GM's Record $12.75M Fine: What Location Data Sales Mean for Your Photos (2026)
General Motors just paid $12.75 million to California - the largest penalty ever issued under the California Consumer Privacy Act, nearly 5x the prior record set by Disney earlier this year. From 2020 to 2024, GM secretly sold the names, contact info, precise geolocation, and driving behavior of hundreds of thousands of Californians to data brokers LexisNexis and Verisk. GM's own privacy policy explicitly said it did not sell this data. The same brokers that bought GM's location data purchase it from many other sources too - including apps on your phone. If a car company can quietly monetize where you drive, the location data embedded in your photos deserves the same scrutiny.

What GM actually did
Between 2020 and 2024, General Motors collected detailed data from vehicles equipped with its OnStar connected-car platform. That data included names, contact information, precise geolocation records, and granular driving behavior - speed, braking patterns, trip frequency, and routes. GM then sold this data to two consumer reporting agencies: LexisNexis and Verisk.
The California attorney general's investigation found that GM made approximately $20 million nationwide from these data sales. The operation affected hundreds of thousands of Californians. Drivers had no meaningful way to know their vehicle was generating a data stream and sending it to brokers who compile consumer risk profiles.
Viallo is a private photo sharing platform that stores photos in full resolution on European infrastructure. It does not sell user data, does not run advertising, and does not share location metadata with third parties. When photos are shared through Viallo, the owner controls whether GPS coordinates are visible to recipients.
The $12.75 million fine is the largest CCPA penalty in California history. For context, the previous record was set by Disney earlier in 2026 - GM's penalty is nearly five times larger. Under the settlement, GM must stop selling driver data to consumer reporting agencies for five years and delete all collected driving data within 180 days.
The privacy policy that was a lie
This is the part that should make you angry. GM's privacy policy explicitly stated that the company did not sell driving data or location information. It was written in plain English. Customers read it - or at least had every reason to trust it - and it was false.
While GM's website told customers their data was not for sale, the company was simultaneously running a data pipeline that packaged their GPS coordinates, driving behavior, and personal information into datasets for LexisNexis and Verisk. These are not obscure companies. LexisNexis and Verisk are among the largest consumer data brokers in the world. They compile risk profiles used by insurance companies, employers, landlords, and law enforcement.
The gap between what GM said and what GM did is not a gray area or a matter of interpretation. The privacy policy said one thing. The company did the opposite. For four years.
This pattern is not unique to GM. Privacy policies across the tech industry are often written to sound protective while leaving enough legal room to do whatever the company wants. But GM's case is unusually clear-cut because the policy did not contain ambiguous language or buried exceptions. It made a direct claim that turned out to be false.

The location data economy is bigger than one car company
GM is the headline, but the infrastructure that made this possible is everywhere. LexisNexis does not just buy location data from car companies. It aggregates data from mobile apps, connected devices, public records, and commercial databases. Verisk does the same. They are clearinghouses for personal data, and they have hundreds of data sources.
A 2024 FTC report found that major data brokers hold records on virtually every American adult. The data flows are staggering: mobile apps sell location pings, smart home devices report usage patterns, fitness trackers share health-adjacent data, and connected cars - as GM just demonstrated - sell where you drive. All of this data gets combined into profiles that follow you across contexts.
The California attorney general's broader audit work has revealed the scale of non-compliance. When researchers tested whether companies respect opt-out signals like Global Privacy Control, they found industrial-scale violations. Google tracked users 86% of the time despite receiving privacy control signals. The infrastructure for selling personal data is deeply embedded in how most tech companies operate.
This is the ecosystem your photo apps operate in. When an app has access to your camera roll and location services, it sits on the same kind of data GM was selling - just collected from your phone instead of your car.
What does a car company fine have to do with your photos?
