GM pays a 2 billion yen fine for selling driving data without consent.

The California Attorney General's office has announced a settlement with General Motors (GM) in a case where driving data acquired from 'connected cars' that are constantly connected to the internet was sold to data brokers without the explicit consent of the drivers. GM will be fined $12.75 million (approximately 2 billion yen).
When It Comes to Data Privacy, Consumers Must Be in the Driver's Seat: Attorney General Bonta, Partners Secure $12.75 Million General Motors Privacy Settlement | State of California - Department of Justice - Office of the Attorney General

GM agrees to pay $12.75M in California driver privacy settlement | TechCrunch
An investigation by the California Department of Privacy Protection revealed that between 2020 and 2024, GM sold the names, contact information, location data, and driving behavior data of hundreds of thousands of California residents to data brokers Verisk Analytics and LexisNexis Risk Solutions.
The New York Times reported that 'the data was shared with insurance companies and used to revise premiums,' but that report concerned a user residing in Washington state. California prohibits the use of driving data when setting insurance premiums, so it appears that the user was not affected by premium revisions due to the sale of data.
It has been alleged that manufacturers such as GM, Honda, Kia, and Hyundai are sharing driving data with insurance companies without explicit consent, and that this data is being used to review insurance premiums - GIGAZINE

However, it was discovered that GM did not notify data brokers that it was selling data, and misled consumers by suggesting that 'the data acquired will only be used to provide necessary services to subscribers of OnStar, a support service for connected cars.'

Furthermore, in its data sales, the company violated the purpose limitations and data minimization requirements added to the California Consumer Privacy Act (CCPA) in 2023.
Subject to court approval, GM will be required to implement the following measures under the settlement:
- Pay a $12.75 million (approximately 2 billion yen) fine.
- Suspend the sale of its operational data to consumer research institutions, including data brokers such as Verisk and LexisNexis, for five years.
- Unless the consumer explicitly consents, delete all driving data it holds within 180 days, except for specific, limited internal use.
- Request that Verisk and LexisNexis delete driving data.
- Develop and maintain a robust privacy program necessary to mitigate, assess, and document the risks of data collection through OnStar, and to ensure that GM complies with the CCPA.
- Report the privacy assessment to the Department of Justice, the State Attorney General, and the California Privacy Protection Agency.
in Vehicle, Posted by logc_nt




