If you bought a GM truck anytime in the past decade — a Silverado in the vineyard rows, a Tahoe at the trailhead, a Sierra hauling firewood off the coast — your name, your home address, and a four-year record of where and how you drove most likely passed through a pipeline that ended at an insurance-data broker. That pipeline shut down Friday.
California Attorney General Rob Bonta announces a $12.75 million settlement with General Motors over the unlawful sale of Californians’ driving and location data between 2020 and 2024. Two of Wine Country Daily’s four counties have district attorneys named on the deal: Sonoma’s Carla Rodriguez and Napa’s Allison Haley. The DAs in Lake and Mendocino did not sign on.
GM collected the data through OnStar, the connected-vehicle service included on most of its trucks and SUVs. The company then sold names, contact details, geolocation, and detailed driving-behavior records to two consumer-reporting brokers, Verisk Analytics and LexisNexis Risk Solutions. The brokers turned the records into driver-rating products and resold them to insurers. GM earned roughly $20 million nationwide on the arrangement.
GM’s own privacy policy says the company does not sell driving or location data, and that any sharing with insurers requires the customer’s consent. State investigators say neither claim is true. The settlement marks the California Department of Justice’s first enforcement of the data-minimization principle that took effect under the Consumer Privacy Act in 2023 — the rule that says a company cannot keep personal data longer than necessary, or use it beyond what it originally told the customer.
What GM has to do
Under the terms of the settlement, GM:
- pays $12.75 million in civil penalties;
- stops selling driver data to consumer-reporting agencies for five years;
- deletes retained driving data within 180 days unless the customer gives express consent;
- must ask Verisk and LexisNexis to erase the records they already received;
- must build and submit to oversight of an ongoing privacy-compliance program.
Why this matters in Wine Country
Wine Country runs on GM trucks. Ranch crews, vineyard managers, county roads departments, fleet operators across all four WCD counties — Silverados, Sierras, Tahoes, Suburbans. If you bought new since the mid-2010s, OnStar came on by default. The state has not broken out how many of the “hundreds of thousands” of Californians whose data was sold live in the North Bay, but the answer, in any working count, is a lot.
California already bars insurers in this state from using telematics data the way the brokers’ products invite them to. Drivers in other states have no such protection. So if your adult kid takes the old Silverado out to Reno, or you rent through a peer-to-peer service across the Nevada line, your data may have priced an insurance quote you never saw.
Why two of our DAs joined, and two didn’t
Bonta’s office runs multi-county cases like this with whichever district attorneys choose to sign on. Rodriguez and Haley said yes. The Mendocino and Lake DAs did not. Participating offices share in any office-level cost recovery from the settlement and put their names on a national first — the first time California enforces the CCPA’s data-minimization rule, against one of the largest automakers in the country.
The absence of Lake and Mendocino is not, by itself, a story about negligence. Both offices are smaller, with thinner consumer-protection capacity than Sonoma’s or Napa’s. But it is a story about which prosecutors get to be in the room when the rules of California privacy law are written in court.
What you can do tonight
If you own a GM vehicle, you can request deletion of your driving data through GM’s customer privacy portal. Under the settlement, the company now has 180 days to comply unless you give it express, ongoing consent to keep the data. If GM resists, the California Privacy Protection Agency takes complaints from consumers directly. Either way, the leverage is now in writing: you do not have to argue the principle. The state already won that fight.
—
Editor notes (cut before publish):
- ~660 words.
- Verify Mendocino DA (likely Eyster) and Lake DA before naming. Currently unnamed in body.
- “GM’s customer privacy portal” — confirm URL (privacy.gm.com or similar) before adding link.
- CalPrivacy complaint URL: cppa.ca.gov/complaints (verify).
- Optional sidebar: short box on which other automakers (Ford, Honda, Toyota) have similar OnStar-equivalent telematics. Bonta’s release may name them as next targets.
- Follow-up Monday: short calls to Haley’s and Rodriguez’s offices for an update piece.