In the largest proposed settlement under the California Consumer Privacy Act (CCPA) to date, General Motors LLC and its subsidiary OnStar will pay $12.75 million in civil penalties for allegedly collecting, retaining and later selling driver- and driving-related data from hundreds of thousands of California OnStar subscribers. The May 8 enforcement action, filed by the California Attorney General and the district attorneys of several counties with the support of the California Privacy Protection Agency (CPPA), asserts violations of the CCPA, California’s Unfair Competition Law and California’s False Advertising Law. The complaint alleges that from 2016 to 2024 GM collected and retained data including names and contact information, driving behavior, and GPS location information showing where consumers drove and parked, and that beginning in 2020 it sold the data to third-party data brokers. The proposed final judgment also requires GM and OnStar to agree to a five-year moratorium on the sale of data to consumer reporting agencies, to submit privacy assessments to the state, and to delete or destroy certain previously retained data.
Key Takeaways
California’s enforcement action against General Motors and OnStar is more than a connected-car case. It illustrates how California regulators are thinking about data monetization, sensitive personal information, purpose limitation, data minimization and the practical limits of a notice-and-consent privacy model.
- The lawsuit is the first brought to enforce the CCPA’s data minimization principle. The California Attorney General alleged that GM retained driving and location data longer than necessary to provide OnStar and Smart Driver services, and then sold that data for a purpose that was unrelated to the reason the data was collected.
- The complaint treats purpose limitation as a substantive restriction, not merely a disclosure obligation. The complaint specifically states that even if GM had disclosed the insurance-related use, developing an unrelated driver-rating service would not have been compatible with the original reason GM collected the data.
- The settlement reflects the continued focus by California regulators on hidden data flows. GM allegedly told consumers that their data would only be used for OnStar services, driver insights, emergency support, navigation, safety and service improvement, while allegedly selling driving behavior data and precise geolocation data to third parties.
- The enforcement action should be viewed alongside California’s broader concern with location data and downstream economic uses, including surveillance pricing. The complaint comes on the heels of the Federal Trade Commission (FTC) settlement with Kochava over its use of sensitive location data and reinforces that state and federal regulators remain focused on the harms that can arise from the use of this data.
What Happened?
According to the complaint, in 2020 GM began selling driving data from its OnStar Smart Driver connected vehicle service to data brokers for auto insurers to use in developing products that rate drivers based on driving behavior. The data included the names and contact information of hundreds of thousands of drivers, precise geolocation data for where they drove and parked, and data on their driving behavior such as speeds, instances of rapid acceleration and hard braking, use of seat belts, late-night driving, and trip data including time and duration. The automobile manufacturer allegedly made an estimated $20 million from the sale of this data.
California law prohibits insurers from using driving behavior data to set insurance rates, and California insurers allegedly did not use the data broker products for California drivers, likely preventing California residents from experiencing the premium increases that reportedly occurred in other states. Nonetheless, the complaint asserted that GM violated California law by selling the data without proper notice, opt-out rights, purpose limitation or data minimization controls.
The $12.75 million in civil penalties imposed by the proposed final judgment, which requires court approval, is the largest CCPA settlement to date. Under the terms of the proposed final judgment, GM also agreed to stop selling data to consumer reporting agencies for five years, maintain a privacy program, conduct privacy-focused assessments and submit them to the state, delete or destroy certain previously retained covered driving data, and obtain consent before collecting, using or disclosing covered driving data for unrelated services or features. While GM is permitted to share personal data for research and other analytics purposes without consent, data must be in de-identified form.
Who Should Be Paying Attention?
The enforcement action directly applies to GM and OnStar, but its implications are much broader.
Companies should pay particular attention if they:
- Collect precise geolocation, behavioral, telematics, device, sensor, biometric, health, financial or other sensitive data
- Collect data to provide one product or service and later seek to monetize that data through licensing, sale, analytics, scoring, model development, advertising, insurance, pricing or data broker relationships
- Rely on privacy policy disclosures to support secondary uses of data that may not be reasonably expected by consumers
- Operate in regulated industries where downstream use of data may be prohibited, restricted or legally sensitive
This is not just a connected car case. It is a data monetization case. The core concern is that a business collected data for one consumer-facing purpose, retained it and later tried to extract additional value from it through third-party data sales.
What Should Companies Do Next?
Companies should treat this action as a prompt to move beyond privacy policy review and conduct a more substantive assessment of their data collection, retention, use and disclosure practices.
1. Revisit data use cases with purpose limitation requirements in mind.
Where data collected for one purpose is later used for another purpose, companies should document the original purpose for collection and evaluate whether each subsequent use or disclosure is:
- The same as the original purpose
- Reasonably necessary to provide the requested product or service
- Disclosed to consumers
- Compatible with the context in which the data was collected
- Lawful in the jurisdictions where affected consumers reside
For multistate products, the analysis should not stop at whether the data can be used anywhere. In this case, California alleged that GM sold California driving data for an insurance-related purpose even though California law prohibited insurers from using that data to set premiums, so the sale served no purpose that was lawful for those residents. Data should be sold only where it can actually be used for the stated purpose.
A line in a privacy policy may not be enough. The complaint makes clear that regulators may view certain secondary uses as incompatible even if they are disclosed.
2. Make data minimization operational.
The action underscores that data minimization is not just a privacy principle. It is an enforceable CCPA obligation. Companies should be able to explain why each category of data is collected, why it is retained, how long it is retained, and why it is necessary for each use or disclosure.
3. Validate opt-out and limitation mechanisms.
GM allegedly provided a mechanism for consumers to opt out of sales, but the state alleged that the mechanism did not stop the sale of driving data at issue in the complaint. Companies should test whether opt-out, “Do Not Sell or Share” and sensitive personal information limitation mechanisms apply across all relevant systems, vendors, data feeds and downstream disclosures.
4. Revisit sensitive personal information controls.
Precise geolocation data is sensitive personal information under the CCPA. Companies that collect or disclose precise location data should confirm whether they are providing required notices, honoring limitation rights, and limiting use and disclosure to permitted purposes. California alleged that GM did not allow consumers to limit disclosure of their precise geolocation and that selling such data to data brokers was not an exempt use.
5. Update risk assessment processes.
The complaint alleges that GM had internal privacy policies requiring privacy disclosures, purpose limitation, data minimization and written risk assessments for activities like selling data but could not locate a contemporaneous written risk assessment covering the sale of driving data.
Companies should ensure that privacy impact assessments are not generic check-the-box exercises. They should address the actual data flow, business purpose, legal basis, consumer expectations, sensitive data implications, opt-out rights, retention, downstream uses and jurisdiction-specific restrictions. Companies will need to start reporting the status of their risk assessments next year, and we expect that regulators will be focused on the existence and quality of risk assessments, particularly where sensitive information is involved.
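The five steps above describe checks that can be encoded and run against each proposed disclosure rather than left in a policy document. The following Python is added here as an illustration; it is not code from the page, from GM or OnStar, or from any regulator. It models a small data inventory and evaluates a disclosure against the documented collection purpose, the consumer's opt-out and sensitive-data limitation signals, a state restriction table and the retention period, returning the findings a release gate could block on. Every category, purpose, retention period and scenario is a constructed assumption; the only California entry in the restriction table reflects the page's statement that California law prohibits insurers from using driving behavior data to set rates.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DataCategory:
    """One row of the data inventory (constructed values, not GM's inventory)."""
    name: str
    sensitive: bool                  # e.g. precise geolocation is sensitive PI under the CCPA
    collection_purpose: str          # purpose documented when the data was collected
    compatible_purposes: frozenset   # uses compatible with that collection context
    retention_days: int              # how long the category may be kept


@dataclass(frozen=True)
class Consumer:
    state: str
    opted_out_of_sale: bool = False       # "Do Not Sell or Share" signal received
    limited_sensitive_use: bool = False   # "Limit the Use of My Sensitive PI" request


@dataclass(frozen=True)
class Disclosure:
    category: DataCategory
    purpose: str
    recipient: str          # "service_provider" or "third_party"
    is_sale_or_share: bool
    collected_on: date
    de_identified: bool = False


# Purposes still allowed for sensitive PI after a consumer limits its use
# (assumed service-delivery style exemptions, not a statement of the statute).
SENSITIVE_PERMITTED = frozenset({"deliver_service", "safety", "security"})

# Purposes a state restricts downstream. The CA entry reflects the page's
# statement that California bars insurers from rating on driving behavior data.
STATE_RESTRICTED = {"CA": frozenset({"insurance_rating"})}


def evaluate(d: Disclosure, c: Consumer, today: date) -> list[str]:
    """Return the policy findings for one disclosure; an empty list means it passes."""
    findings: list[str] = []
    if d.de_identified:
        # De-identified data is treated here as outside the consumer-rights checks,
        # mirroring the judgment's carve-out for de-identified research/analytics.
        return findings
    if d.purpose not in d.category.compatible_purposes:
        findings.append(
            f"purpose {d.purpose!r} incompatible with collection purpose "
            f"{d.category.collection_purpose!r} for {d.category.name}"
        )
    if d.is_sale_or_share and c.opted_out_of_sale:
        findings.append("consumer opted out of sale/share; disclosure must be blocked")
    if d.category.sensitive and c.limited_sensitive_use and d.purpose not in SENSITIVE_PERMITTED:
        findings.append("sensitive PI limitation request not honored")
    if d.purpose in STATE_RESTRICTED.get(c.state, frozenset()):
        findings.append(f"purpose {d.purpose!r} is restricted for {c.state} residents")
    age_days = (today - d.collected_on).days
    if age_days > d.category.retention_days:
        findings.append(
            f"record is {age_days} days old, past the {d.category.retention_days}-day retention limit"
        )
    return findings


# Constructed inventory rows (assumed purposes and retention periods).
DRIVING_BEHAVIOR = DataCategory(
    "driving_behavior", False, "driver_insights",
    frozenset({"deliver_service", "driver_insights", "safety", "service_improvement"}), 365,
)
PRECISE_GEO = DataCategory(
    "precise_geolocation", True, "navigation_and_emergency",
    frozenset({"deliver_service", "safety", "service_improvement"}), 90,
)


def run_scenarios(today: date = date(2026, 1, 1)) -> dict[str, list[str]]:
    """Evaluate four constructed disclosures for one California consumer."""
    ca_driver = Consumer("CA", opted_out_of_sale=True, limited_sensitive_use=True)
    old = today - timedelta(days=900)
    recent = today - timedelta(days=10)
    scenarios = {
        # The pattern the complaint describes: retained driving data sold to a
        # broker for insurer rating, despite an opt-out, for a CA resident.
        "broker_sale": Disclosure(DRIVING_BEHAVIOR, "insurance_rating", "third_party", True, old),
        # Location sent to a navigation vendor to deliver the subscribed service.
        "service_delivery": Disclosure(PRECISE_GEO, "deliver_service", "service_provider", False, recent),
        # De-identified aggregate shared for research.
        "deid_research": Disclosure(PRECISE_GEO, "research", "third_party", False, recent, de_identified=True),
        # Precise location sold for driver scoring after the consumer limited sensitive use.
        "geo_scoring": Disclosure(PRECISE_GEO, "driver_rating", "third_party", True, recent),
    }
    return {name: evaluate(d, ca_driver, today) for name, d in scenarios.items()}


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(name, "->", findings or ["OK"])
```

The useful property of a gate like this is that the opt-out and limitation signals are evaluated at the point of disclosure, for every feed, rather than only in the consumer-facing preference page; the broker_sale scenario fails on four independent grounds, and the service_delivery scenario passes even for a consumer who has exercised every right.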
Bottom Line
For years, U.S. privacy compliance has been dominated by a notice-and-choice model: Disclose the practice, offer an opt-out where required and manage consumer rights. This action shows the limits of that model. Purpose limitations and data minimization obligations have not received even a fraction of the airtime given to opt-out obligations; however, they could be the most disruptive elements of the CCPA. These requirements are also the most fluid. Selling personal information without disclosure or an opt-out is a relatively straightforward CCPA issue. However, navigating purpose limitation and data minimization requires judgment, context and documentation. The requirements give regulators room to scrutinize whether a business should be using the data at all.
Chief Privacy & Security Partner; Chair, Privacy, Security & Data Innovations