Case Study: California v. General Motors / OnStar (2026)

14 June, 2026 | Cybersecurity & Data Privacy Law

Your Car Was Watching You.
GM Was Selling What It Saw.
California's Record $12.75 Million CCPA Settlement Changed the Rules for Every Business That Collects Consumer Data.

For four years, General Motors collected the precise location and driving behavior of hundreds of thousands of California drivers through its OnStar connected vehicle service — then sold that data to insurance data brokers, without adequate notice and without consent. The May 2026 settlement is the largest CCPA penalty in California history, and the first to enforce the law's data minimization principle. What it means goes far beyond the auto industry.

Case: People v. General Motors LLC & OnStar LLC (2026)
Announced: May 8, 2026
Settlement: $12,750,000 — Largest CCPA Penalty in California History
Enforcing: California AG, CPPA, LA/SF/Napa/Sonoma DAs
Governing Law: CCPA/CPRA · Cal. UCL · False Advertising Law

Case at a Glance

What GM did: Collected precise geolocation and driving behavior data from OnStar subscribers, retained it after its operational purpose ended, then sold it to LexisNexis and Verisk Analytics
What it was used for: LexisNexis and Verisk used the data to build driver-risk scores, which insurance companies used to set — and in some cases raise — subscriber insurance premiums
What GM told customers: GM affirmatively told OnStar subscribers their driving data would only be used for OnStar services and would not be sold — a representation regulators called deceptive
How much GM made: Approximately $20 million nationally from data sales to LexisNexis and Verisk between 2020 and 2024

OnStar, Driving Data, and a Business Model Customers Didn't Know About

OnStar launched in 1996 as a safety service — a button on the rearview mirror that connected drivers to live advisors who could call emergency services, unlock a stolen vehicle, or provide turn-by-turn navigation. By 2020, the service had evolved substantially. Modern OnStar-equipped vehicles were streaming continuous data: precise GPS location, speed readings, hard braking events, rapid acceleration, and other granular driving metrics — all of it flowing in real time from sensors embedded throughout the vehicle to GM's servers.[1]

GM's privacy disclosures told customers that their data would be used to provide OnStar services. Roadside assistance. Emergency response. Stolen vehicle recovery. Navigation. The disclosures were not entirely false — the data did power those services. What they did not say was that beginning in 2020, GM was also selling that same data — names, contact information, precise geolocation, and driving behavior metrics — to two companies: LexisNexis Risk Solutions and Verisk Analytics.[2]

LexisNexis and Verisk are not data companies in the general sense. They are consumer reporting agencies whose products are used by the insurance industry to assess risk. The driving data GM sold them was being incorporated into driver-risk scores — scores that auto insurance companies were using to set premium rates. In some cases, drivers were seeing their insurance rates increase based on data their car had collected without their knowledge and shared without their consent.[3]

The New York Times Report That Changed Everything

In early 2024, the New York Times reported that automakers — including GM — were sharing consumers' driving behavior with insurance companies. The reporting named specific drivers who had seen their rates increase and traced the data trail from vehicle sensors to insurer underwriting systems. The report triggered immediate responses from regulators across the country.

California's Department of Justice, already conducting privacy investigations of connected vehicle manufacturers, partnered with the District Attorneys of Los Angeles, San Francisco, Napa, and Sonoma Counties, and with support from the California Privacy Protection Agency, launched a formal investigation into GM's data practices. What they found formed the basis of the May 2026 enforcement action.[4]

The Attorney General's framing elevated incomplete CCPA compliance from a technical violation to affirmative consumer fraud. A business that collects data for one purpose and uses it for another — while telling customers otherwise — is not just non-compliant. It is deceiving them.

What Laws Were Violated — and Why the Combination Matters

The GM enforcement action was not a single-theory case. The California Attorney General alleged violations of three separate bodies of California law, and the combination is instructive for any business operating in California that collects and shares consumer data.

