6/2/26

By: Jacob Berlinger and Josette Brooksbank
Companies that collect and monetize consumer data are facing increasing scrutiny under California’s privacy laws, as illustrated by a recent enforcement action against General Motors (GM). Regulators alleged that, while representing that it collected extensive personal and driving data from OnStar subscribers for service-related purposes—such as navigation and emergency assistance—GM in fact collected location information, contact details, and driving behavior and sold that information to third-party data brokers, including LexisNexis Risk Solutions and Verisk Analytics, without adequately disclosing the practice or providing meaningful opt-out rights.
Expansive liability under CA privacy law
This enforcement action highlights California’s expansive approach to liability under the California Consumer Privacy Act (CCPA) and related statutes. The Attorney General, partnering with enforcement agencies, focused on alleged failures to provide clear disclosure of data-sharing practices, offer effective opt-out mechanisms, and limit data use to what is reasonably necessary for disclosed purposes. Regulators also emphasized that sensitive data, particularly precise geolocation, is subject to heightened protections, reinforcing the growing importance of data minimization and purpose limitation.
Financial and operational exposure
The consequences were significant. GM agreed to pay $12.75 million in civil penalties, the largest CCPA settlement to date, and to implement restrictions on its future collection, use, and sharing of consumer driving data. This outcome underscores the significant exposure companies face when their actual data practices diverge from their public disclosures or consumer expectations.
Steps to reduce risk
In light of this development, companies that rely on consumer data should review their compliance strategies. This includes ensuring that data collection and use align with disclosed purposes, strengthening transparency and consent mechanisms (particularly for sensitive data), monitoring third-party data sharing relationships, implementing data minimization and retention controls, and maintaining documentation of compliance efforts.
The GM settlement signals a more aggressive regulatory environment in California, particularly with respect to transparency, consent, and data minimization. Companies that fail to align their data practices with these requirements face heightened regulatory scrutiny and potentially significant financial and operational consequences.
For more information on this topic you can reach out to Josette Brooksbank at josette.brooksbank@fmglaw.com, Jacob Berlinger at jacob.berlinger@fmglaw.com or your local FMG attorney.
Information conveyed herein should not be construed as legal advice or represent any specific or binding policy or procedure of any organization. Information provided is for educational purposes only. These materials are written in a general format and not intended to be advice applicable to any specific circumstance. Legal opinions may vary when based on subtle factual distinctions. All rights reserved. No part of this presentation may be reproduced, published or posted without the written permission of Freeman Mathis & Gary, LLP.