Your Chevy was Selling Your Secrets

Key quote:
“General Motors sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so. This trove of information included precise and personal location data that could identify the everyday habits and movements of Californians… companies can’t just hold on to data and use it later for another purpose.”
Why it matters:
Forget the idea that privacy violations only happen on websites or apps. This Memorial Day weekend, the threat’s right under your hood. General Motors just paid a record $12.75 million to settle with California authorities, but the real story isn’t the fine. It’s the realization that your Chevy Impala or GMC truck was quietly acting as a surveillance device, selling your hard braking, rapid acceleration, and precise geolocation to data brokers like LexisNexis and Verisk Analytics.
And this wasn’t a case of accidental data leakage. It was a calculated business model. Between 2020 and 2024, GM raked in roughly $20 million nationwide from these sales, aiming to build driver-rating products for auto insurers. The worst part? GM had an internal privacy compliance program that explicitly forbade this behavior, but it looks like the company ignored its own rules to chase higher margins. They collected data for emergency roadside assistance and then repurposed it for insurance rate-setting, violating the CCPA’s data minimization and purpose limitation principles.
The settlement marks a turning point, too. It’s the first time California has enforced data minimization as a hard mandate, proving that keeping data “just in case” is now a liability. Considering the number of data retention schedules I’ve seen, I don’t think this issue is exclusive to GM. Even worse, GM tried to hide this from regulators. When the California Privacy Protection Agency (CalPrivacy) asked about their data practices in 2023, GM omitted the sales entirely. It took a New York Times exposé in 2024 to force the truth out.
Ironically, GM stopped the “Smart Driver” program in 2024 after customers revolted against the creepy surveillance, yet the state still pursued the maximum penalty for the preceding four years of violations. This case proves that a privacy policy’s worthless if the internal controls are ignored. It also signals that the era of “rolling data collection machines” (AKA “cars”) is under fire. If you drive a connected car, your insurer might already know your habits, and if they don’t, the data brokers are ready to sell it to them. The $12.75 million penalty is just the down payment on a new reality where your driving behavior is no longer yours to keep private.
Drive safe out there this long weekend – your car’s watching!