Buckle Up: Takeaways from California’s Record General Motors Privacy Settlement

On Friday, May 8, 2026, California’s attorney general Rob Bonta, along with a number of District Attorneys and the California Privacy Protection Agency, announced the state’s settlement of an enforcement action against General Motors (GM) that includes a record $12.75 million payment of civil penalties and an injunction restricting GM’s use of consumer data. The settlement follows on from a similar FTC consent order that was entered against GM earlier this year. This article highlights some key takeaways from the enforcement action to which businesses beyond the connected-vehicle industry should pay attention to ensure continued compliance with California’s privacy regime.

What happened?

The enforcement action against GM arose from California’s enforcement sweep into privacy practices of connected vehicles that started in 2023. The state regulators alleged that GM sold the names, contact information, geolocation data and driving behavior data of its customers to data brokers Verisk and LexisNexis without consent. California also alleged that GM collected significantly more data about drivers of its connected vehicles than was needed to provide the services drivers had signed up for. GM further misled consumers by implying that the sold data would only be used to provide GM’s OnStar subscribers with services, and the GM privacy policy affirmatively stated that it did not sell any driving or location data. Finally, GM retained consumers’ driving and location data longer than necessary to operate OnStar but continued to sell the retained data to the two data brokers.

What are the takeaways for CCPA compliance for businesses?

1. Data Minimization Will Be Enforced by California Regulators

California’s press release specifically announced that this was its first enforcement of CCPA’s data minimization principles, but it likely will not be the last. With this signal from the California regulators, it is more critical than ever that a business is able to answer, and evidence, for every category of data: (1) the specific purpose or purposes justifying collection, (2) whether the data is still being used for the purpose(s), and (3) if the data is still held and no longer used for the purpose(s), why it has not been deleted. Businesses should ensure that they have mapped each data element to a documented business purpose and a defined retention period.

2. Data Retention Practices Are a Target

One of the key requirements of GM’s settlement is that it must retain driver data for no longer than 180 days after collection, unless it is required to retain the data for legal reasons or under some narrow rights to use deidentified data for product improvement. This is a significant development in enforcement, as it is the first time California has imposed a defined retention period in an enforcement action. Remember that the CCPA text does not require specific retention periods, only that data is retained for no longer than is reasonably necessary. It seems likely that the 180-day retention period will be unique to this settlement (noting that the FTC order from earlier this year also imposed a 180-day retention period), but we can expect that retention practices more generally will be a focus for regulators going forward. What this means for other businesses is that you should retain the data you collect only as long as necessary and make sure your retention periods are definable and properly communicated to consumers.

3. The Entire Data Transfer Chain Is In Scope

Another notable element of the settlement agreement is that GM is required to instruct Verisk and LexisNexis to delete the data that they received from GM under the wrongful sales, and GM is forbidden from disclosing any further data to the data brokers until the deletion request is honored. This shows that regulators will follow data downstream. Particularly for companies that act as service providers to others, when your business relies on data received from another source, be aware that a violation upstream could obligate you to delete the data, and ensure you have contractual safeguards should that occur.

4. Your Disclosures Must Reflect Your Practices

Finally, while not a new concept, the GM settlement reinforces that a business’s privacy policy must accurately disclose its privacy practices, and that the business must in fact do what it represents to the public that it does. California included in its enforcement action against GM unfair competition law claims based on GM’s misrepresentations that it did not sell consumers’ driving data, and the FTC order referenced the same misleading disclosures. This means that the regulators are looking at what you put in your privacy policy and will hold you to those representations. It is therefore critical to ensure that your policies, internal and external, aren’t just paid lip service by the business but are properly followed. It is advisable to implement procedures documenting and evidencing that the business’s privacy compliance program is being complied with, part of which should include regular reviews of the privacy policy and internal privacy procedures (and as we’ve seen in prior enforcement actions, these should be conducted at least annually).

Conclusion

It would be easy to read the GM settlement as a connected-vehicle issue, but that would be far too narrow a read. The privacy principles underpinning the enforcement action (data minimization, adequacy of disclosures, documented privacy governance, and downstream accountability) are not unique to the connected vehicle industry, but in fact apply across any business that collects consumer personal information. The size of the penalty and the joint enforcement structure indicate California will continue to press these principles, and the business that waits for a signal in its own industry runs the real risk that it will be the next target.

Originally published by InfoLawGroup LLP. This summary does not constitute legal advice.