The California Attorney General's Office reached a $12.75 million agreement with General Motors that marks a turning point in the regulation of vehicle telemetry: state authorities concluded that GM, through its OnStar service and the "Smart Driver" program, collected driving and location data on California residents and sold it to intermediaries such as Verisk and LexisNexis without the notice and consent required by state law.
Beyond the amount, a record for civil privacy fines in California, the case matters because it is the first state enforcement action focused specifically on the data minimization rule: companies should collect and retain only what is strictly necessary for the stated purpose. The agreement requires GM to stop selling this data for five years, to ask buyers to delete the information already transferred, and to delete the records it retains within 180 days unless consumers give explicit consent to their retention.

The case confirms a trend that we have seen in the automotive industry and in the data ecosystem: connected vehicles generate valuable information (precise positions, travel patterns, driving behaviour) that can be quickly monetized and end up in driver-score products or profiles sold to insurers and other actors. This poses specific risks to people's privacy and physical security, from the identification of daily routines to the possibility of discriminatory use or unchecked commercial surveillance.
For the sector, the lesson is clear: the monetization of telemetry is no longer a grey area without consequences. Federal and state regulators have intensified monitoring; in this case, the California ruling adds to previous sanctions and restrictions from the Federal Trade Commission and to other investigations into data brokers. Companies that handle vehicle data need to build in privacy by design, review their contracts with third parties, and document the legal basis and retention period for the data they hold.
For consumers, the agreement offers practical tools and reminders. Those with connected vehicles should review the privacy policies and telemetry options in their manufacturer accounts or in services such as OnStar, request data deletion, and exercise their rights under California law (including the right to opt out of the sale of their data) where appropriate. The California Attorney General explains how to file complaints and understand these rights in his office's official statement.

For further information, there is journalistic and technical coverage of the history of the case and its impact on data brokers and insurers; BleepingComputer has published an accessible and up-to-date summary of the investigation in its analysis of the agreement. It is also worth reading the manufacturer's privacy policies to see how data is collected and used: for example, GM's global privacy statement describes the available options and the contacts for privacy requests.
In regulatory and market terms, expect more scrutiny of the relationship between manufacturers, telematics providers and data brokers. Regulators are beginning to sanction practices that were previously treated as commercially "acceptable"; the priority now is to demonstrate that collection has a legitimate, proportionate and transparent purpose. For companies, investment in compliance and independent audits will no longer be an optional cost and will become an operational requirement.
Finally, as a specific recommendation: if you have a modern vehicle with connectivity, check your contract and the associated app, disable functions you do not need, document any deletion requests you make and keep proof. If you live in California and believe that your rights have been violated, consult the state's complaint resources and, if appropriate, bring the complaint to the competent authorities. The precedent set by this agreement shows that privacy in the connected-car age is an active regulatory frontier and that both consumers and companies need to adapt.