California announces landmark US$12.75 million CCPA settlement with General Motors, the largest settlement to date
California Attorney General Rob Bonta, together with the California Privacy Protection Agency (“CalPrivacy”) and local district attorneys, has announced a US$12.75 million CCPA settlement with General Motors (“GM”) over allegations of unlawful collection and sale of Californians’ driving and location data. This is the largest CCPA fine ever issued. The settlement is also California’s first data minimization enforcement action.
Background
In 2023, CalPrivacy announced investigations into the privacy practices of connected vehicles and began engaging with GM and other car manufacturers. In 2024, while those investigations were underway, the New York Times reported that automakers, including GM, were sharing consumers’ driving behavior with insurance companies, with some insurers raising consumers’ rates based on this data. The investigation revealed that from 2020 to 2024, GM sold the names, contact information, geolocation data, and driving behavior data of hundreds of thousands of Californians to two data brokers (Verisk Analytics, Inc. and LexisNexis Risk Solutions) from whom GM reportedly made approximately US$20 million nationwide. The investigation determined that GM failed to give consumers any notice of these sales and misled consumers by implying that data would only be used to provide OnStar subscribers with requested services and even stated in its privacy policy that it did not sell driving or location data. GM also retained Californians’ driving and location data long after its use to operate OnStar and then sold this retained data to brokers intending to sell it for insurance rate-setting, violating the CCPA’s purpose limitation and data minimization requirements added in 2023.
Key Terms of the Settlement
GM shall pay a total of US$12,750,000 in civil penalties by wire transfer to the California Attorney General’s Office no later than 30 days after the Effective Date.
GM shall not sell or disclose Covered Driving Data to a Consumer Reporting Agency for a period of five years, absent consent.
Within 180 days of the Effective Date, GM must delete or destroy all prior-retained Covered Driving Data, subject to limited exceptions such as litigation holds, legal compliance, and vehicle safety diagnostics.
GM must obtain consumer consent prior to collecting, using, or disclosing to a third party any Covered Driving Data, with each separate, unrelated service or feature that collects, uses, or discloses such data requiring its own consent.
GM shall provide California OnStar customers with clear and conspicuous privacy notices as part of the enrollment process, written in plain, straightforward language and avoiding technical or legal jargon.
Within 180 days of the Effective Date, and for a period of five years thereafter, GM shall implement and maintain a privacy program addressing the requirements of the judgment.
On an annual basis for a period of four years, GM shall produce a report to CalPrivacy describing the privacy-focused assessments it performed over the past year, reviewed and approved by GM’s Chief Privacy Office.
Implications for Businesses
Many of GM’s new obligations align with its prior FTC settlement over similar allegations around nonconsensual data sales. Other states, including Arkansas and Texas, also have ongoing litigation over GM’s practices. Today’s settlement represents the eighth enforcement action under the CCPA. The latest fine potentially represents an escalation in privacy enforcement that California regulators previously forecasted, with CalPrivacy’s Deputy Director of Enforcement having highlighted that CCPA fines “could become a cost of doing business if they’re not higher.” Attorney General Bonta noted that while fines are an important aspect of enforcement, the injunctive provisions could be more significant in deterring companies from future violations.
Companies collecting consumer data through connected products should immediately audit their consent frameworks, data retention schedules, and downstream sharing arrangements. Implementing efficient and compliant safeguards should now be a key organizational priority.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2026 White & Case LLP