California Reaches Record $12.75 Million CCPA Settlement with General Motors Over Driver Data

June 4, 2026

By Lynn Parker Dupree; LaQuan N. Bates

California has reached the largest settlement in the history of the California Consumer Privacy Act (CCPA). The $12.75 million agreement with General Motors, announced May 8, 2026, resolves allegations that GM sold drivers’ location and behavioral data to third-party data brokers in a manner that conflicted with its privacy policy representations to consumers.

The action was brought by California Attorney General Rob Bonta, alongside the California Privacy Protection Agency (CalPrivacy) and the district attorneys of San Francisco, Los Angeles, Napa, and Sonoma Counties. The penalty is nearly five times the previous CCPA record, set by a $2.75 million Disney settlement in February 2026, and it marks the first time California has pursued the law’s data minimization and purpose limitation requirements through enforcement. It is the eighth CCPA enforcement action to date.

Background

The case revolves around GM’s use of data collected through its OnStar platform, which provides drivers with connected vehicle features including emergency assistance and navigation. According to the complaint, GM allegedly collected personal data from OnStar subscribers between 2016 and 2024, including names, home addresses, phone numbers, precise GPS coordinates (including where people parked), and driving behavior signals such as speed, hard braking, rapid acceleration, and seat belt usage. Regulators further alleged that starting in 2020, GM began selling that data to two data brokers, Verisk Analytics and LexisNexis Risk Solutions, which intended to use it to build driver-risk scoring products for auto insurers. GM reportedly made around $20 million nationwide from those sales.

Central to the complaint was an alleged mismatch between GM’s data practices and what consumers were told in the privacy policy. The company’s privacy policy stated it would not sell driving or location data for insurance purposes. While GM’s website did include a general opt-out mechanism, regulators alleged it had no actual effect on data flowing to the brokers, leaving consumers without a meaningful way to exercise their rights.

When CalPrivacy asked GM in 2023 about its connected vehicle data practices as part of a broader industry sweep, regulators alleged the company’s response made no mention of the broker arrangements. The investigation was reopened after The New York Times reported on the practice publicly in March 2024.

Regulators also raised concerns about purpose limitation, alleging that the use of the data for third-party insurance scoring fell outside the scope of what consumers had agreed to when enrolling in OnStar. Parking location data was highlighted as particularly sensitive, given that it can reveal information about medical visits, religious practice, and home address. The complaint further alleged that GM had maintained a formal internal privacy program since at least 2019 that required written risk assessments, but was reportedly unable to produce documentation covering its decision to share data with the brokers.

The Alleged Violations

The complaint alleged violations across three California statutes:

  • CCPA: GM allegedly failed to disclose data sales to third parties, failed to provide consumers with functioning opt-out rights, used data for purposes alleged to be beyond the scope of its original collection, and retained data longer than the law’s minimization requirements permit. The CCPA’s data minimization and purpose limitation provisions were introduced by the California Privacy Rights Act (CPRA) and took effect January 1, 2023.
  • California Unfair Competition Law (UCL): GM’s conduct was alleged to constitute unlawful and unfair business practices.
  • California False Advertising Law (FAL): GM’s privacy disclosures, which represented that driving and location data would not be sold, were alleged to be misleading to consumers.

The complaint also noted that Verisk had written a clause into its contract with GM prohibiting the transfer of precise geolocation data, which regulators identified as a compliance requirement that allegedly went unaddressed.

The Settlement Terms

The proposed settlement, subject to court approval, requires GM to:

  • Pay $12.75 million in civil penalties.
  • Stop selling driving data to any consumer reporting agency or data broker for five years.
  • Delete all retained covered driving data within 180 days, unless consumers specifically consent to limited internal uses.
  • Direct Verisk and LexisNexis to delete the consumer data they received from GM.
  • Provide clear privacy notices at OnStar enrollment and obtain explicit consent before collecting or sharing covered driving data, with separate consent required for each distinct use.
  • Build and maintain a privacy compliance program for five years, with annual reports reviewed by GM’s Chief Privacy Officer, shared with the General Counsel and CEO, and submitted to California regulators.

