Privacy & Cybersecurity Law Blog

On May 8, 2026, the California Attorney General announced a record $12.75 million settlement with General Motors (“GM”) to resolve allegations that GM illegally sold Californians’ location and driving behavior data without adequate notice or consent, in violation of the California Consumer Privacy Act (CCPA) and California’s Unfair Competition Law. The settlement is subject to court approval and represents the largest CCPA penalty to date. This is the first CCPA settlement focused on the law’s data minimization and purpose limitation requirements. 

The Attorney General alleged that GM sold driver data, including names, contact information, precise geolocation information, and driving metrics, such as speed, hard braking and rapid acceleration, to LexisNexis Risk Solutions and Verisk without adequate notice or consent, and for purposes unrelated to the original, disclosed uses, in violation of the CCPA’s data minimization and purpose limitation requirements.

Under the settlement, in addition to the $12.75 million penalty, GM agreed to (i) stop selling driving data to consumer reporting agencies for five years, including to data brokers such as LexisNexis and Verisk; (ii) delete retained driving data within 180 days absent affirmative, express consumer consent; (iii) request deletion of driving data by LexisNexis and Verisk; (iv) develop and maintain a robust privacy program to assess, mitigate and document privacy risks; and (v) complete privacy assessments and comply with certain reporting requirements with respect to such assessments.

The California Attorney General’s action follows a 2025 FTC order prohibiting GM and OnStar from sharing sensitive geolocation and driver behavior data with consumer reporting agencies for five years, along with enforcement actions by regulators in Nebraska and Arkansas over GM’s alleged privacy violations.

Attorney General Rob Bonta stated, “General Motors sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so. This trove of information included precise and personal location data that could identify the everyday habits and movements of Californians. Today’s settlement requires General Motors to abandon these illegal practices and underscores the importance of the data minimization in California’s privacy law — companies can’t just hold on to data and use it later for another purpose. I am proud to go to bat for the privacy rights of Californians and to collaborate with state and local partners who share the same commitment to consumer protection.”