If your company collects location or behavioral data from connected products and sells or routes it to data brokers, the California Attorney General just published a detailed playbook for what enforcement looks like. On May 8, 2026, Attorney General Rob Bonta announced a $12.75 million settlement with General Motors, the largest California Consumer Privacy Act civil penalty to date.
The settlement resolves claims that GM collected precise geolocation and driving-behavior data from OnStar customers and sold it to third-party data brokers without legally sufficient disclosures or meaningful consent mechanisms. The final judgment and permanent injunction runs five years and reaches back to require deletion of previously sold data.
The AG’s settlement is the latest in a string of actions brought against GM, and serves as a reminder for companies and their compliance officers about the importance of auditing data collection practices and testing consent flows and opt-out mechanisms.
The enforcement action, brought by the AG and participating district attorneys, alleged that GM collected geolocation and driving data through connected vehicle services and GM-branded mobile applications and sold that data to consumer reporting agencies and data brokers. The state’s core theory was a mismatch between what GM told customers and what it actually did: The consumer-facing representations about driver data use conflicted with the actual collection and disclosure practices, in violation of both the CCPA and California’s Unfair Competition Law.
What the Injunction Requires of GM
Beyond the $12.75 million penalty, the injunctive relief is the part that matters for compliance officers. For up to five years, GM must:
- Obtain affirmative consent before collecting, using, or disclosing "covered driving data," subject to narrow operational and safety carve-outs.
- Refrain from selling covered driving data to third parties, including consumer reporting agencies (absent consent), and ensure prior recipients delete previously sold data.
- Delete or destroy previously retained covered driving data unless retention is strictly necessary for enumerated legal, safety, or operational purposes.
- Allow California OnStar customers to disable precise geolocation and remote vehicle data collection through specified mechanisms.
- Implement and maintain a CCPA-compliant privacy program, conduct periodic privacy-focused assessments, and provide annual compliance reports to regulators and senior leadership.
Related Enforcement Actions
The GM settlement follows the FTC’s January 2026 enforcement action involving the collection and sale of geolocation and driving-behavior data, and the California Privacy Protection Agency’s (CPPA’s) October 2025 $1.35 million enforcement action requiring enterprise-wide governance reforms. California is building a coherent enforcement theory across state and federal regulators: connected products that generate location and behavioral data are high-priority targets, secondary data use requires real consent, and governance failures compound the exposure.
The CPPA has independent enforcement authority under the California Privacy Rights Act and has signaled it will run parallel investigations to AG actions where facts support it.
Three Takeaways for Compliance Officers
First, data minimization has moved from a compliance checkbox to an enforceable standard with teeth. The final judgment operationalizes the California civil code requirement that personal information be collected and retained only as reasonably necessary and proportionate to the disclosed purpose. "Reasonably necessary" is no longer an abstract principle; it is now the subject of a consent order with a five-year monitoring tail.
Second, regulators are not satisfied by consent and opt-out mechanisms that exist on paper. The AG examined whether those mechanisms were operationally effective and consistently applied, not just whether they appeared in the privacy policy. That is a harder standard to meet and a harder gap to spot in an audit.
Third, the retroactive deletion obligation is the provision most companies miss. GM must chase down previously sold data and ensure prior recipients delete it. If your company has a history of selling or sharing location or behavioral data, your exposure does not stop at what you collect going forward.
What Companies Can Do Now in Light of GM Settlement
Companies subject to the CCPA and CPRA, particularly those deploying connected products, analytics platforms, or monetization models that involve third-party data sharing, should:
- Audit whether each category of personal data collected is reasonably necessary for identified business purposes under the section of California civil code dealing with a business’s collection of personal information.
- Test consent flows and opt-out mechanisms for operational effectiveness, not just design conformance.
- Map downstream data transfers, including any history of data sales, and assess whether retroactive deletion obligations attach.
- Assess whether your privacy governance structure, assessments, and executive reporting would withstand regulator review under a five-year injunction model.
The GM settlement is not an outlier. It is a template. California has now produced a detailed enforcement roadmap for connected product data practices, and the CPPA has the authority and institutional capacity to run the same play independently. Companies that have been treating CCPA data minimization and secondary use restrictions as soft obligations should recalibrate.
For more information, please contact us or your regular Parker Poe contact.