⚖️ General Motors $12.75M settlement

Background on the GM Data Privacy Settlement

In a major privacy-related settlement, General Motors (GM) has agreed to pay $12.75 million in civil penalties following an investigation led by California Attorney General Rob Bonta. The settlement addresses allegations that GM’s OnStar program surreptitiously collected and sold the geolocation and driving behavior data of hundreds of thousands of drivers to data brokers like LexisNexis and Verisk Analytics. While this practice reportedly generated roughly $20 million in revenue for the automaker, it sparked significant public outcry and regulatory scrutiny after reports surfaced that such data was being used by insurance companies to potentially hike premiums. Although California's specific insurance laws prevented these rate increases within the state, the settlement underscores a broader crackdown on deceptive data practices, following a similar final order from the Federal Trade Commission (FTC) that banned GM from selling specific consumer data to reporting agencies.

Strategic Insights for Data-Driven Startups

For startup founders, this case serves as a stark warning about the risks associated with "data monetization" as a secondary revenue stream. The core legal failure here wasn't just the collection of data, but the breach of the data minimization principle—a cornerstone of modern privacy laws like the CCPA and GDPR—which dictates that companies should only collect and retain data necessary for a specific, disclosed purpose. GM’s experience illustrates that even if a practice is technically profitable in the short term, the resulting "privacy debt" can lead to massive settlements, brand damage, and restrictive five-year bans on certain business operations. Founders must recognize that regulatory bodies are increasingly looking past fine-print disclosures to determine if a consumer’s "meaningful consent" was actually obtained before their personal information was commercialized.

Risk Mitigation for Founders

The most immediate action for any founder handling user data is to conduct a "Data Retention and Consent Audit" to ensure that the information you hold is being used exactly as promised at the point of collection. You should establish clear, transparent opt-in mechanisms rather than relying on pre-checked boxes or buried clauses, as regulators like AG Bonta are explicitly targeting companies that reassure users of privacy while simultaneously selling their insights. Practically, this means you should implement a data deletion schedule to purge any information that no longer serves its primary functional purpose, thereby reducing your liability in the event of a breach or investigation. Finally, when drafting your privacy policy, avoid vague language about "improving user experience" if the ultimate goal is third-party data sharing, as the delta between stated intent and actual practice is now a primary trigger for multi-million dollar enforcement actions.