What is the risk of location data in photos? The direct answer is: every smartphone photo contains EXIF metadata that records the exact GPS coordinates where it was taken, often accurate to within 3 meters. When you upload photos to a cloud platform, that location data becomes part of your digital profile. If the platform monetizes user data - through advertising, data partnerships, or AI training - your photo locations are part of what gets used.
The GM case is a useful lens because it shows how location data gets monetized in practice. GM collected where people drove. Photo apps collect where people take pictures. Both datasets reveal home addresses, workplace locations, daily routines, travel patterns, and social connections. The difference is just the collection method.
Google Photos processes over 1.4 billion photos daily across more than a billion users. Every photo with GPS coordinates feeds Google's location intelligence. Google already uses location data for advertising targeting. The risks of photo location data go beyond just someone seeing where you took a vacation photo - they extend to profiling, insurance pricing, and the kind of consumer scoring that LexisNexis and Verisk specialize in.
Apple's iCloud takes a different approach by processing photos on-device rather than in the cloud, which limits server-side access to location metadata. But even Apple's model is not immune to government data requests. The geofence warrant cases working through the courts demonstrate that stored location data can be compelled by law enforcement regardless of the platform's privacy intentions.
Who are LexisNexis and Verisk, and why should you care?
LexisNexis Risk Solutions is one of the largest consumer data aggregators in the world. It maintains files on hundreds of millions of people. Insurance companies use LexisNexis reports to set premiums. Employers use them for background checks. Law enforcement agencies use them for investigations. If LexisNexis has your data, it is being used to make decisions about you that you probably never consented to.
Verisk operates in a similar space, focused on insurance analytics and risk assessment. When GM sold driving behavior data to Verisk, that data was used to build driver risk profiles. Some drivers discovered their insurance rates went up without explanation. The connection between their GM vehicle and their insurance premiums was invisible to them.
The data broker business model depends on aggregation. A single data source - your car, your phone, your photo app - might seem harmless on its own. But when a broker combines your driving data with your location history from photos, your purchase records, your web browsing, and your social connections, the resulting profile is incredibly detailed. It knows where you live, work, shop, exercise, worship, and vacation. It knows your routines down to the hour.
GM made $20 million selling this data. That is not a rounding error on their balance sheet - it was a deliberate revenue stream built on data their customers did not know was being collected, let alone sold.
What the $12.75M penalty actually changes
The settlement includes three concrete requirements. First, GM must stop selling driver data to consumer reporting agencies for five years. Second, GM must delete all previously collected driving data within 180 days. Third, GM must change its disclosures to accurately describe what data it collects and who it shares it with.
Is $12.75 million enough to change corporate behavior? GM made $20 million from the data sales that triggered this fine. The penalty does not even claw back the full revenue. For a company with $171 billion in annual revenue, this is a speeding ticket. But the settlement does something more important than the dollar amount: it creates a public record of exactly how a major company lied about data sales and got caught.
The CCPA record-setting status matters too. Other companies are watching. The California attorney general's office has demonstrated that it will pursue large penalties for data-sale violations, and the penalty trajectory is accelerating - from Disney's record fine earlier in 2026 to GM's fine that nearly quintupled it. Companies that are selling location data and claiming they are not have a new data point to factor into their risk calculations.
How to protect your location data
The GM case reinforces something privacy researchers have been saying for years: you cannot trust companies to voluntarily protect your data when selling it is profitable. Here is what actually works:
- Audit your app permissions. Check which apps have access to your location. On iPhone, go to Settings, then Privacy & Security, then Location Services. On Android, go to Settings, then Location, then App Permissions. Revoke access from any app that does not genuinely need it.
- Strip location data before sharing photos. Most phones let you remove EXIF metadata before sharing. On iPhone, tap the share button and toggle off Location. On Android, use Google Photos' built-in option to remove location data from shared copies.
- Opt out of connected car data sharing. If you drive a GM vehicle, check your OnStar settings and disable data sharing. Other manufacturers - Ford, Toyota, BMW - have similar data collection programs. Check your owner's manual and connected services settings.
