GM Just Paid $12.75M for Selling Driver Data It Shouldn't Have Kept
California AG Bonta announced a $12.75M civil penalty against GM and OnStar for selling driver data to data brokers between 2020 and 2024. It is the largest CCPA penalty ever and the first data minimization enforcement action.
California's largest CCPA penalty ever just landed on a connected-vehicle data sale that produced more revenue than the fine recovers, and it marks the first regulatory enforcement of the CCPA's data minimization principle.
SACRAMENTO, CA — California Attorney General Rob Bonta announced on May 8, 2026 that General Motors and OnStar LLC have agreed to pay a $12.75 million civil penalty to settle California Consumer Privacy Act enforcement allegations. The state alleges GM collected, retained, and sold the names, contact information, GPS locations, speed data, hard-braking events, and rapid-acceleration data of hundreds of thousands of California drivers between 2020 and 2024, selling the records to data brokers LexisNexis Risk Solutions and Verisk Analytics for use in insurance rate-setting. The settlement is the largest CCPA penalty in California history, nearly five times the prior record.
The most editorially distinctive element is the regulatory theory. This is the California DOJ's first action enforcing the CCPA's data minimization principle, added to the statute in 2023. The state's claim is not just that GM sold consumer data without consent — it is that GM retained Californians' driving and location data long after the operational purpose of OnStar required, then sold the retained data. "Companies can't just hold on to data and use it later for another purpose," Bonta said. Pair this with the UK ICO's nearly GBP 1 million fine against South Staffordshire Water earlier this week, and the trans-Atlantic pattern is concrete: data retention is now an enforced compliance question with multi-million-dollar consequences.
What the state alleges happened
According to the California OAG complaint, GM collected California personal information from OnStar-equipped vehicles from 2016 to 2024 and actively sold it to data brokers from 2020 to 2024. The categories of data sold included names, phone numbers, home addresses, GPS location, speed, hard-braking events, rapid-acceleration events, and driving behavior. The buyers were LexisNexis Risk Solutions and Verisk Analytics — both consumer reporting agencies whose intended use was insurance rate-setting. GM made approximately $20 million from the sales, per the OAG estimate. The settlement recovers $12.75 million of that, which suggests the civil penalty was calibrated as roughly the sale proceeds less disgorgement carve-outs.
The framing of the alleged violation goes beyond standard consumer-consent failure. The OAG complaint argues GM violated three California laws: the CCPA (data minimization and purpose limitation), the state's Unfair Competition Law, and its False Advertising Law. GM had previously made public statements that it would not sell driver data — statements the state argues were false. "General Motors sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so," Bonta said in the press release.
Why the data minimization enforcement is the precedent
California added data minimization and purpose limitation to the CCPA in 2023, but until now the principle had not been the basis of a state enforcement action. The GM settlement establishes the template. The DOJ's specific framing is that data minimization "imposes common sense limitations on when and how businesses use, retain, and share data with third parties." Translated for practitioners: data your organization holds for operational reasons must be retained for the duration of that operational need, not held indefinitely for potential future use. Selling retained data for a purpose other than the original collection justification is now an enforceable violation in California.
That framing applies far beyond automotive. Every consumer-data-handling industry — fintech, healthcare, retail, ad-tech, SaaS — operates with retention practices that were standard five years ago and are now active enforcement risk. Specific exposure points to audit: customer-data retention beyond the active commercial relationship, data sale or sharing with brokers without explicit purpose-limitation contracts, and any practice where data collected for one purpose is later monetized for another. The state DOJs in Texas, Colorado, Virginia, Utah, and Connecticut have parallel statutes with similar enforcement potential. Expect more.
What it signals for the connected-vehicle and IoT industries
OnStar is not unique. Every connected vehicle — Ford Co-Pilot 360, Stellantis Uconnect, Toyota Connect, SiriusXM Connected Services, Hyundai Bluelink, Tesla in-vehicle telemetry — collects detailed driver behavior data. The GM settlement establishes that this data category is now actively enforced under California state privacy law. Boards at every automaker, telematics-platform vendor, fleet-management company, insurance-telematics provider, and connected-IoT-device manufacturer should treat the Bonta announcement as the regulatory baseline they will be measured against. GM had previously settled with the FTC over the same conduct; the California state action layers state-level penalties on top of federal enforcement, establishing the federal-plus-state combination pattern that other consumer-data-handling organizations facing breach scenarios should pre-script.
The CyberSignal Analysis
Signal 01 — Data retention is now a board-level compliance question, not a storage-cost question
For most of the last decade, data retention was managed as a cost-optimization question for engineering teams. The CCPA's data minimization principle inverts that framing: retention beyond operational necessity is now a multi-million-dollar regulatory liability. CISOs and chief privacy officers should run a 90-day compliance review of consumer-data retention practices against current CCPA standards. Document the operational justification for every consumer-data category retained beyond the immediate transaction. Where the justification is weak or absent, plan deletion. The cost of the deletion exercise is bounded; the cost of California-level enforcement is, per the GM precedent, $12.75 million per category of violation.
Signal 02 — The federal-plus-state combo is the 2026 enforcement model
GM faced FTC action first, and now the California state action on the same underlying conduct. That sequence is the template other consumer-data enforcement will follow: a federal investigation establishes the conduct, then a state DOJ stacks state-level penalties on top. Plan for the combination scenario in your incident response and regulatory engagement playbooks. The cost is not the FTC settlement alone, and not the state penalty alone — it is both, plus potentially private class-action exposure under the CCPA's private right of action. Brief boards on the cumulative-exposure math and update vendor risk assessments to reflect that single-regulator scenarios are no longer the modal case.
What to do this week
- Audit your consumer-data retention practices. For every category of consumer data your organization holds, document the original collection purpose, the current operational justification for retention, and the deletion timeline. Where the chain breaks — where data is retained without active operational need — plan deletion. This is the specific failure mode the California OAG argued against GM.
- Review your data-broker relationships. If your organization sells, shares, or licenses consumer data to data brokers, audit the contractual purpose-limitation language and consumer-consent posture for each transaction. The GM-LexisNexis and GM-Verisk relationships are now documented enforcement examples. Brief executive sponsors of any active data-broker relationship on the GM precedent.
- Document your public statements about data sales for the past three years. The California OAG specifically cited GM's prior "we don't sell driver data" statements as part of the Unfair Competition and False Advertising allegations. If your organization's marketing has made similar reassurances, audit them against current practice. Where statements and practice diverge, fix the practice or restate the marketing.
- For organizations operating in connected-vehicle, telematics, IoT, smart-home, or wearable categories: brief leadership on the GM precedent specifically. The categories of data the California DOJ cited (GPS location, speed, behavioral telemetry) map directly to the data your sensors collect. Update your privacy program governance and customer-disclosure language this quarter.
- Track parallel state-DOJ enforcement in Texas, Colorado, Virginia, Utah, and Connecticut. Each has CCPA-equivalent statutes with similar enforcement frameworks. The next $10+ million state privacy penalty is unlikely to come from California again in the same quarter; it will likely come from one of these jurisdictions. Update your regulatory tracking accordingly.