Blog
May 15, 2026
Privacy Laws
7 mins

GM's $12.75M CCPA Settlement: What the Largest Privacy Penalty in California History Means for Your Business

California's $12.75 million CCPA settlement with General Motors marks the largest privacy penalty in state history and the first enforcement of data minimization - here's what every business needs to know.

TLDR

On May 8, 2026, California's Attorney General announced a $12.75 million settlement with General Motors - the largest CCPA penalty ever and the first case enforcing data minimization. GM sold hundreds of thousands of Californians' precise location and driving data to brokers without consent, despite telling consumers it would never do so. Every business that collects personal data, not just automakers, should treat this as a direct warning.

What Happened

California Attorney General Rob Bonta, partnered with district attorneys from San Francisco, Los Angeles, Napa, and Sonoma counties, and the California Privacy Protection Agency (CalPrivacy), reached a settlement with General Motors over its sale of driver data in violation of the California Consumer Privacy Act (CCPA) and California's Unfair Competition Law.

The facts are striking. From 2020 to 2024, GM collected precise geolocation data and driving behavior from hundreds of thousands of Californians through its OnStar connected vehicle service. OnStar is marketed as a safety and navigation assistant.

Instead of using that data exclusively to deliver those services, GM sold it to two data brokers: Verisk Analytics and LexisNexis Risk Solutions. Both brokers intended to package the data into driver-rating products and sell them to auto insurers for rate-setting. Nationwide, GM reportedly earned approximately $20 million from these data sales.

California drivers were not directly harmed by rate increases (California law prohibits insurers from using driving data to set rates), but the privacy violation itself was clear: GM collected data for one purpose and monetized it for a completely different one, without telling consumers.

What Is Data Minimization and Why Does It Matter?

This settlement carries a historic distinction beyond the penalty size: it is California's first enforcement action under the CCPA's data minimization principle.

Data minimization is a foundational concept in modern privacy law. It holds that companies should collect only the personal data they genuinely need, use it only for the specific purpose for which it was collected, and delete it once that purpose is fulfilled.

California added formal data minimization and purpose limitation requirements to the CCPA in 2023; the CPPA's March 2023 regulations spell them out (summarized in the graphic below).

The GM case is the first time California regulators enforced these provisions. That makes this settlement a line in the sand. Regulators have now shown they will pursue data minimization violations with the full weight of the law.

"Companies can't just hold on to data and use it later for another purpose."
— California Attorney General Rob Bonta
[Graphic: "According to the CPPA Regulations (March 2023)", listing five key rules: Collection Must Be Limited; Purpose Must Be Compatible; Retention Is Restricted; the "Reasonably Expected" Standard for data usage; Prohibition on "Just in Case" Data Storage.]

The Core Violations: What GM Did Wrong

Three distinct failures drove this settlement.

1. Selling data without notice or consent

GM gave consumers no disclosure that their location and driving data would be sold to Lexis or Verisk. This directly violated the CCPA's transparency requirements.

2. Actively misleading consumers

GM's own privacy policy stated it did not sell driving or location data. It went further, saying that any disclosure for insurance purposes would only happen at the consumer's express direction. Those statements were false.

3. Retaining and repurposing data beyond its original purpose

GM collected OnStar data to power safety and navigation services. It held that data long after those services were delivered, then sold it to data brokers for insurance rate-setting - a completely unrelated use. This directly violated the CCPA's purpose limitation and data minimization requirements.

GM also had an internal privacy compliance program that required it to inform consumers of third-party data recipients. It bypassed its own program.

5 Lessons Every Business Must Take from This Case

This case is about a car company, but its implications reach every business that collects personal data — which, today, means nearly every business online.

Lesson 1: Your privacy policy is a legal commitment

GM's policy said it would not sell driving data. It did. That gap between stated policy and actual practice is what transforms a compliance failure into a fraud allegation. Your privacy policy must accurately reflect what you do, not just what sounds good.

Lesson 2: Consent is specific, not general

Consumers who signed up for OnStar consented to safety and navigation services. They did not consent to their data being packaged and sold to insurance companies. Broad, vague consent language does not cover secondary uses. Each distinct purpose requires its own clear disclosure — and, where required, its own opt-in.

Lesson 3: Data you don't delete is a liability

GM retained driving data long after OnStar services were delivered. That retained data became the asset it monetized — and the evidence that regulators used against it. Data you hold beyond its useful life is not an asset. It is exposure.

Lesson 4: Data minimization is now actively enforced

Before this case, data minimization was a widely cited principle with no enforcement record under the CCPA. That is no longer true. If your business retains data "just in case" or repurposes it opportunistically, you now face demonstrated regulatory risk.

Lesson 5: Coordinated enforcement is the new reality

This case involved the state AG, four county district attorneys, and a dedicated privacy agency working in concert. CCPA enforcement is not a theoretical risk managed at the margins; it is a coordinated, multi-agency priority.

How to Build a CCPA-Compliant Data Practice

The GM settlement reads like an enforcement checklist. Here is how to get ahead of it, and how Consentmo turns each step from a manual burden into an automated process.

1. Audit what you collect and why

Map every data point your business collects to a specific, documented purpose. If you cannot articulate a clear reason for collecting a piece of data, do not collect it.

Consentmo's Tracker Manager automates this step for your website. It scans your store automatically, detects every active cookie and tracker, and categorizes each one by type (analytics, marketing, functional, necessary) so you have a clear, current record of exactly what is running and why.

2. Keep your privacy disclosures accurate and current

Your privacy policy, cookie notice, and consent requests must reflect your actual data practices in real time. Any change to how you collect, use, or share data should trigger an immediate policy review.

Consentmo generates ready-to-use compliance pages, including Privacy Request pages and a "Do Not Sell or Share My Personal Information" page, which align with CCPA/CPRA requirements out of the box. These pages update alongside your consent configuration, so your public disclosures stay consistent with your actual data flows.

3. Get explicit, purpose-specific consent

GM's core failure was treating broad service sign-up as blanket consent for data monetization. The CCPA requires that consent be specific to the purpose for which data is collected.

Consentmo's Cookie Banner and Preferences Popup give visitors granular control from the moment they land on your site. Users can accept all, reject all, or toggle individual categories independently. The preferences popup ensures consumers understand exactly what they are consenting to, category by category, not just a generic "I accept cookies" prompt. Consentmo also supports automatic translations in 40+ languages, so consent is always presented in the visitor's own language.

4. Block trackers before consent is granted

One of the most common CCPA violations is firing marketing pixels and analytics tags before a consumer has made a choice. That is data collection without consent, and it is exactly the kind of practice regulators look for.

Consentmo's Auto-block Tracking feature, enabled when you set up your cookie banner, prevents this entirely. Third-party scripts (ad pixels, analytics tags, retargeting trackers) are held back until the visitor actively grants consent. No guesswork, no gray areas.
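To make the "held back until consent" behaviour concrete, here is an added example in JavaScript; it is not Consentmo's code and not part of the original post. It shows a default-deny loader that injects third-party scripts only for the categories the visitor has accepted, fails closed on a tracker with an unknown category, and treats a Global Privacy Control (GPC) signal as an opt-out of the marketing category even when the visitor clicked "accept all" earlier. The tracker list and URLs, the shape of the consent object, and the `fakeDocument` stand-in for the DOM are all assumptions made for this example.

```javascript
// Added example, not Consentmo's code: a default-deny, consent-gated loader for
// third-party trackers. Assumptions: consent is kept as a plain object keyed by
// category; the Global Privacy Control (GPC) signal is passed in explicitly
// (a browser exposes it as navigator.globalPrivacyControl); the tracker list and
// URLs below are constructed for illustration.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Constructed sample registry: each third-party script and the category it belongs to.
const TRACKERS = [
  { id: "session",     category: "necessary", src: "/js/session.js" },
  { id: "analytics",   category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ad-pixel",    category: "marketing", src: "https://ads.example/pixel.js" },
  { id: "retargeting", category: "marketing", src: "https://retarget.example/rt.js" },
];

// Before the visitor has made a choice, only strictly necessary scripts may run.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false, decided: false };
}

// Combine the stored choice (if any) with the GPC signal. GPC is an opt-out of
// sale/sharing that a CCPA business must honor, so the marketing category is forced
// off even when the visitor accepted it earlier. "necessary" cannot be toggled off.
function effectiveConsent(stored, gpcSignal) {
  const consent = { ...defaultConsent(), ...(stored || {}) };
  consent.necessary = true;
  if (gpcSignal) consent.marketing = false;
  return consent;
}

// Split the registry into trackers that may load and trackers that stay blocked.
// A tracker with an unknown category is blocked: misclassification must fail closed.
function partitionTrackers(trackers, consent) {
  const allowed = [];
  const blocked = [];
  for (const t of trackers) {
    const permitted = CATEGORIES.includes(t.category) && consent[t.category] === true;
    (permitted ? allowed : blocked).push(t.id);
  }
  return { allowed, blocked };
}

// Inject <script> tags only for allowed trackers. `doc` is passed in (normally
// window.document) so the function can also run outside a browser.
function loadAllowed(trackers, consent, doc) {
  const { allowed, blocked } = partitionTrackers(trackers, consent);
  for (const t of trackers) {
    if (!allowed.includes(t.id)) continue;
    const s = doc.createElement("script");
    s.src = t.src;
    s.async = true;
    doc.head.appendChild(s);
  }
  return { allowed, blocked };
}

// Minimal stand-in for a DOM so the example runs under plain Node (assumption).
function fakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return { head, createElement: (tag) => ({ tag }) };
}

// Walk through the three states a visitor can be in.
function demo() {
  const gpc = typeof navigator !== "undefined" && navigator.globalPrivacyControl === true;
  const results = {};
  // 1. Landing, no choice yet: only the necessary script is injected.
  let doc = fakeDocument();
  results.beforeChoice = loadAllowed(TRACKERS, effectiveConsent(null, gpc), doc).allowed;
  // 2. Visitor accepted every category and no GPC signal is present: all four load.
  const acceptAll = { functional: true, analytics: true, marketing: true, decided: true };
  doc = fakeDocument();
  results.acceptedAll = loadAllowed(TRACKERS, effectiveConsent(acceptAll, false), doc).allowed;
  // 3. Same stored choice, but the browser sends GPC: marketing scripts stay blocked.
  doc = fakeDocument();
  results.acceptedWithGpc = loadAllowed(TRACKERS, effectiveConsent(acceptAll, true), doc).blocked;
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The design choice worth noting is the direction of the default: nothing outside the "necessary" category is ever injected until `decided` consent exists, and a category the registry does not recognise is treated as blocked rather than allowed, so a mislabelled tracker cannot slip through before the visitor has chosen.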

5. Honor opt-outs and deletion requests promptly

The CCPA's "Do Not Sell or Share My Personal Information" right is one of its most enforceable provisions. Businesses that ignore or delay these requests face direct regulatory exposure.

Consentmo provides a CCPA-compliant "Do Not Sell" opt-out flow built into the cookie banner. It also includes a Data Subject Access Request (DSAR) log that records every consumer request (access, deletion, correction) with timestamps, so you have auditable documentation if regulators ever ask.

[Screenshot: "Do Not Sell or Share My Personal Information" opt-out page, explaining consumer rights under U.S. state privacy laws (CCPA/CPRA) regarding the "sale" or "sharing" of data for targeted advertising, with opt-out via Global Privacy Control (GPC) signals or a manual opt-out form, and a button labeled "Do not sell or share my personal information".]

6. Use Smart Geotargeting so the right rules apply to the right visitors

Not every visitor to your site is a California resident, and not every regulation applies in every country. Showing a CCPA-specific opt-out to a visitor in Germany, or a GDPR consent banner to someone in Texas, creates friction and compliance confusion.

Consentmo's Smart Geotargeting detects visitor location and automatically displays the correct consent experience for that jurisdiction - CCPA for California, GDPR for the EU, LGPD for Brazil, and more, from a single configuration.

7. Track consent with logs

Compliance is not a one-time setup. Regulators expect businesses to monitor, assess, and improve their data practices continuously. GM's settlement requires exactly this: an ongoing privacy program with documented assessments.

Consentmo's Consent Records feature gives you a detailed, timestamped log of every consent interaction — acceptance rates, opt-out trends, and consent breakdowns by category and region. This data lets you identify where consumers are declining consent, refine your disclosures to be clearer, and demonstrate to regulators that your privacy program is active, not static. In line with CCPA requirements, all consent records are automatically deleted after 365 days, ensuring your own data practices stay lean, lawful, and proportionate.

Conclusion

The $12.75 million GM settlement is not an anomaly. It is a signal. California has now demonstrated it will enforce data minimization, pursue companies that mislead consumers about their data practices, and coordinate enforcement across multiple agencies to do it.

The question for every business is not whether regulators will eventually scrutinize your data practices. The question is whether your practices will hold up when they do.

Collect only what you need. Use data only for the purpose consumers agreed to. Delete it when that purpose is served. Tell consumers the truth about all of it.

That is not a burden. It is the foundation of trust - and trust, in 2026, is a competitive advantage.

Stay ahead of privacy regulation changes. Explore how Consentmo helps businesses of all sizes build consent-first data practices that satisfy the CCPA, GDPR, and more.

Mariya Petrova
With over 7 years of experience in advertising across agencies and e-commerce brands, Mariya has made marketing her core element. Today, she supports Consentmo users by guiding them through the realms of compliance, Shopify, and all things marketing.