California regulators have secured what attorneys say is the largest enforcement settlement to date under the state’s landmark privacy law, signaling a major escalation in scrutiny of companies that collect, monetize and share consumer data with third parties.
The proposed $12.75 million settlement announced May 8 between California Attorney General Rob Bonta, the California Privacy Protection Agency and General Motors over GM’s connected vehicle service, OnStar, resolves allegations that the automaker improperly collected and sold sensitive driver data without adequate consumer notice or consent.
According to an analysis published by Clark Hill, the settlement marks a turning point in California Consumer Privacy Act enforcement because regulators targeted not only the collection of data, but the broader ecosystem of data brokerage, downstream sharing and internal governance failures associated with monetizing consumer information.
The case centered on GM’s alleged sale of connected vehicle telemetry and location data gathered from hundreds of thousands of California drivers between 2020 and 2024. Regulators alleged the company transferred names, contact information, precise geolocation data and detailed driving behavior metrics to data brokers including LexisNexis Risk Solutions and Verisk Analytics. Those transactions allegedly generated about $20 million in nationwide revenue.
The driving data allegedly included hard braking and acceleration events, speed threshold crossings, seatbelt usage, late-night driving activity and trip duration information.
The Clark Hill analysis noted that while connected vehicle data was the immediate focus, the settlement’s broader implications extend well beyond the automotive industry. Attorneys described the case as a “convergence of compliance failures” touching nearly every major element of modern privacy regulation, including data broker relationships, sensitive personal information, opt-out mechanisms, data minimization, purpose limitation, de-identification standards and internal governance obligations.
One of the settlement’s most significant aspects is regulators’ focus on upstream data suppliers rather than solely on brokers purchasing the information. The complaint targeted GM for furnishing data to brokers, reinforcing California regulators’ growing interest in policing the entire commercial data supply chain.
That focus comes as California prepares to intensify oversight of the data broker industry through its Data Broker Registration Program, or DROP, with additional enforcement expected after the program’s August 1 compliance deadline.
The settlement also reinforces regulators’ increasingly strict interpretation of consumer opt-out rights under the CCPA. According to the complaint, GM disclosed that it sold personal information and provided consumers with opt-out mechanisms, but regulators alleged those tools did not actually stop all data transfers to brokers.
Clark Hill said the case underscores a growing enforcement principle that privacy controls must function comprehensively across all relevant data flows rather than only partially restricting transfers. The analysis compared the GM case to prior California enforcement actions involving The Walt Disney Company and Sling TV in which regulators similarly challenged incomplete opt-out implementations.
Another major development involves California’s increasingly aggressive treatment of precise geolocation information as sensitive personal data. Regulators specifically challenged GM’s handling and sale of location data, reinforcing expectations that businesses provide consumers with meaningful tools to limit disclosure and use of sensitive information.
The enforcement action also marks the first major application of the CCPA’s purpose limitation and data minimization requirements. Regulators alleged GM collected data for operation of OnStar services but later used the same information for undisclosed insurance risk-scoring purposes while retaining and sharing more data than necessary.
Clark Hill said the settlement provides an early indication of how California regulators may enforce the CCPA’s new mandatory risk assessment requirements that took effect in January. Under the agreement, GM’s annual compliance reports must be reviewed by the company’s chief privacy officer and provided to both the general counsel and chief executive officer.
The analysis also emphasized that compliance with federal laws such as the Fair Credit Reporting Act does not create blanket immunity from CCPA obligations, particularly for businesses involved in data analytics or risk-scoring activities.
Clark Hill said the settlement demonstrates that California regulators are prepared to pursue increasingly large and complex enforcement actions where multiple privacy obligations intersect, particularly when sensitive consumer data is monetized through broker relationships.