Driving Data Settlement, Breach Disruption, Surveillance Growth
Yesterday's privacy news was split between one clear enforcement action and several operational risks. California closed its case against General Motors over connected-car data sales, while schools dealt with the fallout from the Canvas cyberattack and surveillance systems kept widening their reach.
The most concrete move was California's settlement with GM. State prosecutors said the company sold Californians' names, contact information, geolocation data, and driving-behavior data to brokers including Verisk Analytics and LexisNexis Risk Solutions. GM will pay $12.75 million, stop selling driving data to consumer reporting agencies for five years, delete existing driving data within 180 days unless otherwise permitted, and maintain a formal privacy program.
Instructure, which runs the Canvas learning platform, said a criminal intrusion exposed names, email addresses, student ID numbers, and messages on the service. The incident also pushed Canvas into maintenance mode and disrupted schools and universities during finals and end-of-term work. Even where passwords and core coursework were not part of the exposed set, the episode is a reminder that communications and availability are both privacy problems when a platform sits at the center of daily operations.
Surveillance also stayed in view. Las Vegas police expanded their drone-as-first-responder program, increasing live aerial monitoring before officers arrive at a scene. Separate reporting also described DHS use of mobile biometric tools and local license plate reader data in immigration enforcement and protest contexts. That is not the same as a new national rule, but it shows how drones, plate readers, face capture, and data sharing are becoming more tightly connected in routine practice.
Key Points
- California's GM settlement imposes $12.75 million in penalties plus a five-year halt on certain driving-data sales, deletion requirements, and a mandatory privacy program.
- The GM case matters because it targets connected-car data monetization and downstream broker sharing, not just breach response.
- Canvas said exposed data included names, email addresses, student ID numbers, and messages, while outages hit schools during high-stakes academic periods.
- Las Vegas expanded police drone deployment, and fresh reporting kept federal-local use of biometrics and license plate reader data in focus.
Implications
State privacy enforcement is moving further into prescriptive limits on data use, retention, and third-party sharing in connected products.
Education and other platform vendors remain concentrated privacy dependencies, where one intrusion can expose communications and interrupt core services at the same time.
Public-sector surveillance capacity is still growing through procurement and operational practice faster than clear legal limits are being updated.
Things to watch
- Whether other state regulators use the GM settlement terms as a template for connected-car investigations.
- Further detail from Instructure on notification scope, exfiltration findings, and any follow-on risks tied to exposed Canvas messages.
- Potential legal or local governance challenges to expanded drone deployment and cross-agency use of plate-reader or biometric data.
