25 May 2026

CCPA $12.75 Million Settlement with General Motors (2026): What Happened and Why It Matters

ON THIS PAGE

  • 2026 General Motors CCPA Settlement: Key Facts Businesses Should Know
  • Why General Motors Paid $12.75 Million Under the California Consumer Privacy Act
  • How General Motors Allegedly Misused Driver Data Under CCPA
  • General Motors and CCPA Violations: Lessons from the 2026 $12.75 Million Fine
  • General Motors Privacy Violations: How to Avoid Similar CCPA Penalties
  • California Privacy Enforcement Trends in 2026: The General Motors Example
  • Frequently Asked Questions

On May 8, 2026, General Motors (GM) agreed to pay $12.75 million to resolve a California investigation into the company's collection and sale of drivers’ geolocation and driving behavior data through its OnStar services, allegedly without their consent. The data was reportedly shared with data brokers and insurance-related companies.

The information included names, location information, driving behavior, and contact information. It was shared with the data brokers LexisNexis Risk Solutions and Verisk Analytics.

The California Privacy Protection Agency said General Motors misled drivers who paid for the emergency roadside and navigation service OnStar and made approximately $20 million from the unconsented sale of their data between 2020 and 2024.

General Motors’ CCPA settlement is currently the largest publicly announced CCPA settlement.

Let’s delve deeper into the CCPA settlement with General Motors and what it means for data privacy compliance.

2026 General Motors CCPA Settlement: Key Facts Businesses Should Know

California privacy enforcement is no longer focused only on tech companies and ad platforms.

On May 8, 2026, General Motors agreed to pay $12.75 million to settle allegations that it collected and sold drivers' Personal Information without their consent. General Motors didn’t provide adequate notice and opt-out options, violating the California Consumer Privacy Act (CCPA).

GM collected and shared connected vehicle data: names, precise geolocation, driving behavior, contact information, and other data generated by modern cars.

General Motors unlawfully shared data of hundreds of thousands of Californians with two data brokers, Verisk Analytics, Inc. (Verisk) and LexisNexis Risk Solutions (Lexis), and reportedly made approximately $20 million nationwide from these data sales.

Additionally, GM retained Californians’ driving and location data longer than needed and then sold this retained data to Lexis and Verisk, which intended to sell the data for insurance rate-setting. These practices violated the CCPA’s purpose limitation and data minimization requirements.

This is the biggest penalty to date for CCPA violations.

In February 2026, the California Attorney General announced a $2.75 million settlement with Disney for failing to implement valid opt-out methods.

Why General Motors Paid $12.75 Million Under the California Consumer Privacy Act

Regulators alleged that General Motors collected data through connected vehicle systems and shared that information with third parties without notifying consumers. Sharing Personal Information for cross-context behavioral advertising and related uses requires consent, even if companies are related.

General Motors’ privacy settlement concluded that General Motors failed to comply with core CCPA obligations.

Under the CCPA, businesses are required to:

  • Inform consumers about the categories of personal information collected.
  • Explain why that data is collected.
  • Inform consumers about data sharing practices.
  • Provide a clear "Do Not Sell or Share My Personal Information" option when applicable.
  • Honor opt-out requests.
  • Limit the use of sensitive personal information when required.

 

The settlement requires GM to:

  • Pay $12.75 million in civil penalties.
  • Stop selling driving data to any consumer reporting agencies for five years, including to data brokers like Lexis and Verisk.
  • Delete any driving data retained by the company within 180 days, unless explicit consent was obtained.
  • Request that data brokers Lexis and Verisk delete driving data.
  • Develop and maintain a robust privacy program ensuring that GM complies with the CCPA.
  • Assess, mitigate, and document the risks of collecting data through OnStar.
  • Report its privacy assessments to DOJ, the aforementioned DAs, and CalPrivacy.

 


How General Motors Allegedly Misused Driver Data Under CCPA

The core issue in driver data misuse was not simply the fact that General Motors collected consumer data. General Motors' data privacy violations stemmed from failing to inform consumers and from failing to provide real control.

According to allegations, GM collected and disclosed sensitive personal information under CCPA, such as:

  • Vehicle location data.
  • Driving habits and behavior.
  • Acceleration and braking patterns.
  • Trip history.
  • Other connected vehicle telemetry.

 

This type of information can reveal highly sensitive details about a person's daily life, including visits, routines, and movements, thereby violating driver data privacy.

When businesses collect and share data like this with third parties, even if they have signed contracts, they must inform consumers:

  • What data do they collect?
  • Why do they collect such data?
  • Do any third parties receive this data?
  • What third parties receive it?
  • How can consumers opt out?

 

If those disclosures are buried in lengthy privacy policies or otherwise difficult to find, regulators may consider that businesses didn’t inform users about their data collection.

General Motors and CCPA Violations: Lessons from the 2026 $12.75 Million Fine

This $12.75 million CCPA settlement with General Motors offers several practical lessons for businesses handling privacy issues:

  1. Sensitive data must be treated with special care
    Privacy requirements for sensitive personal data are stricter than for personal data. Location data, visited places, and behavioral information are considered particularly sensitive and must be treated accordingly.
  2. Consent options must be clear
    Privacy disclosures must be clear and easy to find. If they are buried in lengthy privacy policies or users do not understand what they are agreeing to, regulators may consider the consent invalid.
  3. Implement the data minimization principle
    Regulators made it clear: if data was collected for one specific service, it cannot be held and repurposed for a completely different function (such as corporate monetization) without affirmative consumer consent.
  4. Businesses must offer functional opt-out options
    Businesses must offer a straightforward method to refuse the sale or sharing of consumer personal information. Opt-out options must be easy to find and opt-out links must work.
  5. Businesses must fully map third-party data sharing
    Third-party sensitive data sharing is heavily regulated, so businesses must know in detail what data they share with third parties. You cannot disclose to consumers what you do not understand. Create data inventories and conduct vendor reviews.
  6. Intent does not protect from fines
    Even though the CCPA forbids auto insurance companies from using driving metrics to set consumer rates, regulators issued a record fine for the privacy violation. In this case, insurance companies didn’t use the received data to calculate insurance rates for car owners. Thus, financial damage is not a prerequisite for regulatory enforcement.
  7. Any industry can come under scrutiny by regulators
    Industry does not matter anymore. Automakers, retailers, SaaS companies, publishers and digital advertisers are all subject to the same privacy obligations when they process California residents' personal information.

