California Just Sent a $12.75 Million Message About Your Car’s Data

If you drive a GM vehicle, your car has been watching you. That’s not paranoia; it’s a fact that California Attorney General Rob Bonta confirmed today, announcing the largest penalty in the history of the California Consumer Privacy Act (CCPA).

On May 8, 2026, GM agreed to pay $12.75 million to resolve allegations that, between 2020 and 2024, it secretly sold the names, contact information, geolocation data, and driving behavior of hundreds of thousands of Californians to two data brokers, Verisk Analytics and LexisNexis Risk Solutions. Those brokers, in turn, were building products to help insurance companies set premiums based on how and where people drive.

Here’s what that means, why it matters, and what businesses and consumers should take from it.

What GM Actually Did

GM collected this data through OnStar, the in-car system most drivers associate with roadside assistance, turn-by-turn directions, or summoning an ambulance after a crash. Useful stuff. But behind the scenes, the data it generated (your speed, your braking habits, where you went, and when you got there) was being packaged and sold.

According to the complaint, GM made roughly $20 million nationwide from these data sales. Meanwhile, GM’s own privacy policy stated that it did not sell driving or location data and that any such sharing for insurance purposes would occur only at the consumer’s express direction. In practice, it did not.

There’s a particular irony here for California drivers: California insurance law actually prohibits insurers from using driving data to set rates. So while drivers in other states reportedly saw their premiums climb based on data GM sold, Californians did not see the same direct financial harm. The harm was the secret sale itself.

Why “Data Minimization” Is the Headline

This is the first enforcement action in California history built on the CCPA’s data minimization principle, added by the 2023 amendments. In plain English, data minimization means this: you can only collect, keep, and use personal data for the purpose you originally told the consumer about. You can’t quietly hold onto it and repurpose it later.

GM allegedly did exactly that. It collected location and driving data to make OnStar work. Then, long after that purpose was served, it kept the data and sold it for an entirely different purpose (insurance rate-setting) that customers were never told about.

Attorney General Bonta put it bluntly: companies can’t just hold on to data and use it later for another purpose.

For any business that has been treating “we already have the data, so we might as well use it” as a strategy, that mindset is now an enforcement risk in California.

What the Settlement Requires

Beyond the $12.75 million in civil penalties, GM has agreed to:

  • Stop selling driving data to consumer reporting agencies for five years, including to data brokers like Verisk and LexisNexis.
  • Delete retained driving data within 180 days, except for narrowly defined internal uses, unless the consumer affirmatively consents.
  • Ask Verisk and LexisNexis to delete the data that has already been sold.
  • Build and maintain a privacy program that documents and mitigates the risks of OnStar data collection.
  • Report privacy assessments to the California DOJ, the partner District Attorneys, and the California Privacy Protection Agency (CalPrivacy).

Notice that last point. This isn’t a one-time fine. GM is now under ongoing supervision — and so is its compliance program.

Why Every Business Should Care

A few things make this settlement worth paying attention to, even if you have nothing to do with cars or auto data.

First, the regulators are coordinating. This action involved the Attorney General, four District Attorneys (San Francisco, Los Angeles, Napa, and Sonoma counties), and CalPrivacy. That kind of multi-agency cooperation signals that California’s privacy enforcement is maturing into something that looks a lot more like the SEC or FTC model: coordinated, well-resourced, and willing to share investigative work.

Second, the privacy policy itself was central. GM did not get in trouble simply for selling data. It got in trouble because what it told consumers in its privacy policy did not match what it was actually doing. If your public-facing privacy notices and your internal data flows aren’t perfectly aligned, that gap is now an enforcement theory.

Third, “we collected it for X, so we can use it for Y” is dead in California. Data minimization and purpose limitation are no longer abstract principles imported from European law. They are live, enforceable, multi-million-dollar standards.

What Consumers Can Do

For California residents, the state has launched the Delete Request and Opt-out Platform (DROP) at privacy.ca.gov/drop. With a single request, Californians can ask more than 575 registered data brokers to delete their personal information.

The Bigger Picture

This is the eighth CCPA enforcement action under Attorney General Bonta, joining settlements with Sephora, DoorDash, Disney, and others. The pace, the dollar amounts, and now the legal theories are all escalating.

Modern cars are, as San Francisco DA Brooke Jenkins put it, rolling data collection machines. But cars are just one front. Connected appliances, wearables, smart TVs, mobile apps, and anything that generates a continuous stream of personal data are on the same regulatory trajectory.

If your organization collects personal data, today is a good day to ask three questions:

  1. What did we tell consumers we would do with this data?
  2. What are we actually doing with it?
  3. Do we still need to keep all of it?

In California, those answers had better match.
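As an added illustration (not GM’s code or anything from the settlement), here is a small Python model of the two rules the settlement enforces: a use of telemetry is allowed only for a purpose disclosed at collection or affirmatively consented to afterwards, and records older than 180 days are deleted unless the consumer consented to longer retention. The record fields, purpose names and VIN-like identifiers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

RETENTION_DAYS = 180  # deletion window from the settlement, used as the default limit


@dataclass
class TelemetryRecord:
    vin: str                      # constructed sample identifier, not a real VIN
    collected: date               # date the record was generated by the vehicle
    speed_mph: float
    hard_brakes: int
    location: tuple               # (lat, lon) at collection time
    declared_purposes: frozenset  # purposes disclosed to the consumer at collection
    consents: frozenset = frozenset()  # purposes the consumer later opted into


def may_use(record, purpose):
    """Purpose limitation: allowed only if disclosed at collection or consented to later."""
    return purpose in record.declared_purposes or purpose in record.consents


def retention_sweep(records, today):
    """Data minimization: drop records past the window unless the consumer
    consented to extended retention. Returns (kept, deleted)."""
    kept, deleted = [], []
    for r in records:
        expired = (today - r.collected) > timedelta(days=RETENTION_DAYS)
        (deleted if expired and "extended_retention" not in r.consents else kept).append(r)
    return kept, deleted


def audit(records, proposed_purpose, today):
    """Answer the three questions for one proposed use: what was disclosed,
    whether the proposed use matches it, and what no longer needs to be kept."""
    kept, deleted = retention_sweep(records, today)
    return {
        "allowed": [r.vin for r in kept if may_use(r, proposed_purpose)],
        "denied": [r.vin for r in kept if not may_use(r, proposed_purpose)],
        "deleted": [r.vin for r in deleted],
    }


# Constructed sample data: three vehicles with different disclosures and consents.
SAMPLE = [
    TelemetryRecord("VIN-SAMPLE-1", date(2024, 1, 5), 71.0, 3, (37.77, -122.42),
                    frozenset({"roadside_assistance", "navigation"})),
    TelemetryRecord("VIN-SAMPLE-2", date(2024, 11, 20), 40.0, 0, (34.05, -118.24),
                    frozenset({"roadside_assistance"}),
                    frozenset({"insurance_rating", "extended_retention"})),
    TelemetryRecord("VIN-SAMPLE-3", date(2024, 12, 1), 55.0, 1, (38.30, -122.29),
                    frozenset({"roadside_assistance"})),
]
```

Running `audit(SAMPLE, "insurance_rating", date(2025, 1, 1))` deletes the stale first record, permits the use only for the vehicle whose owner consented, and denies it for the third.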
