California AG Hits GM with $12.75 Million CCPA Fine, Largest Ever
Why It Matters
The record CCPA fine underscores that state privacy regulators are willing to levy substantial penalties for non‑consensual data practices, especially in high‑visibility sectors like automotive. As connected vehicles generate granular location and behavior data, the settlement forces the industry to treat such information as personally identifiable, reshaping data‑sharing business models that rely on third‑party brokers. Beyond GM, the decision sets a precedent for other manufacturers and technology providers that collect vehicle telemetry. Companies will need to redesign data pipelines, embed consent prompts, and invest in audit capabilities to prove compliance, driving a new wave of privacy‑by‑design initiatives across the automotive supply chain.
Key Takeaways
- California AG Rob Bonta announces a $12.75 million CCPA settlement with GM, the largest fine ever under the law.
- Regulators allege GM sold geolocation and driving‑behavior data from its OnStar Smart Driver service to Verisk Analytics and LexisNexis without consent.
- GM must stop selling driving data to credit agencies for five years, delete recent data, and force brokers to erase sold information.
- The settlement aligns with a 2025 FTC order requiring GM to obtain explicit consent for OnStar data sharing.
- California's CPPA has previously pursued Honda and Ford, indicating a broader crackdown on connected‑vehicle privacy violations.
Pulse Analysis
The GM settlement marks a turning point for privacy enforcement in the automotive sector, where data has traditionally been treated as a low‑risk byproduct of vehicle connectivity. By applying the CCPA's consent framework to telemetry, California regulators are effectively extending consumer‑privacy rights to a domain previously governed by industry‑specific standards. This shift forces automakers to reconcile two competing imperatives: the commercial value of granular driving data for insurance underwriting and the legal requirement to obtain explicit user permission.
Historically, vehicle manufacturers have leveraged data partnerships to create ancillary revenue streams, often under the assumption that anonymized data falls outside the scope of privacy statutes. The GM case dismantles that assumption, signaling that even aggregated or pseudonymized datasets can trigger CCPA liability if they can be linked back to an individual. As a result, we can anticipate a wave of contractual renegotiations with data brokers, heightened investment in privacy‑compliant analytics platforms, and possibly a slowdown in the rollout of new connected‑car features until robust consent mechanisms are in place.
Looking forward, the settlement could catalyze legislative action at both state and federal levels. Lawmakers may seek to codify stricter definitions of personal data for automotive contexts, while the FTC and CPPA could coordinate to issue joint guidance, reducing regulatory fragmentation. For investors, the enforcement trend adds a new risk vector to automotive and tech stocks tied to connected‑vehicle ecosystems, prompting a reevaluation of valuation models that previously discounted privacy compliance costs.