California announces $12.75 million data minimization settlement with GM
Overview
On May 8, 2026, California Attorney General Rob Bonta announced a $12.75 million settlement with General Motors (GM) regarding alleged violations of the California Consumer Privacy Act (CCPA) (Cal. Civ. Code § 1798.100 et seq.). The settlement, which is subject to court approval, is the largest CCPA penalty in California to date.
In its complaint, the California Department of Justice (DOJ) alleged that GM collected, stored, and sold the personal information of California residents between 2016 and 2024. Specifically, California alleged that GM collected and kept driver and driver-related data from OnStar, a vehicle connectivity service offered by GM. California alleged this data included names, phone numbers, home addresses, speeds, rapid acceleration, hard braking, and the GPS locations where OnStar subscribers drove and parked their vehicles.
Under the CCPA and its implementing regulations (Cal. Code Regs. tit. 11, § 7000 et seq.), businesses that “sell” or “share” personal information to third parties must disclose such sales, and must offer the ability to opt out of those sales. For certain sensitive personal information (including precise geolocation information), businesses must provide a separate disclosure and an additional opt out. The CCPA also limits a business’s ability to use, retain, and/or share personal information in a manner that is not “reasonably necessary and proportionate” to achieve the purposes for which the personal information was initially collected, or for another disclosed purpose that is “compatible with the context in which the personal information was collected.”
California alleged that GM began selling this data to two large data brokers in 2020, which further developed a product for auto insurers that rated drivers based on driving behavior. California alleged this practice violated the CCPA’s regulations on the sale of personal information and the use and sharing of sensitive personal information. Additionally, California alleged that when the California Privacy Protection Agency (CalPrivacy) first asked GM about its data practices with OnStar, GM omitted mention of selling consumer data to data brokers. California further alleged that this sale of personal information was “wholly unrelated” to the original purposes for which the data was collected, and that the collection itself was not necessary and proportionate to achieve its initially disclosed purposes.
Under the proposed settlement, GM will agree to provide OnStar customers in California with clear and conspicuous privacy notices as part of the OnStar enrollment process, including notice of the use of any “covered driving data”—data that originates from a GM vehicle or GM-branded app and that includes precise geolocation data, or data on hard braking, hard acceleration, crossing a designated high-speed threshold, seat belt usage, late night driving, and trip time and duration. GM will also agree to obtain consent prior to collecting, using, or disclosing covered driving data to a third party, with each separate, unrelated service or feature that collects, uses, or discloses covered driving data requiring its own consent. GM will further agree to delete or destroy all covered driving data collected prior to the date of the settlement, and to stand up a privacy program that addresses the requirements of the settlement and to maintain that program for a period of five years.
Key takeaways and best practices
- California intends to enforce its data minimization requirements. The complaint against GM is the first lawsuit to enforce the data minimization requirements in the CCPA. “[C]ompanies can’t just hold on to data and use it later for another purpose,” said Attorney General Bonta. All businesses that are subject to the CCPA should audit their data collection practices and disclosures and ensure that usage is limited to disclosed purposes only. Consider all potential secondary use cases your business may have for the data, and determine whether each secondary use is necessary and proportionate to the purposes for which the data was initially collected, and whether it is compatible with that initial purpose.
- Disclosures should be clear and straightforward. Any consumer-facing privacy policy should clearly articulate data usage. Regulators are increasingly holding businesses to the letter of their privacy disclosures. GM failed to disclose sales and shares to third parties, and failed to provide necessary opt outs for those sales and shares. Businesses subject to the CCPA should ensure that all required disclosures and opt outs are in place.
- California isn’t the only cop on the beat. This enforcement action in California follows last year’s enforcement action in Texas, where the Attorney General alleged Allstate and its subsidiary Arity unlawfully collected, used, and sold precise location data to auto insurance companies. Additional state privacy laws include data minimization provisions similar to those included in the CCPA. A compliant privacy program will need to account for all provisions of all state privacy laws.
- Driving data is increasingly scrutinized. Regulators are increasingly focusing on data generated by cars. If your business collects or receives such data, ensure that your privacy disclosures contemplate all of your business use cases for the data, and ensure that all opt outs are honored.
If you have questions about your company’s compliance with privacy regulations, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.