
Technology Law


Takeaways from California's Record $12.75 Million GM Privacy Settlement

On May 8, 2026, California Attorney General Rob Bonta, together with the District Attorneys of San Francisco, Los Angeles, Napa, and Sonoma Counties, and with support from CalPrivacy, announced a $12.75 million settlement with General Motors LLC and OnStar LLC (collectively "GM") to resolve alleged violations of the CCPA, the Unfair Competition Law, and the False Advertising Law. The settlement, subject to court approval, arises from GM's alleged collection and sale of driving and location data from hundreds of thousands of California consumers through its OnStar connected vehicle service to two data brokers without adequate notice or consent. You can read the complaint here and the proposed settlement here. Below are some key observations.

1. The Massive Penalty

At $12.75 million, this is by far the largest CCPA penalty in California history, nearly five times the prior record set by the Disney settlement earlier this year. The penalty is also only part of the story. The settlement imposes substantial injunctive obligations on GM going forward, including restrictions on how it collects, uses, and shares connected vehicle data. Particularly notable is the contrast with the FTC, which in January 2026 finalized an order settling substantially similar allegations against GM with no monetary penalty. California is not standing still, and I don't see federal privacy preemption happening anytime soon.

2. The First True Connected Vehicle Case

There have been prior CCPA actions involving automakers, but those arose from alleged opt-out and website violations. This case is specifically about vehicle-generated data, including precise geolocation, hard braking, hard acceleration, speed threshold crossings, seat belt usage, late-night driving, and trip time and duration. If you manufacture, sell, service, or build software for connected vehicles, this case is directly applicable to you.

3. A Perfect Storm of Violations

Even if you aren't in the connected vehicle industry, this case has important takeaways. There are takeaways relating to data brokers, notice and opt-out, sensitive data, purpose limitation, data minimization, investigatory response, data governance, de-identification, downstream obligations, and federal preemption. Together they explain why the penalty is so large. I further explore these takeaways below.

4. Data Brokers

Data broker cases are all the rage, and here we have one with real teeth. According to the complaint, from 2020 to 2024 GM sold the names, contact information, geolocation data, and driving behavior data of hundreds of thousands of Californians to LexisNexis Risk Solutions and Verisk Analytics, making approximately $20 million nationwide. Interestingly, the case was brought against the consumer-facing brand selling data to a data broker, not the data broker itself. With the DROP deadline around the corner (August 1), expect more data broker cases.

5. Notice and Opt-Out

This is another action involving failure to provide notice and opt-out for sales, but it has a unique twist since it concerns a connected vehicle, not a website, app, or CTV. GM's website privacy policy stated that GM sells personal information and provided an opt-out, but at the same time represented that consumer vehicle data would only be used to operate OnStar services. The opt-out had no effect on data flowing to the brokers, and, accordingly, consumers had no way to fully effectuate their opt-out rights. The takeaway is similar to that in Disney and Sling: an opt-out that doesn't cover all of your data flows isn't an opt-out.

6. Sensitive Data

While geolocation data has attracted significant regulatory attention in recent years, this case is the first CCPA case to expressly discuss geolocation data. According to the complaint, GM sold consumers' precise geolocation data, including the locations where consumers parked their vehicles, to Lexis without providing any mechanism for consumers to limit that disclosure. If your business collects or sells precise geolocation data, you need to review the CCPA's obligations for limiting the use and disclosure of sensitive personal information. The timing of this case isn't surprising. Virginia, Maryland, and Oregon all recently banned the sale of geolocation data. This is an area to pay attention to.

7. Purpose Limitation

This is the second CCPA enforcement action to address purpose limitation, following the AG's settlement with Healthline. According to the complaint, consumers understood their data was being collected to operate OnStar services, but they had no reason to expect it would be sold to data brokers to help insurers set premiums.

Purpose limitation requires that personal information be used only for the purposes for which it was collected, or for another disclosed purpose compatible with the context of collection. The complaint identifies three ways GM violated this principle. First, the insurance-rating purpose was never disclosed to consumers at all. Second, even if it had been disclosed, the complaint argues it likely still would have failed the compatibility test. Third, and most notably, the complaint states that disclosing driving behavior data to set premiums is an unlawful purpose and an unlawful purpose likely can never satisfy purpose limitation.

