for unconstrained data monetization is closing. Acting now to align data practices with emerging privacy norms is not just about compliance—it's about maintaining customer trust and avoiding costly disruptions.

Final Take

GM's $12.75 million settlement and five-year ban on selling driving data to consumer reporting agencies is a watershed moment for connected vehicle data privacy. It demonstrates that regulators are serious about enforcing consent and data minimization, and that the era of selling customer data without explicit permission is ending. Companies that adapt quickly—by building transparent, consent-based data programs—will turn this regulatory headwind into a competitive advantage. Those that resist will face escalating penalties and reputational damage.



Source: Engadget

Rate the Intelligence Signal

Intelligence FAQ

It signals that regulators are actively enforcing privacy laws in the connected vehicle space. Other automakers should expect increased scrutiny and may need to revise data collection and sharing practices to avoid similar penalties.

In California, insurers are already prohibited from using driving data to set rates, so no direct impact. Nationally, reduced access to GM's data may slow the growth of usage-based insurance programs, potentially keeping rates higher for safe drivers who would otherwise qualify for discounts.