California’s 8 May 2026 settlement with General Motors turned CCPA data minimization into an enforcement fact. In the settlement announcement, the California Attorney General said GM will pay $12.75 million after allegedly selling drivers’ location and driving-behaviour data collected through OnStar. For privacy, compliance, product, and marketing leaders, the point is wider than connected cars. If your team keeps personal data after the operational reason has ended, or reuses it for a later commercial idea, this case is the clearest warning yet.
What happened in the GM settlement on 8 May 2026
According to California’s complaint against GM and OnStar, the company collected names, contact details, precise geolocation, and driving-behaviour data from OnStar users, then sold much of that information to LexisNexis Risk Solutions and Verisk between 2020 and 2024. The state’s complaint says those brokers intended to use the data to build driver-rating products for insurers. California says GM made about $20 million nationwide from the sales.
The state says three things made the conduct unlawful. First, drivers were not clearly told that their data would be sold for insurance-related uses, despite privacy statements that implied the data was used to provide requested services. Second, California says GM did not give consumers an effective way to opt out of those sales. Third, the complaint says GM kept driving and location data longer than necessary and then sold it for a purpose that was incompatible with the original reason for collection. The Attorney General described the case as the first action enforcing the CCPA’s data minimization principle and the largest CCPA penalty to date.
Why regulators said GM crossed the line
Data collected for a service was later used for a different business model
The complaint draws a sharp line between the original OnStar purpose and the later insurance-rating purpose. Under Civil Code section 1798.100(c), a business may use personal information for the purpose it was collected for, or for another disclosed purpose that is compatible with that original context. California says selling driving data to support insurance products failed that test. The article on California CCPA/CPRA basics covers the wider statute, but the GM case shows what incompatibility looks like in practice.
Notice and actual practice did not match
The state also says GM’s privacy messaging and its actual data flows pointed in different directions. In the complaint, California alleges that GM’s opt-out mechanism did not stop the transfers to Lexis and Verisk. The filed complaint matters here because it turns a familiar policy-writing problem into an enforcement one: if the notice says one thing and the operational pipeline does another, the notice will not save you.
Retention mattered as much as sharing
Many organisations still treat retention as a records-management footnote. California did not. The complaint says GM retained driving and location data longer than needed to operate OnStar and Smart Driver, then sold that retained data later. That point is important because data minimization under section 1798.100(c) is about collection, use, retention, and sharing. A dataset that was justified in January can become unjustified in July if the service need has ended.
Sensitive location data raised the stakes
California also highlighted precise geolocation. Under Civil Code section 1798.121, consumers have the right to limit the use and disclosure of sensitive personal information to what is necessary to provide the goods or services an average consumer would expect. The complaint says GM did not let consumers limit disclosure of their location data to the brokers. That makes this more than a generic data sale case. It is also a warning about sensitive data being reused outside customer expectations.
What the case says about CCPA data minimization and purpose limitation
The cleanest way to read the case is this. Purpose limitation asks why you are using the data. Data minimization asks whether you need this data at all, in this amount, for this long, and with this third party. California’s updated CCPA regulations, effective from 1 January 2026, give those questions more operational weight. The GM settlement is the first high-profile example of regulators applying them to a real commercial data flow.
That matters beyond automotive. A SaaS company may collect usage logs to troubleshoot support tickets. It cannot assume those same logs can later feed a separate analytics product just because the data is already in the warehouse. A retailer may collect location or behaviour data to run a loyalty app. It still needs to ask whether later sharing, later retention, and later monetisation are reasonably necessary and proportionate. California’s CCPA enforcement roundup shows the penalty trend. GM adds a new lesson: “useful later” is not a defence.
Four checks managers should run now
- Map each dataset to one operational purpose. If the purpose is vague, such as “service improvement” or “future commercial analysis”, tighten it now.
- Review retention against the live service need. If a team cannot explain why a dataset still needs to exist after the service event ends, set a deletion date.
- Test whether privacy notices, opt-out controls, and consent flows match the real third-party transfers. Check the system behaviour as well as the policy wording.
- Escalate any reuse that would surprise a reasonable customer. That includes broker sharing, insurance use, profiling, and new commercial products built from old operational data.
Which teams should care beyond automotive
This case is relevant to any team that holds detailed behavioural, location, or account-usage data: product teams, mobile-app owners, insurers, HR functions using monitoring tools, and marketing teams stitching together customer signals across platforms. The common risk is simple: data collected for one customer-facing function gets retained and repurposed because the business later spots a second use. California has now shown that this is exactly the pattern regulators will test.
What a defensible response looks like
A defensible response starts with documents, but it cannot end there. Keep a retention schedule tied to each purpose. Require review before any secondary use goes live. Make sure vendor terms cover deletion, purpose limits, and audit rights. Train staff who propose data-sharing or monetisation ideas so they know that a legal notice is not a magic fix after the fact. The GM settlement is a reminder that privacy risk often appears after the original collection step, when old data gets a new commercial job.
Sources
- California Attorney General settlement announcement, 8 May 2026
- California complaint against General Motors LLC and OnStar LLC, filed 8 May 2026
- California Privacy Protection Agency: CCPA updates and related regulations, effective 1 January 2026
- California Civil Code section 1798.100
- California Civil Code section 1798.121
