GM Settlement Signals a New Phase of CCPA Enforcement, Focused on Data Minimization and Transparency

Written by: Lee Merreot, Esq., CIPM, CIPP/US, CIPP/E, CDPO

California regulators have announced a landmark $12.75 million settlement with General Motors, marking the largest civil penalty imposed under the California Consumer Privacy Act (CCPA) to date.[1] While the monetary amount is notable, the more important takeaway is what the case signals about the trajectory of privacy enforcement in California.

The enforcement action reflects a clear shift away from narrow, procedural compliance, such as whether a privacy notice technically exists, and toward substantive scrutiny of data governance practices, including retention, data sharing, and alignment with consumer expectations.

Allegations Centered on Undisclosed Data Sharing

The settlement resolves allegations that GM sold sensitive consumer data to third‑party data brokers LexisNexis Risk Solutions and Verisk Analytics between 2020 and 2024.[1] According to California regulators, the data included consumer identifiers, precise geolocation information, and detailed driving behavior derived from connected vehicle and telematics systems.[2]

Authorities alleged that consumers were not adequately informed that their data would be sold to third parties and that GM implied the information would be used only for service‑related purposes, such as safety features and vehicle functionality.[1] Regulators further asserted that consumers were not provided with a meaningful mechanism to opt out of the sale of their data, a core requirement under the CCPA.

The data sold to LexisNexis and Verisk was reportedly used to develop driver risk and behavioral analytics products marketed to insurers, raising concerns about downstream use and consumer impact.[2]

Settlement Terms Emphasize Structural Compliance

In addition to the civil penalty, the settlement imposes sweeping operational requirements intended to reshape GM’s data practices on a long‑term basis.

Key provisions include:

  • A $12.75 million civil penalty, the largest in CCPA history
  • A five‑year prohibition on selling driver data to consumer reporting agencies
  • Mandatory deletion of certain retained driving data within 180 days, subject to limited exceptions
  • An obligation to request deletion of previously shared data from third‑party brokers
  • Implementation of a comprehensive privacy program, including ongoing oversight and reporting obligations[1]

This structure reflects a mature enforcement posture in which regulators are leveraging settlements to impose sustained governance changes rather than one‑time corrective actions.

A Notable Enforcement of Data Minimization

What makes this enforcement action particularly significant is regulators’ explicit reliance on data minimization and purpose limitation requirements within California’s privacy framework.[1]

According to the state, GM retained personal data longer than necessary for its disclosed purposes and later repurposed that data in ways inconsistent with the context in which it was collected.[1] Specifically, regulators focused on the sale of retained driving and location data for insurance‑related analytics, which they characterized as misaligned with consumers’ reasonable expectations when enrolling in connected vehicle services.

This approach signals that California regulators are now actively evaluating whether the entire data lifecycle is justified, not merely whether disclosures were provided at the point of collection.

Coordinated Enforcement and Broader Scrutiny of Data Brokers

The action was brought jointly by the California Attorney General, the California Privacy Protection Agency, and multiple local district attorneys.[1] The coordinated posture reflects an increasing willingness to pursue complex, multi‑agency enforcement actions involving large data ecosystems.

The GM settlement also highlighted the extent to which automakers were sharing driving and behavioral data with third parties, including insurers.[2] That attention has accelerated regulatory scrutiny of both data sellers and the broader broker ecosystem that monetizes behavioral and location data at scale.

Why Behavioral and Location Data Remains High Risk

The CCPA expressly defines certain categories of sensitive personal information, including precise geolocation, as inherently high risk. Such data, particularly when combined with behavioral data, is often collected continuously, supporting powerful inferences and allowing monetization in ways that meaningfully affect consumers’ financial and legal interests.

The GM case underscores that when this type of data is combined with downstream analytics and secondary markets, it attracts an elevated level of regulatory attention, particularly where consumers are unlikely to anticipate those uses.

Key Takeaways for Organizations

The GM settlement offers several practical lessons for organizations subject to California’s privacy regime:

  • Disclosures must reflect reality. Statements about how data “will be used” cannot diverge from actual business practices.
  • Opt‑out rights must be functional and meaningful. Paper rights without operational effect remain a primary enforcement target.
  • Data minimization is enforceable. Organizations should be prepared to justify collection, retention periods, and secondary uses.
  • Data sharing amplifies exposure. Selling or sharing data with brokers significantly increases regulatory risk, particularly where downstream use is opaque.

Bottom Line

The GM settlement represents a clear inflection point in CCPA enforcement. For companies and their counsel, its significance lies not simply in the record penalty, but in the legal theories regulators chose to elevate: data minimization, purpose limitation, and transparency that must be operationally true in practice, not merely defensible on paper. In other words, this is a signal that California is prepared to scrutinize whether an organization’s data uses remain reasonably necessary and proportionate throughout the lifecycle of the data, and whether secondary monetization or analytics uses fit the context in which the information was originally collected.

From a law firm and data privacy advisory perspective, the settlement also signals where enforcement is likely headed next. Regulators appear increasingly willing to test substantive privacy principles against real-world data ecosystems, especially where precise geolocation, behavioral data, connected-device telemetry, profiling, or broker-enabled downstream uses are involved. We expect future inquiries to focus not only on notice and opt-out mechanics, but also on retention schedules, internal purpose controls, data broker diligence, product design choices, and whether documented governance actually matches technical and commercial reality.

Businesses should respond by treating privacy compliance as a governance and product design issue, not solely a disclosure exercise. At a minimum, organizations must revalidate what categories of personal information they collect, why each category is necessary, how long it is retained, where it is shared, and whether any downstream use could be viewed as outside consumer expectations. They should test consent and opt-out pathways for real functionality, tighten contractual and operational controls over third-party recipients, and ensure sensitive or high-risk data uses are escalated for legal review before launch. A defensible program should be able to show regulators a coherent line from collection purpose to retention period to sharing rationale, all reflected in a comprehensive privacy notice.

The practical takeaway is that businesses should no longer view data minimization as an abstract principle or a low-priority enforcement obligation. It is becoming a measurable standard against which retention, repurposing, and monetization decisions may be judged. Organizations that build now for traceability, purpose discipline, and transparent consumer choice will be better positioned not only for California enforcement, but for a broader future in which privacy regulators increasingly expect companies to justify the full business case for the data they hold.

References

[1] California Attorney General’s Office, When It Comes to Data Privacy, Consumers Must Be in the Driver’s Seat: Attorney General Bonta, Partners Secure $12.75 Million General Motors Privacy Settlement, Office of the Attorney General, State of California (May 8, 2026), https://oag.ca.gov/news/press-releases/when-it-comes-data-privacy-consumers-must-be-driver%E2%80%99s-seat-attorney-general/

[2] Bill Toulas, GM Agrees to $12.75M California Settlement Over Sale of Drivers’ Data, BleepingComputer (May 11, 2026), https://www.bleepingcomputer.com/news/legal/gm-agrees-to-1275m-california-settlement-over-sale-of-drivers-data/