What the $12.75 Million Settlement Required

The size of the penalty reflects both the scale of GM's data practices and the multi-agency enforcement coalition. But the injunctive terms of the settlement — the behavioral changes GM was required to make — are in many ways more significant for understanding what California expects from businesses that collect and monetize consumer data.

The Two New CCPA Principles That Made This Case — and Why They Apply to Every Business

The GM settlement is the California Attorney General's first enforcement action specifically targeting the data minimization and purpose limitation requirements added to the CCPA by the California Privacy Rights Act, which took effect January 1, 2023. These principles were already in the statute — but until GM, no enforcement action had tested them. Now they have weight.

Which California Businesses Are Covered by the CCPA

The GM case involves a Fortune 500 company, but the CCPA's reach extends far beyond large corporations. Any business that meets one of three threshold tests is covered — and the thresholds are lower than most business owners realize.

The FTC Parallel Action — Federal and State Working Together

California's enforcement action did not occur in isolation. In January 2026, the Federal Trade Commission finalized a separate consent order with GM and OnStar over substantially the same conduct — prohibiting GM from sharing driver data with consumer reporting agencies for five years. The FTC action carried no monetary penalty. California's action, announced four months later, produced $12.75 million in civil penalties on top of comparable injunctive terms.[5]

The parallel enforcement reflects a coordinated approach that California regulators have signaled they intend to continue: federal agencies address systemic practices, California agencies impose financial accountability. For businesses that operate nationally, compliance with FTC guidance is no longer sufficient to avoid state-level liability.

Why This Matters

Five Things Every California Business That Collects Consumer Data Needs to Know After the GM Settlement

The GM case is not just an auto industry story. Every California business that collects personal information from customers — through a website, an app, a loyalty program, a connected product, or a service platform — operates under the same legal framework that produced a $12.75 million penalty. The principles are not new. The enforcement is.

Data Minimization Is Now Actively Enforced

The CPRA's data minimization requirements have existed since January 2023. The GM settlement is the first enforcement action to apply them. Collecting more data than your stated purpose requires — or retaining it longer — is now a documented enforcement priority for California regulators.

Purpose Limitation Means What It Says

Data collected for one business purpose cannot be repurposed for an incompatible secondary use without new disclosure and consent. If your privacy policy says data is used for X, you cannot use it for Y — even if Y would be commercially valuable.

Privacy Misrepresentations Are Consumer Fraud

The AG's decision to plead GM's conduct under the Unfair Competition Law — not just the CCPA — signals that incomplete or inaccurate privacy disclosures are not merely technical violations. They are potential consumer fraud claims with their own enforcement toolkit and damages exposure.

Downstream Data Liability Is Real

GM was required to request deletion from LexisNexis and Verisk — the recipients of the data, not just the original collector. California's enforcement framework treats upstream data sellers as responsible for how that data is used after transfer. Vendor contracts and data sharing agreements need to reflect this.

Multi-Agency Enforcement Is the New Normal

The GM case was joint enforcement by the state AG, the CPPA, and four county district attorneys. The collaboration signals that California has built an enforcement infrastructure designed to pursue significant data privacy violations — and that local prosecutors are now active participants.

How DiJulio Law Group Helps California Businesses Navigate Data Privacy

The GM settlement is a landmark moment in California privacy enforcement — but the legal framework it applies has been in effect since 2020 and was significantly strengthened in 2023. Businesses that collect consumer data in California, whether through a website, a mobile app, a connected service, or a loyalty program, are operating under obligations that are now being actively enforced with record-level penalties.

DiJulio Law Group advises businesses on business law compliance and contract and regulatory disputes throughout Glendale, Los Angeles, and Southern California. Understanding what the CCPA requires — what data you can collect, how long you can keep it, what you must disclose, and what you cannot do with it — is the foundation of privacy compliance for any California business. The GM case makes clear that regulators are now prepared to enforce those requirements with consequences that extend well beyond technical penalties.

If your business collects personal information from California customers and you are uncertain whether your current data practices, privacy disclosures, or vendor agreements align with current CCPA requirements, the time to assess that is before a regulatory inquiry — not during one.