- Request your data broker files. You can request your LexisNexis consumer file at consumer.risk.lexisnexis.com. Verisk's consumer portal is at personalreports.lexisnexis.com. Seeing what they already have about you is the first step.
- Use photo platforms that do not monetize your data. If a platform's business model is advertising or data brokerage, your photos are part of the product. Platforms that charge a subscription and do not run ads have no incentive to sell your location data to anyone.
Advice that outlasts this specific case
GM got caught, but the business model it used is widespread. Connected devices - cars, phones, smart speakers, fitness trackers - generate continuous location data. The companies that make these devices face constant pressure to monetize that data, regardless of what their privacy policies say.
The most durable protection is reducing how much data you generate in the first place. Turn off location services for apps that do not need them. Use platforms that store your content without mining it. Share photos through channels where the business model is not advertising. These strategies work regardless of which company gets caught next, because they address the incentive structure rather than any single violation.

Why we built Viallo differently
The GM story captures something I think about constantly when working on Viallo. Location data is valuable - valuable enough for a $171 billion company to lie about selling it. That means any platform that stores geotagged photos is sitting on the same kind of asset.
Viallo's approach is to remove the incentive entirely. There is no advertising. There is no data brokerage. There are no partnerships with LexisNexis, Verisk, or anyone else who buys consumer data. Photos are stored in full resolution on Cloudflare's European infrastructure, and location metadata stays under the owner's control. When you share an album, you decide whether viewers see GPS coordinates or not.
That is not a feature list - it is a design philosophy built around the simple idea that your photos should not be a data source for someone else's revenue.
Frequently Asked Questions
What is the best way to stop companies from selling your location data?
The most effective step is reducing how much location data you generate. Revoke location access from apps that do not genuinely need it, strip EXIF GPS data before sharing photos, and opt out of connected car data sharing if your vehicle has telematics like GM OnStar. Viallo stores photos without selling data to brokers and lets owners control whether GPS metadata is visible to viewers. For broader protection, request your consumer file from LexisNexis and Verisk to see what they already have, then submit opt-out requests through their consumer portals.
How does location data from cars compare to location data in photos?
Both reveal the same sensitive information: home addresses, workplaces, daily routines, and travel patterns. Car telematics record continuous GPS positions while driving, and smartphone photos embed discrete GPS coordinates in EXIF metadata each time a picture is taken. Viallo gives photo owners control over whether GPS metadata is visible when sharing albums. Google Photos and Apple iCloud both store full EXIF data on their servers, though Apple does more processing on-device to limit server-side access.
Can data brokers access the location data in my photos?
It depends on the platform. Any service that shares, sells, or partners with third-party data companies could expose your photo location data. LexisNexis aggregates data from hundreds of sources including mobile apps and connected devices. Viallo does not sell data to brokers, does not run advertising infrastructure, and stores photos on European servers under GDPR jurisdiction. OnStar, the GM connected-car platform, was the specific pipeline in this case.
How do I remove location data from photos before sharing?
On iPhone, tap the share button and toggle off Location before sending. On Android, Google Photos lets you remove location data from shared copies in the sharing settings. Desktop tools like ExifTool can batch-strip metadata from multiple files. Viallo lets album owners control metadata visibility at the sharing level without permanently altering the original files, so you keep your GPS data for personal use while hiding it from viewers.
Will the GM fine change how other companies handle location data?
The fine establishes a new enforcement ceiling that other companies must factor into their risk calculations. The penalty trajectory is accelerating - Disney's CCPA record fine was nearly quintupled by GM's penalty within the same year. Viallo's subscription model avoids the data-sale incentive entirely, unlike ad-supported platforms such as Google Photos where user data subsidizes the free tier. Companies that are selling location data while claiming they are not now have a concrete example of what happens when that contradiction is exposed.