GM and Kochava Face Major Consequences for Selling Consumer Data Without Consent

Want to receive these privacy recaps in your inbox each week? Subscribe here.

General Motors and data broker Kochava both recently entered settlement agreements for selling consumer data without proper disclosure or consent, which has led to previous legal consequences for both companies across multiple jurisdictions. Both cases demonstrate that a single data practice can trigger a wave of actions under the United States’ growing multi-jurisdictional privacy framework.

Keep reading to learn more and discover my takeaways.

United states

California AG Bans GM From Selling Consumer Driving Data to Data Brokers.

California Attorney General Bonta reached a $12.75 million settlement agreement with General Motors over the alleged sale of consumer driving data in violation of the California Consumer Privacy Act (CCPA). Specifically, GM allegedly sold data brokers Lexis and Verisk the names, contact information, precise geolocation data and driving behavior that GM collected through the app-based “Smart Driver” feature of its OnStar connected car service. Lexis and Verisk used this data to offer a driver-rating product for insurers, and GM allegedly violated the CCPA by failing to inform consumers that it sold their driving data for that purpose.

GM disclosed only that it shared the data to develop or improve its services and when the consumer elected to receive a service from a third party or authorized a third party to request data from GM. GM also allegedly failed to provide consumers the opportunity to opt out of such sales or to limit the use of their sensitive personal information. Finally, the complaint alleged that GM violated the CCPA’s data minimization requirements by retaining driving and location data longer than necessary to operate OnStar and Smart Driver and by sharing more data than necessary to achieve the insurers’ purposes for that data. 

In addition to the monetary settlement, GM will be banned from selling driving data to any consumer reporting agencies for five years and must delete any retained driving data within 180 days without consumers’ affirmative express consent. 

TAKEAWAY

California isn’t the first jurisdiction to act against GM over this activity. The FTC finalized a settlement with GM and OnStar in early 2026 based on allegations that the companies engaged in unfair or deceptive acts or practices under the FTC Act. That settlement also imposed a 5-year ban on the disclosure of certain data to consumer reporting agencies and required the companies to take certain measures (including obtaining affirmative, express consent from consumers prior to most collection, use, or sharing of connected vehicle data) for the next 20 years.  

The Attorneys General of Nebraska, Texas and Iowa have also taken action against GM over these activities. This exemplifies that, under the multi-jurisdictional privacy model steadily growing in the United States, a single data practice can trigger a domino effect of legal and financial penalties. 

FTC Bans Kochava From Selling Sensitive Location Data.

Ending an almost 4-year legal battle, the FTC and Kochava agreed to settle allegations that the data broker’s collection, use and disclosure of precise location data without consumer knowledge or consent constituted an unfair or deceptive act or practice under the FTC Act. 

Under the settlement, Kochava and its subsidiary, Collective Data Solutions, are prohibited from selling, licensing, transferring, sharing or disclosing sensitive location data in any products or services unless they obtain the consumer’s affirmative express consent and use the data to provide a service directly requested by the consumer.

TAKEAWAY

Class actions in multiple states, including California, Massachusetts and Idaho, have previously settled with Kochava over this activity (providing another example, like GM above, of the multi-jurisdictional consequences that can arise from a single data practice). Even after the 2025 settlements, Kochava continued to defend itself against the FTC claims, most recently asserting, among other arguments, that the actions complained of occurred with the express and/or implied consent of the relevant individual (whether by failing to exercise opt-out, exclusion or deletion rights under applicable state privacy laws or by affirmatively opting in through Apple’s App Tracking Transparency (ATT)).

The court never ruled on that assertion, so we still don’t know the specific legal parameters of consent required to avoid an unfairness claim under the FTC Act. However, under the settlement order, the restrictions apply to any precise location data Kochava collected without Affirmative Express Consent. 

This consent is defined very similarly to GDPR-style consent: “any freely given, specific, informed, and unambiguous indication of an individual consumer’s wishes demonstrating agreement by the individual, such as by an affirmative action, following a Clear and Conspicuous disclosure to the individual” of the categories of information collected, the purposes for which it is collected, used, or disclosed and hyperlinks to a document describing the types of entities to whom information is disclosed and a simple, easily-located means by which the consumer can withdraw consent. This indicates that, at least in the FTC’s view, obtaining consent beyond implied (opt-out) or ATT consent is necessary for sharing sensitive location data.       

A LITTLE MORE PRIVACY, IF YOU PLEASE

• Connecticut Legislature Passes Privacy Amendments 
• Didomi releases a complimentary Forrester Report on privacy regulation and its impact on marketing
• Colorado Legislature Passes Bill Requiring Age Signal Support
• Canada OPC Launches Age Assurance Guidance
• What is the average acceptance rate in the United States in 2026?
• Canada OPC Finds ChatGPT Model Training in Violation of PIPEDA
  
  

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.