The California Privacy Protection Agency announced on May 8, 2026 that it had reached a $12.75 million settlement with General Motors over the company’s OnStar connected vehicle program — the largest penalty ever issued under the California Consumer Privacy Act and the state’s first enforcement action targeting data minimization violations directly.

The settlement resolves allegations that GM collected granular driving behavior data from millions of California vehicle owners through OnStar, then sold that data to insurance companies and third-party data brokers without obtaining valid consumer consent. The case marks a decisive shift in how California regulators view data collection: not just as a consent problem, but as a proportionality problem. Companies are now on notice that collecting more data than a service requires — regardless of whether a disclosure was buried in a privacy policy — constitutes a violation in its own right.

What GM’s OnStar Program Actually Collected

OnStar is GM’s connected vehicle platform, offered across Chevrolet, Buick, GMC, and Cadillac vehicles. Beyond its emergency response and navigation functions, the platform collected an extensive record of driving behavior: precise GPS traces, trip duration, speed at any given moment, hard braking events, acceleration patterns, and driving scores calculated from aggregated behavior over time.

This data has significant commercial value to insurers. Companies such as LexisNexis Risk Solutions and Verisk Analytics purchase driving behavior data from automakers and OEM telematics providers to build actuarial models that influence insurance premiums. A driver whose insurer has access to OnStar data may face higher rates based on behavioral profiles the driver did not knowingly provide and cannot easily contest.

California’s investigation found that GM was enrolling vehicles in data-sharing arrangements — in some cases automatically, through default opt-in settings — and that consumers who sought to opt out faced unclear processes, inconsistent confirmation, and in some cases continued data collection after they believed they had withdrawn consent.

The CPPA’s enforcement case against GM rested on three distinct legal theories under California law.

Failure to obtain valid consent for sensitive data sharing. Under the CCPA as amended by Proposition 24 (CPRA), selling or sharing personal information — including geolocation and behavioral data — requires clear disclosure and a meaningful opportunity to opt out. Where sharing affects sensitive personal information, the bar is higher. California regulators found that GM’s disclosures were inadequate: they did not clearly communicate that driving behavior profiles were being sold to insurers, did not obtain consent at the point of enrollment, and did not provide a simple, confirmed opt-out pathway.

Data minimization violations. This is the enforcement first. California’s CPRA, in effect since January 1, 2023, codified a data minimization principle: companies may collect personal information only to the extent reasonably necessary for the purposes disclosed to the consumer. The CPPA found that GM collected data well beyond what OnStar’s safety and navigation services required, and retained it far longer than any legitimate service purpose would justify. The agency’s enforcement action is the first time it has formally cited a company for exceeding collection and retention limits — a principle that has existed in the law for three years without a test case.

Lack of transparency about data broker relationships. California’s Delete Act, which took effect in 2024 and expanded data broker registration requirements, was cited in the context of the investigation. GM did not adequately disclose its downstream commercial data-sharing relationships, making it impossible for consumers to exercise their rights against the brokers receiving their data.

Why This Penalty Is Structurally Different

Most CCPA enforcement to date has focused on consent mechanics — missing opt-out buttons, undisclosed sale relationships, inadequate privacy policy disclosures. The GM settlement goes further by establishing that even properly disclosed collection can violate California law if it exceeds what the service legitimately requires.

This is the data minimization principle operating as a genuine enforcement tool rather than an aspirational standard. In practice, it means every data element a company collects must be defensible against a regulator asking: “Why do you need this? What legitimate service purpose does it serve? How long do you need it?”

For automotive OEMs and connected device manufacturers, the implications are direct. Telematics platforms that collect behavioral data as a byproduct of connectivity — not because the consumer purchased a data-collection service — will need to audit what they collect, how it is used downstream, and whether those uses are proportionate to disclosed service functions.