General Motors Privacy Violations: How to Avoid Similar CCPA Penalties

Most companies do not intentionally violate privacy laws. Problems usually happen because companies underestimate data privacy, or data practices evolve faster than compliance processes.

To avoid similar CCPA penalties, businesses must:

  • Maintain an up-to-date data inventory.
  • Classify sensitive personal information.
  • Review all vendors and data-sharing arrangements.
  • Publish accurate privacy notices.
  • Provide easily accessible opt-out options.
  • Implement a visible "Do Not Sell or Share" link.
  • Honor Global Privacy Control (GPC) signals.
  • Keep records of consumer requests.
  • Audit consent and preference mechanisms regularly.

 

A certified consent management platform can simplify much of this work by automating disclosures, opt-out handling, and consent records.

CookieScript is a Google-certified CMP with GOLD Tier in the new Google tiering system, included in the list of Google partners.

It has the following features, allowing businesses to comply with the CCPA and other privacy laws:

  • Integrations with CMS platforms like WordPress, Shopify, Magento, etc.
  • Cookie banner customization
  • Google Consent Mode v2 integration
  • IAB TCF v2.2 integration
  • Google Tag Manager integration
  • Global Privacy Control 
  • Certification by Google
  • CookieScript API
  • Cookie Scanner
  • Consent recordings
  • Third-party cookie blocking
  • Geo-targeting 
  • Self-hosted code 
  • Cookie banner sharing 
  • Cross-domain cookie consent sharing 

 

CookieScript also offers a 14-day free trial.


California Privacy Enforcement Trends in 2026: The General Motors Example

The $12.75 million CCPA settlement between CCPA regulators and General Motors marks a landmark in California’s privacy enforcement. This is the biggest CCPA penalty to date, theoretical compliance with strict technical verification of data collection and sharing practices.

The General Motors settlement reflects several clear enforcement trends:

  1. Regulators are targeting real-world data handling practices
    Authorities are looking beyond websites and cookies to connected devices, apps, and embedded technologies.
  2. Sensitive personal information is a priority
    Sensitive personal information, such as precise geolocation, visited places, and behavioral data, receives close regulatory attention.
  3. Strict application of data minimization
    Regulators are looking at whether collected information is truly necessary. If data is collected for a specific service (e.g., emergency navigation), it cannot be reused for secondary monetization or commercial use (e.g., marketing) even within the same company without clear, separate consent.
  4. Transparency is a priority
    Regulators increasingly test whether privacy disclosures are understandable. Disclosures stating data is used to "improve services" are no longer a viable defense for secondary use. If companies want to monetize collected data, they must provide upfront, clear disclosures and functional opt-outs.
  5. Technical audits over policy reviews
    Regulators are auditing actual technical architecture. They check how long businesses hold data and verify whether consumer opt-out signals are properly propagated.
  6. Large settlements are becoming more common
    Privacy violations can lead to substantial financial and reputational consequences. In February 2026, the California Attorney General announced a $2.75 million settlement with Disney for failing to implement valid opt-out methods, and General Motors was fined $12.75 million for improper data management practices.
  7. Expanding consumer rights platforms
    California’s enforcement landscape continues to evolve. The CPPA introduced the centralized Delete Request and Opt-out Platform (DROP), which allows California residents to submit deletion and opt-out requests to registered data brokers through a single platform.

Frequently Asked Questions

Why did General Motors agree to a $12.75 million CCPA settlement in 2026?

On May 8, 2026, General Motors agreed to pay $12.75 million to resolve claims under the CCPA that the company collected and sold California drivers’ geolocation and driving behavior data through its OnStar services, allegedly without their consent. The data was reportedly shared with data brokers and insurance-related companies. Use CookieScript CMP, one of the best CMPs, to obtain user consent and comply with CCPA.

How did General Motors allegedly misuse driver data under CCPA?

According to the CCPA investigation, GM collected and disclosed information such as vehicle location data, driving habits and behavior, acceleration and braking patterns, trip history, and other connected vehicle telemetry. This type of information can reveal highly sensitive details about a person's daily life, including places visited, routines, and movements. Use CookieScript CMP to obtain user consent and comply with CCPA; it’s a professional and affordable compliance tool.

What can businesses learn from the General Motors CCPA settlement?

Data privacy compliance must match real-world data practices. Businesses should maintain an accurate data inventory, review third-party data-sharing arrangements, provide a working "Do Not Sell or Share My Personal Information" link, and honor consumer opt-out requests. If your company collects behavioral or location data, this case is a strong reminder that regulators expect full transparency and consumer choice. Use a CMP like CookieScript to handle user consent.

What are the trends in California privacy enforcement in 2026?

The recent General Motors settlement reflects several clear enforcement trends: regulators are targeting real-world data handling practices, transparency is a priority, regulators conduct technical audits over policy reviews and check how the data minimization principle is implemented. Use a CMP like CookieScript to handle user consent and comply with CCPA. 

 
Copyright ©2026 CookieScript

