California authorities announce largest CCPA fine to date

General Motors' USD12.75 million settlement covers the automaker's past data collection and sale practices related to geolocation and driving habits data.

Contributors:

Lexie White

Staff Writer

IAPP

California Attorney General Rob Bonta along with the California Privacy Protection Agency and local district attorneys announced a USD12.75 million California Consumer Privacy Act settlement with General Motors over allegations of unlawful collection and sale of Californians' driving and location data. The settlement represents the largest CCPA fine ever issued.

A joint investigation looked into GM's handling of data collected through its OnStar Smart Driver connected vehicle services. The automaker allegedly sold drivers' geolocation data, driving behavior data and other personally identifiable information to data brokers, including Verisk Analytics and LexisNexis Risk Solutions, without obtaining consumer consent.

"We're talking about data that not only shows how a person drove, but also precisely where they drove, which could easily be used to paint a picture of their everyday habits and movements," Bonta said during a press conference. He added while GM's privacy notices stated the company would not sell driving or location data, the company "kept driver's data beyond what is needed for OnStar services … and then sold it with the intent to use it for insurance rate setting."

The settlement includes corrective measures, including commitments to stop selling consumer driving data to credit reporting agencies for five years, delete specific driving data collected within the last 180 days and request that data brokers delete consumer data sold by GM.

In a statement to the IAPP, a GM spokesperson indicated it discontinued the Smart Driver program in 2024 due to customer feedback while also ending collaborations with data brokers LexisNexis and Verisk. They said the settlement "reinforces steps we've taken to strengthen our privacy practices."

"Vehicle connectivity is central to a modern and safe driving experience, which is why we're committed to being clear and transparent with our customers about our practices and the choices and control they have over their information," the spokesperson added.

Enforcement in context

Many of GM's new undertakings align with its prior U.S. Federal Trade Commission settlement over similar allegations around nonconsensual data sales. 

GM agreed to FTC orders to obtain customer consent before sharing data collected by its connected car system and allow consumers to opt out of location sharing. When the settlement was announced in January 2025, GM said it is "more committed than ever to making our policies and controls clear and accessible as we continue to evolve the driving experience for our customers."

Other states, including Arkansas and Texas, have ongoing litigation over GM's practices.

For California's part, the settlement is a continuation of broader scrutiny of connected vehicle data practices. CalPrivacy Executive Director Tom Kemp said the agency began its efforts to look into how connected cars collect, retain and share sensitive information in 2023, leading to enforcement actions against Honda and Ford.

"California's privacy laws are designed to give people meaningful control over their personal information, and enforcement actions like this one, and like our cases against Ford and Honda, make that promise real," Kemp said.

The latest CCPA fine potentially represents an escalation in privacy enforcement that California regulators previously forecasted. At the IAPP Global Summit 2026, CalPrivacy Deputy Director of Enforcement Michael Macko highlighted CCPA fines "could become a cost of doing business if they're not higher."

During the GM press conference, Bonta said while fines are an important aspect of enforcement, the injunctive provisions could be more significant in deterring companies from actions that could violate the CCPA. He noted regulators "feel very confident that it will stop the conduct from happening again that we addressed here."

Los Angeles County District Attorney Nathan Hochman also highlighted companies' consent obligations around data collection, noting California regulators will maintain steady enforcement to keep user rights from being undermined.

Hochman said for automakers "who want to speed off with your data without your consent, these penalties should serve as a warning. No matter how big of a company you are, you will be held accountable in California."

Organizational outlook

The coordinated work from Bonta, CalPrivacy and local district attorneys shows regulators will exhaust all resources and capabilities to ensure meaningful enforcement.

"I think this settlement represents not only a recognition that California's privacy regulators are willing to push higher and higher for fines and injunctive relief against perceived violations of the CCPA, but also an extension of their keen focus on data brokerage and, more broadly, businesses' transparency in relation to data monetization and downstream sharing practices," said Greenberg Traurig Shareholder Darren Abernethy, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, PLS. "This is no surprise given regulators' separate but closely related focus on the state’s updated data broker law."

Abernethy added while companies previously worked to develop privacy notices that could "put them in the middle of the pack," implementing efficient and compliant safeguards should be a key priority moving forward alongside limiting secondary or incompatible data use.

Privacy4Cars founder and CEO Andrea Amico told the IAPP the latest enforcement action "intentionally underlined this is the first settlement focused on data minimization and purpose limitation: companies should expect this will be an area of continued attention."

"(California enforcement) demonstrates that every time a retail transaction results in a consumer driving away in a rolling data collection platform, consumers must be prominently presented — not as a courtesy, but as a legal obligation — easy to understand, vehicle-specific privacy disclosures: a practice adopted today only by few independent and franchised dealers that clearly needs to become an industry standard of care," Amico added.

Tags:

Data security, Enforcement, Law and regulation, U.S. state regulation, IoT and personal devices, Advertising and marketing, CCPA/CPRA, Privacy