The Data Broker Pipeline and Insurance Industry Context

GM is not uniquely positioned in this market. Multiple automakers have operated similar programs. The data broker pipeline connecting OEM telematics to insurance underwriting is well-established: LexisNexis Risk Solutions and Verisk, through its DriveAbility product, have contracts with multiple vehicle manufacturers to receive driving behavior data at scale.

A 2023 New York Times investigation first brought widespread public attention to how driving data collected by automakers was being used to raise insurance premiums without consumers’ knowledge. At the time, GM confirmed it shared data with LexisNexis and Verisk. The California enforcement action is the formal regulatory response to that pipeline.

Other automakers that have operated similar telematics data-sharing programs should treat this settlement as a preview of their own exposure. The CPPA has demonstrated both the legal theory and the willingness to pursue it. Companies relying on the same commercial data-sharing model — absent clear consumer consent and a proportionate service justification — are exposed.

California’s Enforcement Posture Is Maturing

The CPPA has moved from establishing its enforcement apparatus to using it aggressively. In the two years since the agency took over primary CCPA enforcement from the California Attorney General, it has pursued cases across a range of violation types: cookie consent dark patterns, improper sale relationships, inadequate privacy notices, and failure to honor deletion requests.

The GM settlement adds two new categories to that record: data minimization and data broker transparency. Both will now attract regulatory scrutiny in future investigations.

The $12.75 million figure is notable in context. CCPA civil penalties are capped at $2,500 per violation (unintentional) and $7,500 per intentional violation. With millions of affected consumers and a pattern of conduct that regulators treated as intentional, the settlement amount reflects a negotiated outcome rather than per-violation arithmetic — but it establishes a reference point that future respondents will be measured against.

Compliance Implications for Organizations

The GM enforcement action creates several immediate compliance obligations for any organization collecting behavioral, location, or usage data from consumers.

Audit collection against purpose. For each data element you collect, document the specific service function it supports. If a data element is collected because it might be commercially useful rather than because it is necessary to deliver the disclosed service, that collection is now legally vulnerable in California.

Review downstream data relationships. If you share data with data brokers, analytics firms, or insurers — directly or through intermediary platforms — those relationships must be disclosed clearly and specifically. Burying them in a general “we may share with third parties” clause is insufficient.

Examine default settings. Opt-in versus opt-out architecture matters. For sensitive data and for data sharing with commercial third parties, passive enrollment through default settings does not constitute valid consent under California law.

Confirm opt-out mechanics work. Consumers who opt out of data sharing must actually be removed from data flows. Continued collection or sharing after opt-out has been a recurring finding across CCPA enforcement actions.

Assess retention policies. Data minimization applies to how long you keep data, not just what you collect. Retention schedules that default to “keep until legal obligation requires deletion” are inadequate. Each data category needs a justified retention period tied to the service purpose.

Document insurance and actuarial data uses separately. If any behavioral or usage data is or could be used by insurance underwriters — directly or through intermediaries — that use must be disclosed as a distinct purpose and must have independent consent or opt-out architecture.

What Comes Next

The GM settlement will not be the last CCPA action based on a data minimization theory. The CPPA has signaled that this principle will be an enforcement priority going forward. Industries that collect large volumes of telemetry data, including automotive, fitness, smart home, financial services, and healthcare-adjacent apps, should expect scrutiny.

The settlement also lands as other states are adopting their own data minimization requirements. Indiana, Kentucky, and Rhode Island all enacted comprehensive privacy laws with data minimization obligations that took effect on January 1, 2026. Colorado, Connecticut, and Virginia have had similar requirements for longer. The California action provides a concrete enforcement reference point that regulators in other states can point to when justifying their own investigations.

For organizations that have treated data minimization as a compliance checkbox rather than an operational constraint, the GM settlement is a reminder that the principle has teeth — and that the largest privacy enforcement action in California history was built on it.

This article is provided for informational purposes only and does not constitute legal advice. Organizations should consult qualified legal counsel regarding their specific compliance obligations.