Regulatory Context

This settlement is part of a wider enforcement framework. In January 2026, the FTC finalized a separate order over substantially the same alleged conduct, which also prohibited GM from selling driver data to consumer reporting agencies for five years, though that agreement carried no monetary penalty. California’s decision to pursue significant financial penalties alongside injunctive relief reflects the state’s increasingly active enforcement posture in this space.

GM also faces ongoing litigation in Texas over similar allegations. CalPrivacy had previously reached enforcement actions against Honda ($632,500, March 2025) and Ford ($375,703, March 2026) over connected vehicle opt-out violations, making this part of a sustained pattern of regulatory engagement with the automotive industry.

California drivers were not directly affected by insurance rate increases, since state law prohibits insurers from using driving behavior data to set premiums. Not all states have laws that contain that prohibition.

GM had already wound down the Smart Driver program in 2024 following customer feedback and had ended its data-sharing arrangements with Verisk and LexisNexis before the settlement was announced. In a statement, the company said the agreement “reinforces steps we’ve taken to strengthen our privacy practices.”

Key Takeaways

CCPA penalties are growing significantly. At $12.75 million, this is the largest CCPA penalty on record, nearly five times the $2.75 million Disney settlement that held the record just months earlier. California regulators have signaled openly that fines should be substantial enough to serve as genuine deterrents, and penalties will likely continue to increase.

Data minimization and purpose limitation are now active enforcement priorities. The CCPA’s minimization and purpose limitation provisions were introduced by the CPRA and have been in effect since January 2023. This settlement is the first action that enforces the data minimization principle. The amount of data collected, and how it is used relative to the purpose for which it was collected, are now clearly within the scope of regulatory scrutiny.

Opt-out mechanisms need to cover all data flows. A key element of the complaint was the allegation that GM’s provided notice of sales to data brokers and its opt-out did not extend to the data being shared with brokers, leaving consumers without an effective way to act on their rights. Regulators are examining whether opt-out rights function across every channel through which personal data is shared or sold, not just the most visible ones.

Documented privacy programs need to be reflected in practice. The complaint alleged a gap between GM’s documented compliance program and how data was actually handled. Regulators focused on that disconnect as a significant factor in the case, underscoring that documentation and operational reality need to be aligned.

State-level enforcement is an increasingly important consideration. The FTC resolved the same underlying allegations without a financial penalty. California’s settlement includes $12.75 million, a five-year ban, mandatory deletion, and accountability requirements that extend to the CEO level. For organizations operating in states with robust privacy laws, state enforcement activity is worth close attention.

What This Means for Businesses Going Forward

This case is a useful reference point for any organization that collects data through connected products or is thinking through how existing datasets might support new initiatives.

One area the complaint brings into focus is data retention. Regulators alleged that GM retained OnStar data well beyond the period reasonably necessary to support its original purpose, and treated that extended retention as part of the violation itself. Organizations may find it worthwhile to review whether their retention practices are clearly tied to defined, documented purposes and whether those timelines are actively enforced.

The question of repurposing data is also worth considering carefully. As more organizations explore how existing data can support AI, analytics, or new product development, the CCPA requires that any material change in purpose be accompanied by updated disclosures and, where applicable, fresh consent. Building that step into the planning process early can be more efficient and effective than addressing it later.

Finally, California is not the only jurisdiction moving in this direction. Texas, Virginia, Maryland, Oregon, and several other states have enacted laws with comparable data minimization and geolocation provisions. Organizations operating across multiple states will want to ensure their privacy programs account for this broader regulatory landscape.

Tags

privacy policy, California Consumer Privacy Act (CCPA), California Privacy Protection Agency (CalPrivacy), PII (personally identifiable information), data assets


Copyright © Finnegan, Henderson, Farabow, Garrett & Dunner, LLP. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm’s clients.
