For years, General Motors told its customers what they wanted to hear about their data. The privacy policy for OnStar — GM’s connected services platform embedded in tens of millions of vehicles — stated clearly that the company did not sell driving or location data. That statement was false. From 2020 to 2024, GM earned approximately $20 million selling precise location records and detailed driving behaviour to two data brokers: Verisk Analytics and LexisNexis Risk Solutions, both of which then sold that data to insurance companies and other downstream customers.
California Attorney General Rob Bonta announced a $12.75 million civil penalty settlement on May 8, 2026, the largest penalty ever secured under the California Consumer Privacy Act’s data minimisation provisions. Beyond the dollar figure, the legal theory behind the case matters more than the settlement itself.
What GM Actually Sold — and to Whom
OnStar collects a remarkable breadth of data from enrolled vehicles. The system logs GPS coordinates, trip duration, start and end points, speed, braking patterns, acceleration behaviour, and seatbelt usage. Every enrolled vehicle generates a continuous stream of granular movement and behaviour data — data that GM pitched to insurers as a tool for risk assessment.
Verisk Analytics operates a programme called Verisk Data Exchange that aggregates connected-car data from multiple manufacturers and packages it for insurance underwriters. LexisNexis Risk Solutions does something similar under its Telematics Exchange. Both companies buy raw telematics feeds and sell derived risk scores and driving profiles to auto insurers, who use them to adjust premiums, deny coverage, or flag policyholders for investigation.
What makes the GM case distinctive is the gap between what OnStar customers were told and what actually happened. The privacy policy in effect during the relevant period stated that GM does not sell personal information — a statement that was directly contradicted by the data-sharing contracts GM had executed with Verisk and LexisNexis.
The CCPA Data Minimisation Theory
Privacy enforcement in the United States has historically focused on data breaches, deceptive practices, and consent violations. The California AG’s office is using this case to establish something new: that data minimisation — collecting and using only the data necessary for a disclosed purpose — is an enforceable obligation under CCPA, not merely a best practice.
The CCPA requires that data collection and use be “reasonably necessary and proportionate” to the purpose disclosed to consumers. OnStar’s stated purpose — providing navigation, emergency response, and vehicle diagnostics — does not reasonably encompass selling detailed driving behaviour to insurance underwriters. The AG argued successfully that GM violated the minimisation principle by repurposing data collected for one purpose and monetising it for another entirely.
This is the first time California has prevailed on a data minimisation theory in CCPA enforcement. If the precedent holds — and other state AGs or the FTC pick it up — it creates a new pressure point for any company whose data practices extend beyond what its stated purpose would naturally imply.
Who Is Actually Hurt By This
The insurance data pipeline matters because it produces consequences most consumers never see and cannot contest.
Insurers using telematics profiles from LexisNexis and Verisk can raise premiums, tighten underwriting criteria, or decline coverage renewals based on algorithmic risk scores derived from location and braking data. The individual receives no notice that a connected-car data feed influenced their quote. They have no mechanism to review the profile, challenge its accuracy, or opt out retroactively. In states without robust insurance data transparency requirements, the entire pipeline is invisible.
For lower-income drivers — who are more likely to live in areas with GPS-trackable commuting patterns that flag as statistically riskier — the downstream effects include higher premiums they cannot afford and fewer coverage options. The data broker intermediaries insulate the insurer from direct responsibility: the insurer bought a score, not raw data, and claims the score provider is responsible for how it was assembled.
What the Settlement Does and Doesn’t Do
The $12.75 million penalty is substantial for a CCPA action but modest relative to GM’s scale. More meaningful are the injunctive provisions: GM must revise its privacy disclosures to accurately describe its data sharing practices, implement a consent mechanism for telematics data collection, and maintain documented data flow records subject to AG audit.
The settlement does not unwind the data already sold to Verisk and LexisNexis. Insurance underwriting decisions made using GM telematics data from the 2020–2024 period remain in place. Policyholders who had premiums raised or coverage changed based on that data have no direct remedy under this settlement.
The case also has no direct effect on other connected-car manufacturers pursuing similar data monetisation strategies. Ford, Stellantis, and others operate comparable telematics programmes; how and whether they disclose those practices varies. The AG’s action is a signal, not a prohibition that covers the industry.
Why This Matters Beyond California
The connected vehicle market is accelerating rapidly. By 2026, the majority of new vehicles sold in the US are connected. The data each vehicle generates is increasingly detailed — newer EVs with camera systems log environmental data far richer than simple GPS coordinates. The insurance telematics industry has grown substantially on the assumption that this data is available, minable, and resellable.
The GM settlement introduces regulatory risk into that assumption. If data minimisation can be enforced against a major manufacturer selling data that customers didn’t know about, the economic model supporting the broker pipeline becomes less stable. Insurers buying telematics profiles now have to account for the possibility that their data providers obtained those profiles in ways that may not survive regulatory scrutiny.
For consumers, the immediate takeaway is practical: if you drive a connected vehicle, check whether you are enrolled in any data sharing programmes and what the opt-out process is. OnStar’s telematics data sharing is opt-in by default in California following this settlement; in other states the defaults vary. The data your car generates about your movement patterns is worth money to people you have never heard of, and the legal protections governing that market are still being written.
The California AG’s enforcement action against GM is available at the California Department of Justice website. The settlement was announced May 8, 2026.