This is a stringent reading of purpose limitation and is an area that I expect privacy professionals and businesses will dig deeper into over the coming months.

8. Data Minimization

The complaint emphasizes that this is the first lawsuit to enforce the CCPA's data minimization principle. According to the complaint, GM violated data minimization by retaining data beyond the timeframe reasonably necessary and proportionate to the purposes for which data was collected. Specifically, GM began collecting driving and location data in 2016 but did not start selling it until 2020, years after it should have been deleted. Moreover, GM allegedly sent precise geolocation data to Lexis when Lexis did not need that data for its driver-rating product. The contractual permission to send data is not the same as a legitimate need to send it. This is the first enforcement of data minimization under the CCPA and it won't be the last.

9. Investigatory Response

This case also involves an alleged misrepresentation to a regulator. As part of its 2023 connected car sweep, CalPrivacy specifically asked GM about its collection, use, and disclosure of driving and geolocation data. According to the complaint, GM's response made no mention of its sales to Lexis or Verisk. CalPrivacy only reopened the investigation after the New York Times broke a story on this matter publicly in March 2024. It's worth noting that the individuals responding to CalPrivacy's inquiry may not have had full visibility into GM's data practices. That gap highlights why regulatory investigations require cross-functional preparation. The right people need to be in the room, and companies need to be confident in what they represent to regulators.

10. Data Governance

This case is a cautionary tale about privacy programs. According to the complaint, GM had a formal internal privacy program since at least 2019, which included restrictions around data use and requirements for written impact assessments, but failed to comply with it. A privacy program is only as good as its implementation; a document alone is not sufficient. The complaint also notes that GM could not provide a risk assessment covering its decision to sell driving data to Lexis and Verisk. This is an important point, since this case is now the second enforcement action to expressly reference the CCPA risk assessment requirement. The CCPA requirement to conduct risk assessments took effect on January 1, 2026, and companies will need to begin filing attestations by April 1, 2028. The settlement goes further, requiring that GM's annual compliance reports be reviewed and approved by its CPO and provided to the offices of the GC and CEO, a meaningful reminder that privacy program accountability now runs to the top of the organization.

11. De-identification

One of the more practically significant aspects of this settlement is the role de-identification plays in the injunctive terms. Unlike some FTC enforcement actions under the Biden administration that resulted in algorithmic disgorgement, the GM settlement preserves meaningful utility for de-identified data. GM is not required to obtain consent, and is not required to delete data, where it uses de-identified data for research or product improvement, provided that only de-identified data is disclosed to third parties for that purpose and marketing is excluded. Where data is not de-identified and consent is not obtained, deletion is the default outcome. For businesses thinking about how to structure their data practices going forward, this is a meaningful signal from California regulators.

12. Downstream Obligations

The settlement imposes obligations on GM that flow downstream. For example, GM cannot sell or disclose data to any third party to which it previously sold vehicle data until that party confirms receipt of deletion instructions. The settlement also requires GM to ensure that its dealer-facing documents, training materials, and incentive programs all instruct dealership personnel to give customers the opportunity to review and consent to applicable privacy notices before being enrolled in OnStar. The takeaway is that settlements have implications on many parties, not just the named defendant.

13. Federal Preemption

One last interesting point. The complaint includes a discussion of the relationship between the CCPA and the FCRA (Fair Credit Reporting Act). Per the complaint, being a regulated business does not provide a blanket CCPA exemption. This is notable because, unlike many other state privacy laws, the CCPA does not provide entity-level exemptions for regulated industries. If you operate in a regulated industry and assumed your federal compliance provides a state privacy shield, this case is worth a careful read.

Ultimately, GM’s errors here may stem from the decision to later monetize data without fully considering consumers’ privacy rights. Under the CCPA’s notice, opt-out, purpose limitation, and data minimization requirements, businesses risk large penalties and an injunction when they collect data to provide specific services to consumers, retain that data longer than necessary for those services, and then later sell it to third parties. The CCPA vests consumers with the right to understand and control how their data will be used when originally collected. It does not grant businesses carte blanche to later monetize their current or former customers’ personal information through opaque backroom deals.

Tags

technology law updates, privacy, settlement, california, gm, geolocation