Five Lessons From California’s OnStar Privacy Settlement | Sheppard

https://www.jdsupra.com/legalnews/five-lessons-from-california-s-onstar-5223883/

Publish Date: 2026-05-14 13:02:00

Source Domain: www.jdsupra.com

Key Takeaways

California has reached a $12.75 million settlement with General Motors over the company’s treatment of OnStar driving data. This case follows a similar settlement between the company and the Federal Trade Commission, finalized in January.

According to CalPrivacy’s press release, GM collected both contact information and geolocation and driving‑behavior data from OnStar users. The summary of facts from CalPrivacy aligns with the FTC’s description of GM’s OnStar program. According to the FTC’s complaint, OnStar users could decline to accept the OnStar terms and privacy policy, but if they did, the FTC alleged the enrollment process was confusing and did not clearly explain which features would work and which would not work.

Both California and the FTC allege that the OnStar data was sold to two data brokers: LexisNexis and Verisk. These entities, they argued, used the data for driver‑rating products marketed to auto insurers. This occurred, according to CalPrivacy, even though the sharing was not disclosed in the GM privacy policy.

GM has settled with CalPrivacy, as it did with the FTC. It has agreed to pay $12.75 million, the largest CCPA penalty to date (subject to court approval). There are many lessons about regulatory expectations that companies can learn from the settlement terms. These are helpful in the connected device space – and beyond:

  1. Assess how you will minimize data collection and retention: Regulators are concerned about the amount of information companies collect and retain. Here, in what CalPrivacy states is the first CCPA case about data minimization, GM agreed to delete previously retained driving data (subject to limited exceptions) and to request that LexisNexis and Verisk delete the driving data they received from GM. GM has also agreed not to sell driving data to consumer reporting agencies for the next five years.
  2. Evaluate your process for obtaining consent: Providing notice and getting…
