
California settles $12.75M CCPA case against General Motors
California Attorney General Rob Bonta announced a $12.75 million settlement with General Motors LLC on May 8, 2026, resolving allegations that the automaker unlawfully collected, retained, and sold Californians' driving and location data in violation of the California Consumer Privacy Act (White & Case). The settlement represents the largest CCPA penalty to date and marks a significant regulatory enforcement action focused on data minimization and consumer privacy rights.
Record Penalty and Core Allegations
The California Attorney General's office, alongside the California Privacy Protection Agency and local district attorneys, alleged that GM violated core CCPA principles by collecting, retaining, and selling covered driving data, including location information, without adequate legal basis or consumer consent (White & Case). The action is notably described as the state's first enforcement action centered on the CCPA's data-minimization principle, highlighting regulators' focus on preventing unnecessary data collection at the source (NatLawReview).
GM's OnStar service came under scrutiny for its practices surrounding driver and location data. The settlement requires GM to pay the full civil penalty and implement significant operational constraints on future data practices.
Settlement Terms and Compliance Obligations
Under the settlement, GM shall not sell or disclose covered driving data to consumer reporting agencies for five years absent consumer consent (White & Case). The company must also delete or destroy all previously retained covered driving data within 180 days of the settlement's effective date, subject to limited legal exceptions (White & Case).
Additionally, GM is required to obtain explicit consumer consent before collecting, using, or disclosing covered driving data for separate services or features, and must provide clearer privacy notices to California consumers. The automaker must also establish and maintain a comprehensive privacy program with ongoing reporting obligations to state regulators.
Broader Enforcement Implications
The settlement signals an escalation in California's CCPA enforcement posture, particularly regarding data practices tied to connected vehicles and location tracking. As automated systems increasingly drive data collection and retention decisions, regulators are targeting the operational mechanisms—including AI-adjacent decision-making—that enable large-scale data misuse. The outcome underscores that even major corporations face substantial financial and operational consequences when data minimization principles are violated.
This case demonstrates California's willingness to deploy record penalties to reshape privacy practices in regulated industries, with implications extending beyond automotive into any sector relying on continuous data collection.


