California Announces Record $12.75 Million CCPA Settlement with GM Over Connected Vehicle Data
Authors: Myriah V. Jaworski, Chirag H. Patel, Matthew Mejia
On May 8, 2026, California Attorney General Rob Bonta, together with several California district attorneys and the California Privacy Protection Agency, announced a $12.75 million settlement with General Motors and its connected vehicle service OnStar. The settlement resolves allegations that the companies violated the California Consumer Privacy Act (CCPA), the California Unfair Competition Law, and the California False Advertising Law by collecting and selling connected vehicle data without adequate consumer notice or consent.
The case focuses on GM’s alleged sale of vehicle-generated data—including precise geolocation and driving behavior—from hundreds of thousands of California consumers to data brokers. However, the settlement, which remains subject to court approval, imposes both a record monetary penalty and significant compliance obligations and interpretations of the CCPA that are relevant to all businesses.
Key Takeaways
Largest CCPA Enforcement to Date
The $12.75 million settlement is the largest CCPA penalty imposed to date. It significantly exceeds prior enforcement actions and underscores California regulators’ willingness to pursue aggressive privacy enforcement.
Notably, the outcome contrasts with a separate January 2026 settlement between GM and the Federal Trade Commission resolving similar allegations without a monetary penalty.
Focus on Connected Vehicle Data
Unlike prior CCPA actions involving automakers, this case centers on vehicle-generated telemetry and location data, including: precise geolocation, hard braking and acceleration events, speed threshold crossings, seatbelt usage, late-night driving, and trip timing and duration. Companies developing connected vehicle services, automotive software, or telematics products may view this enforcement action as a significant regulatory signal; however, the takeaways from this enforcement action apply to all businesses regardless of industry.
A Convergence of Compliance Failures
Even companies outside the connected vehicle industry may take note of the breadth of issues implicated in this case. The complaint raises concerns involving:
- data broker relationships
- consumer notice and opt-out mechanisms
- sensitive personal information
- purpose limitation
- data minimization
- regulatory response obligations
- internal privacy governance
- de-identification practices
- downstream contractual obligations
- federal preemption
Taken together, these issues explain the unusually large penalty.
a. Data Broker Relationships Under Scrutiny
Data broker enforcement has become a central focus of regulators, and this case demonstrates the potential consequences. According to the complaint, from 2020 through 2024, GM sold the names, contact information, geolocation data, and driving behavior data of hundreds of thousands of California residents to LexisNexis Risk Solutions and Verisk Analytics. These transactions allegedly generated approximately $20 million in nationwide revenue.
The GM enforcement action targets the company supplying the data to brokers, rather than the brokers themselves, reinforcing regulators’ focus on upstream data flows. However, with the upcoming Data Broker Registration Program (DROP) deadline on August 1, additional enforcement activity against registered and unregistered data brokers is likely.
b. Notice and Opt-Out Must Cover All Data Flows
Regulators alleged that although GM disclosed sales of personal information and offered an opt-out mechanism, consumers could not actually prevent data transfers to the brokers. The case reinforces a growing regulatory theme: An opt-out mechanism must effectively stop all applicable data sales or sharing. This position is consistent with prior enforcement actions against Disney and Sling, where regulators found that an opt-out that did not apply across all data flows was not effective.
c. Increased Enforcement Around Sensitive Data
The complaint also addresses the sale of precise geolocation data, which regulators consider sensitive personal information under the CCPA. Companies that collect or share precise location data may review their mechanisms for allowing consumers to limit the use and disclosure of sensitive personal information.
d. Purpose Limitation and Data Minimization
The enforcement action enforces–for the first time–the CCPA’s principles of purpose limitation and data minimization. Regulators allege that GM used data collected to operate OnStar services for a separate, undisclosed purpose—supporting insurance risk scoring. The complaint also asserts that GM retained and disclosed more data and for a longer time period than was reasonably necessary for those purposes. The enforcement action stands as an important reminder that regulators take the CCPA’s data minimization requirement seriously, will evaluate the data collected in light of the disclosed purposes and the timeframes reasonably necessary to effectuate that purpose, and will not simply defer to a business’s judgment regarding same.
e. Privacy Governance and Risk Assessments
The complaint notes that GM maintained a formal privacy program but allegedly failed to follow its own internal requirements, including documented risk assessments.
The case serves as an early signal of enforcement around the CCPA’s risk assessment requirements. The CCPA requirement to conduct risk assessments took effect on January 1, 2026, and companies will need to begin filing attestations by April 1, 2028. The settlement requires that GM’s annual compliance reports be reviewed and approved by its CPO and provided to the offices of the GC and CEO, reinforcing the top-level accountability required under newly adopted CCPA regulations.
f. De-Identification as a Compliance Strategy
The settlement allows GM to retain and use de-identified data for research and product improvement without obtaining consent, provided the data is not used for marketing and only de-identified data is shared with third parties.
This aspect of the settlement signals that regulators continue to view proper de-identification as a viable compliance mechanism under the CCPA.
g. No Blanket Federal Preemption
Finally, the complaint clarifies that compliance with federal laws, such as the Fair Credit Reporting Act, does not create a blanket exemption from CCPA obligations. Because the CCPA does not provide entity-level exemption, FCRA-regulated industries may still have data flows subject to CCPA compliance obligations. Businesses should continue to carefully scrutinize the regulatory status of each data flow.
Practical Implications for Businesses
Companies should consider the following compliance steps:
- Review data flows to data brokers and analytics providers
- Confirm opt-out mechanisms actually stop all applicable data sales or sharing
- Evaluate handling of precise geolocation and other sensitive data
- Document risk assessments and privacy program governance
- Ensure regulatory responses reflect complete and accurate data practices
- Consider de-identification strategies for analytics and product development uses
This case demonstrates that California regulators are prepared to bring large enforcement actions where multiple privacy obligations intersect.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.