GM's $12.75M CCPA Settlement: What Automotive & IoT Companies Must Know About Data Privacy in 2026

Tags: CCPA, General Motors, data privacy, automotive data privacy, CCPA compliance, FTC enforcement, data minimization, consumer privacy

By AIGovHub Editorial, May 13, 2026

Introduction: A Landmark CCPA Settlement

In a landmark enforcement action, General Motors (GM) agreed to a $12.75 million settlement with California over allegations that it violated the California Consumer Privacy Act (CCPA) by illegally collecting drivers' location and driving data and selling it to the data brokers Verisk Analytics and LexisNexis Risk Solutions. The data was collected between 2020 and 2024 through GM's OnStar subsidiary and its 'Smart Driver' program and was intended for use in driver-scoring products for the insurance industry. The California Attorney General stated that GM failed to notify consumers or obtain their consent, retained the data longer than necessary, and repurposed it for sale, earning $20 million nationwide. This is the first CCPA enforcement action focused on the law's data minimization rules, and it sends a clear message to automotive and IoT companies: your data collection and sale practices are under scrutiny.

What Happened: GM's CCPA Violations

According to the California Attorney General, GM violated the CCPA in several key ways:

  • Illegal data collection and sale: GM collected drivers' precise location, driving behavior, and other personal information through OnStar and the Smart Driver system without proper notice or consent, then sold this data to Verisk Analytics and LexisNexis Risk Solutions for use in insurance scoring products.
  • Failure to obtain consent: Consumers were not informed that their driving data would be sold to data brokers. GM did not provide a clear opt-out mechanism or obtain explicit consent for the sale of personal information.
  • Data minimization violations: This is the first CCPA enforcement action to focus on data minimization — the requirement that businesses only collect and retain personal information that is reasonably necessary for the purposes disclosed. GM retained data longer than necessary and repurposed it for sale without authorization.

In addition to the fine, GM must stop selling driving data for five years, delete retained data within 180 days unless consumers consent, request deletion from the data brokers, and implement a stronger privacy compliance program. GM discontinued the Smart Driver product in 2024. The FTC had previously banned GM from selling drivers' data for five years in a parallel action.

CCPA Requirements for Data Selling and Opt-Out Rights

The GM case highlights several critical CCPA requirements that all businesses — especially those in automotive, IoT, and connected services — must understand:

1. Notice at Collection

Businesses must provide consumers with a notice at or before the point of collection that explains what categories of personal information will be collected and the purposes for which it will be used. GM failed to disclose that driving data would be sold for insurance scoring.

2. Right to Opt Out of Sale/Sharing

Consumers have the right to direct a business to stop selling or sharing their personal information (the “Do Not Sell or Share My Personal Information” right). Businesses must provide a clear and conspicuous link on their website and honor opt-out requests promptly.

3. Data Minimization

Under the CCPA as amended by the CPRA, businesses must limit the collection, use, retention, and disclosure of personal information to what is reasonably necessary for the disclosed purposes. The GM case marks the first time a regulator has enforced this principle under the CCPA, setting a precedent.

4. Retention Limits

Personal information must not be retained longer than reasonably necessary for the disclosed purpose. GM's retention of driver data beyond its initial purpose violated this requirement.

5. Contractual Controls on Service Providers and Third Parties

Businesses must have contracts in place with service providers and third parties that limit their use of personal information. GM's contracts with Verisk and LexisNexis allegedly did not adequately restrict use of the data.

Comparison with FTC Enforcement Actions

The GM settlement echoes the FTC's recent enforcement against data broker Kochava, which was banned from selling precise geolocation data after the FTC alleged it could be used to track individuals in sensitive locations. In both cases, the regulators targeted the sale of sensitive location data without consent. Key parallels:

  • Location data is high-risk: Both actions underscore that precise geolocation data is considered sensitive and requires heightened protections.
  • Consent is non-negotiable: Both the FTC and California AG required affirmative consent (opt-in) for the sale of sensitive data, not just an opt-out.
  • Data broker liability: Regulators are increasingly holding both data sellers and data buyers accountable.

While the FTC action was based on Section 5 of the FTC Act (unfair/deceptive practices), the California action was under the CCPA, which provides a private right of action for data breaches and statutory damages for violations. The GM settlement shows that state regulators are willing to use their enforcement powers aggressively.

Lessons for Automotive and IoT Companies

Connected vehicles and IoT devices generate vast amounts of personal data — location, driving behavior, biometric data, and more. The GM case offers critical lessons:

  1. Map your data flows: Understand exactly what data is collected, how it is used, with whom it is shared, and for how long it is retained. Document all data sharing with third parties and data brokers.
  2. Obtain meaningful consent: Use clear, specific, and unambiguous consent mechanisms. Pre-checked boxes or buried disclosures will not suffice. For sensitive data, consider opt-in rather than opt-out.
  3. Implement data minimization: Only collect data that is strictly necessary for the stated purpose. Avoid repurposing data for new uses without fresh consent.
  4. Review contracts with data brokers: Ensure contracts with data purchasers include restrictions on use, disclosure, and retention. Monitor compliance.
  5. Prepare for multi-state compliance: With 15+ US states now having comprehensive privacy laws (including Colorado, Virginia, Connecticut, Texas, and Oregon), a patchwork of requirements exists. The CCPA remains the most stringent, but other states have similar data minimization and opt-out rules.

Checklist for CCPA Compliance in 2026

To avoid becoming the next enforcement target, organizations should use this checklist:

  • [ ] Update privacy notice to include categories of data collected, purposes, and third parties with whom data is shared.
  • [ ] Implement a clear “Do Not Sell or Share My Personal Information” link on your website and mobile app.
  • [ ] Establish a process to respond to consumer rights requests (access, deletion, correction, opt-out) within 45 days.
  • [ ] Conduct a data inventory and mapping exercise to identify all personal information flows.
  • [ ] Review and update data retention schedules to align with data minimization principles.
  • [ ] Audit contracts with service providers and third parties for compliance with CCPA restrictions.
  • [ ] Train employees on CCPA requirements and data handling procedures.
  • [ ] For connected devices, provide clear in-vehicle or in-app disclosures about data collection and sale.
  • [ ] Monitor regulatory developments: The California Privacy Protection Agency (CPPA) continues to issue new regulations.
  • [ ] Consider using compliance management tools to automate privacy impact assessments, vendor due diligence, and consent management.

How AIGovHub Can Help

Managing multi-state privacy compliance is complex. AIGovHub's Privacy Impact Assessment tool and Vendor Due Diligence Questionnaire Generator help organizations map data flows, assess risks, and streamline compliance with CCPA, CPRA, and other state laws. Our platform also provides real-time regulatory alerts and a comprehensive vendor marketplace to compare privacy solutions. Whether you need to conduct a data inventory, update your privacy notice, or audit third-party contracts, AIGovHub's interactive tools can save time and reduce risk.

Ready to strengthen your privacy compliance program? Explore AIGovHub's compliance toolkit today and ensure your organization is prepared for CCPA enforcement in 2026 and beyond.