GM's $12.75M CCPA Settlement Exposes Automaker Data Monetisation Practices
General Motors agreed to a $12.75 million settlement with California over alleged CCPA violations stemming from the sale of driver data without proper consent. The case highlights how automotive manufacturers are monetising connected vehicle data as a revenue stream while often failing to obtain explicit consumer permission.
Affected
General Motors' settlement with California's Attorney General reflects a growing tension between automotive connectivity and consumer privacy rights. The alleged violation centred on GM's practice of selling driver behavioural and location data derived from connected vehicles without obtaining affirmative consent under California's Consumer Privacy Act. This indicates GM treated driver data as a legitimate monetisable asset rather than sensitive personal information requiring explicit opt-in.
The technical context matters: modern vehicles generate continuous telemetry including location, speed, acceleration patterns, and vehicle diagnostics. GM's OnStar service collects this data as vehicles operate, creating a comprehensive dataset of driver behaviour. The distinction between data collection for vehicle operation and data commercialisation is legally and ethically significant. CCPA requires businesses to disclose data sales and provide consumers with a right to opt out, yet automakers have historically treated vehicle data collection as an opaque backend process invisible to consumers.
The $12.75 million penalty represents a material cost but likely represents a fraction of GM's data monetisation revenue. This settlement establishes precedent that automotive data sales fall under CCPA's scope and that California will enforce privacy rights in this emerging sector. Other automakers should anticipate similar enforcement actions, particularly those operating in or serving California consumers.
Organisations handling automotive data should treat connected vehicle telemetry as personal information requiring CCPA compliance: explicit disclosure of collection and commercial use, granular consent mechanisms, and user-facing opt-out mechanisms. The automotive industry's historical opacity around data collection now faces regulatory friction that will likely extend beyond California as other jurisdictions adopt similar privacy frameworks. Defenders and privacy officers should audit current data monetisation practices, map which datasets trigger consent requirements, and establish consent infrastructure before regulators target their organisation.
Sources