- California regulators characterize this settlement as the “largest CCPA penalty in California history” and the state’s first data minimization enforcement action.
- The settlement signals heightened scrutiny for connected vehicle data, including precise geolocation (including parking location) and driving behavior signals (for example, hard braking and acceleration).
- The settlement underscores three recurring enforcement themes: (1) accurate disclosures, (2) meaningful consumer choice (notice and opt-out where required), and (3) purpose limitation and data minimization (retain and use only what is reasonably necessary and proportionate).
- For businesses that collect device and location data, this action underscores the need to align (i) consumer representations made during product enrollment or activation, (ii) consent practices and (iii) data retention practices with the company’s actual collection, use and disclosure of the data.
- As businesses increasingly seek to use existing datasets for AI, analytics, and other secondary purposes, this action underscores the need to review and update privacy disclosures before repurposing data, rather than relying on historical collection for new or expanded uses.
On May 8, 2026, California Attorney General Rob Bonta, together with several county district attorneys (DAs) and the California Privacy Protection Agency (CalPrivacy), announced a $12.75 million settlement with General Motors (GM) to resolve allegations that the company sold driving data of hundreds of thousands of California motorists to data brokers without their consent. Regulators characterized the settlement as the largest California Consumer Privacy Act (CCPA) penalty in California history to date and the state’s first data minimization enforcement action.
Specifically, California regulators alleged that, through its OnStar connected vehicle platform between 2020 and 2024, GM collected consumers’ names, contact information and geolocation data, including precise geolocation information such as where consumers drove and parked their vehicles, as well as driving behavior data such as speed, hard braking and rapid acceleration. Regulators alleged that GM sold this data to LexisNexis Risk Solutions and Verisk Analytics, despite privacy disclosures suggesting such data would only be used to provide requested services (such as emergency assistance, navigation and driver support) or shared at the consumer’s express direction. Regulators alleged that the data brokers intended to use the information to develop driver-risk scoring products marketed to auto insurers. Although California law prohibits such “usage-based insurance,” regulators noted that drivers in other states were reportedly impacted by premium increases tied to similar data-sharing practices. Regulators also stated that GM reportedly made a total of approximately $20 million nationwide from these data sales.
The complaint alleges that GM violated California’s Unfair Competition Law (UCL), False Advertising Law (FAL) and multiple provisions of the CCPA through misleading disclosures, unlawful secondary uses of personal information and inadequate data governance practices. Regulators further alleged that GM failed to provide consumers with legally required notice and opt-out rights regarding those sales and omitted reference to the data-sharing arrangements during inquiries from CalPrivacy regarding its connected vehicle practices. CalPrivacy announced connected vehicle investigations back in 2023 and began engaging with GM and other manufacturers. The California Department of Justice (DOJ) and partner DAs later opened a joint investigation after media reporting about automakers sharing driving behavior data with insurers.
Regulators also alleged that GM violated the CCPA’s purpose limitation principle by collecting consumer data to provide OnStar services but later repurposing that information for undisclosed, insurance-related driver scoring and premium-setting purposes that were unrelated to the original service purpose. The complaint further alleges violations of the CCPA’s data minimization and purpose limitation requirements, asserting that GM retained driving and geolocation data longer than reasonably necessary to provide OnStar services and later sold that data for undisclosed, insurance‑related uses that were not reasonably related to the purposes for which the data was collected. Regulators specifically highlighted GM’s sale of precise parking-location data, which they noted could reveal highly sensitive information about consumers’ private activities and movements, including visits to homes, medical facilities, places of worship and political events. The complaint highlights that Verisk contractually prohibited the transfer of precise geolocation data, which regulators characterized as a compliance warning sign that GM and its privacy personnel allegedly failed to appropriately address. In announcing the resolution, the California AG emphasized data minimization as a central theme: “companies can’t just hold on to data and use it later for another purpose.”
Beyond the monetary penalty, the settlement imposes operational and governance obligations on GM. The company must stop selling driving data to consumer reporting agencies and data brokers for five years, direct LexisNexis and Verisk to delete relevant driving data, and delete retained driving data within 180 days unless consumers provide affirmative express consent for additional retention. GM is also required to develop and maintain a comprehensive privacy compliance program designed to assess, mitigate and document risks associated with connected vehicle data collection and sharing practices. The agreement further requires GM to conduct and submit ongoing privacy assessments to California regulators, including California Department of Justice (DOJ) officials, participating DAs and CalPrivacy.[1]
The settlement follows a similar agreement reached earlier this year between GM and the Federal Trade Commission (FTC) and comes amid broader regulatory scrutiny of connected vehicle data practices, including a recent California privacy settlement involving Ford. The lawsuit brought by the State of Texas against GM based on similar allegations is still pending.
Next Steps
Los Angeles District Attorney Nathan Hochman has pointed to the agreement as an indication that companies should expect higher penalties in the future. The enforcement environment is also expected to intensify as California expands consumer privacy tools and enforcement mechanisms, including the upcoming August 1, 2026, rollout of the Delete Request and Opt-out Platform (DROP), which will require more than 500 registered data brokers to process centralized consumer deletion and opt-out requests.
Akin’s cybersecurity, privacy & data protection practice continues to advise clients on navigating the rapidly evolving privacy landscape, including compliance with the CCPA and other state privacy laws, data governance and minimization obligations, connected device and geolocation data practices, and regulatory investigations and enforcement actions.
Footnote
1. The proposed judgment defines “Covered Driving Data” to include (among other items) precise geolocation and certain driving behavior signals linked or reasonably linkable to a California OnStar customer, including hard braking, hard acceleration, crossing a designated high-speed threshold, seat belt usage, late-night driving, and trip time and duration. It also defines “Covered OnStar Data” to include identifiers disclosed with Covered Driving Data, such as name, mailing address, phone number, email address and vehicle identification number (VIN).