PH Privacy

Data Minimization as a Mandate: Lessons From California’s Record $12.75 Million Enforcement Action Against General Motors

May 21, 2026

By Aaron Charfoos, Michelle A. Reed, Jeremy Berkowitz and William M. Chaskes

In its enforcement action against General Motors (GM), California signaled that data minimization is no longer an abstract privacy principle but an operational requirement with real enforcement consequences. On May 8, California Attorney General Rob Bonta, four district attorneys from Los Angeles, San Francisco, Napa and Sonoma counties, and the California Privacy Protection Board (CalPrivacy) (collectively, California Authorities) announced a settlement with GM for alleged violations of the California Consumer Privacy Act (CCPA) and California’s Unfair Competition Law (UCL). The action stems from GM’s collection of subscriber personal information — including names, contact information, precise geolocation and detailed driving behavior (collectively described in the settlement as Covered Driving Data) — and the sale of that information to two prominent data brokers between 2020 and 2024.

The investigation was triggered in part by 2024 news reports revealing that automakers were sharing consumers’ driving behavior with insurance companies, enabling some insurers to use that data to raise premiums. According to the complaint, GM earned approximately $20 million nationwide from these data sales. The complaint alleged that the two brokers intended to use the data to build driver-rating products marketable to auto insurers for rate-setting purposes. The Federal Trade Commission also simultaneously investigated GM and reached a settlement with it in January 2026.

Background

The complaint alleges GM committed multiple violations of the CCPA and UCL, including (1) affirmatively misleading consumers by stating in its privacy policy that GM did not sell Covered Driving Data and that any disclosure to insurers would occur only at the consumer’s express direction; (2) selling Covered Driving Data to data brokers contrary to its own internal privacy compliance program, which required disclosing data uses and third-party recipients to consumers; and (3) retaining Covered Driving Data beyond the period necessary to provide and then monetize it, therefore violating the CCPA’s purpose limitation and data minimization requirements as amended in 2023.

Subject to court approval, the settlement requires GM to:

  • Pay $12.75 million in civil penalties — the largest CCPA fine issued to date.
  • Cease the selling of any Covered Driving Data to any consumer reporting agencies (including data brokers) for a period of five years.
  • Delete all retained Covered Driving Data related to driving within 180 days, except for limited uses (e.g., to respond to government requests, necessary to provide to emergency responders) unless consumers provide affirmative, express consent.
  • Not sell any personal information as defined by the CCPA to the third parties that have not deleted this Covered Driving Data.
  • Develop and maintain a comprehensive privacy program to assess, mitigate and document the risks of data collection through third parties and to ensure ongoing CCPA compliance.
  • Periodically report the results of privacy assessments to the California Authorities.

What Businesses Should Do Now

This settlement carries several important implications for businesses, especially those operating in California:

  • Data minimization policies and procedures must be established and enforced. The 2023 amendments to the CCPA added explicit purpose limitation and data minimization requirements — companies may only collect data necessary for a disclosed purpose, may not retain it longer than needed and may not repurpose it for unrelated uses. This settlement marks the first time that the California attorney general and CalPrivacy have enforced these CCPA provisions. Regulators have signaled that they intend to continue scrutinizing how businesses collect and share personal information with third parties. Companies should evaluate what policies and procedures they have in place related to data minimization and ensure proper implementation.
  • Privacy policies must match practice. Businesses should conduct regular audits to ensure that external-facing privacy policies accurately describe all personal information sharing and sales, including to third-party data brokers.
  • Connected products face heightened scrutiny. CalPrivacy launched investigations into connected vehicle privacy practices in 2023. Businesses offering products or services with embedded data collection capabilities — whether in vehicles, smart home devices, wearables or industrial equipment — should expect similar scrutiny.
  • Data broker relationships require rigorous oversight. The CCPA imposes obligations both on the businesses selling data and, in some contexts, on the brokers receiving it. Businesses that sell consumer data to third parties should ensure they have appropriate consumer disclosures and consent mechanisms in place and that contractual arrangements with brokers include appropriate use restrictions to comply with California’s Delete Act, which allows consumers to compel data brokers to delete their personal information.
  • Multi-agency enforcement is now the norm. This case involved coordinated action by the state attorney general, four county district attorneys and CalPrivacy. That alignment of enforcement resources substantially increases exposure for companies that fall short of California’s privacy requirements.
  • Context matters for penalty magnitude. Although this settlement is the highest privacy penalty assessed by California yet, the scale appears attributable to the breadth of consumers affected, the four-year duration of the alleged violations, the sensitivity of Covered Driving Data, alleged harm to consumers and allegations of affirmative misrepresentations to consumers. Businesses should treat these factors as markers of enforcement risk.

Paul Hastings' Data Privacy and Cybersecurity practice regularly advises companies on compliance with consumer privacy laws at the federal, state and international levels, and is uniquely positioned to counsel companies on connected product data practices, enforcement defense and proactive compliance strategies. If you have any questions about the implications of this settlement or connected vehicle privacy obligations, please do not hesitate to contact any member of our team.

Practice Areas

Data Privacy and Cybersecurity


For More Information

Aaron Charfoos

Partner, Litigation Department

Michelle A. Reed

Partner, Litigation Department