California regulators recently announced the largest settlement to date for alleged violations of the California Consumer Privacy Act (CCPA): a $12.75 million settlement with General Motors.
The settlement, announced by California Attorney General Rob Bonta and several California district attorneys with support from the California Privacy Protection Agency (CPPA), is significant for several reasons. Most notably, it is the first major CCPA enforcement action focused on the law's data minimization requirements.
For businesses that collect consumer, employee, applicant, or website visitor information, the settlement offers important insight into where California privacy enforcement may be going.
What Was the Alleged Conduct?
The enforcement action centers on GM's OnStar platform, a vehicle connectivity service that provides features such as navigation, roadside assistance, and emergency response services.
California regulators alleged that GM disclosed or sold personal information—including names, contact information, precise geolocation data, and driving behavior data—to third-party data brokers between 2020 and 2024.
Regulators alleged that GM:
- Shared or sold consumer information without providing adequate notice or obtaining appropriate consent;
- Represented to consumers that certain driving and location information would not be sold, contrary to its actual data-sharing practices;
- Retained data longer than necessary to provide OnStar services; and
- Used retained data for purposes that were allegedly inconsistent with the reasons for which the information was originally collected.
GM entered into the settlement without admitting any violation of law or wrongdoing.
Why Is This Settlement Significant?
Although the settlement involves a vehicle services platform, the legal theories underlying the enforcement action apply broadly across industries.
Organizations that collect personal information through websites, mobile applications, employee monitoring systems, wellness platforms, AI tools, connected devices, customer analytics platforms, or other technologies may face similar scrutiny.
The settlement highlights two enforcement priorities that every business should understand: transparency and data minimization.
What Is the First Enforcement Priority: Transparency?
The CCPA requires businesses to provide consumers with clear notice regarding:
- What information is collected;
- Why the information is collected;
- How the information will be used; and
- Whether the information will be shared or sold to third parties.
According to regulators, one of the central issues in the GM matter was the alleged mismatch between what consumers were told and how data was actually being used.
The settlement serves as a reminder that privacy policies are no longer viewed as merely disclosure documents. Regulators increasingly compare a company's actual data practices against its public-facing privacy representations.
As a result, businesses should ensure that privacy policies, notices at collection, vendor agreements, and operational data practices remain aligned.
What Is the Second Enforcement Priority: Data Minimization?
The settlement is also notable because it places significant emphasis on the CCPA's data minimization and purpose limitation requirements.
Under California law, businesses generally may collect, use, retain, and disclose personal information only to the extent reasonably necessary and proportionate to achieve the purposes disclosed to consumers.
Stated differently, businesses should not collect information simply because it might become useful someday. Likewise, information collected for one purpose should not automatically be repurposed for a different business objective without additional disclosures and, in some circumstances, additional consumer consent.
According to the Complaint, GM collected driving and location information to provide OnStar services. The state alleged that retaining that information and subsequently providing it to data brokers exceeded the purposes for which the information was originally collected.
Whether or not similar facts exist in another industry, the broader lesson is clear: businesses should evaluate not only what data they collect, but also why they collect it, how long they retain it, and whether future uses remain consistent with the original purpose of collection.
Why Does This Matter Beyond Consumer Data?
Many employers focus on the CCPA's impact on customer information but overlook the fact that the law also applies to certain information collected from California employees, applicants, contractors, and business contacts.
Organizations increasingly use technologies that collect:
- Location information;
- Productivity metrics;
- Device usage information;
- Behavioral analytics;
- Biometric information;
- AI-generated insights; and
- Other forms of sensitive personal information.
As privacy enforcement evolves, regulators are likely to examine whether businesses have adequately disclosed these practices and whether the information is being retained and used consistently with those disclosures.
What Questions Should Businesses Be Asking?
This settlement presents an opportunity for organizations to evaluate their privacy programs.
Key questions include:
- Does our privacy policy accurately describe our actual data practices?
- Do we know all of the categories of personal information we collect?
- Are we sharing personal information with vendors, analytics providers, advertisers, or other third parties?
- Have we provided all required notices, and honored all consumer rights, associated with those disclosures?
- Are we retaining information longer than necessary?
- Are we using information for purposes that differ from the reasons originally disclosed to individuals?
- Do our contracts with vendors accurately reflect our privacy obligations and operational practices?
- Have we assessed compliance with the CCPA's data minimization and purpose limitation requirements?
What Should Businesses Do Now?
In light of this settlement, businesses should consider taking the following steps:
Conduct a data inventory. Identify what personal information is collected, where it is stored, why it is collected, how long it is retained, and with whom it is shared.
Review privacy disclosures. Confirm that privacy notices accurately reflect actual business practices and adequately describe all intended uses of personal information.
Evaluate retention practices. Determine whether personal information is being retained beyond the period reasonably necessary to accomplish the disclosed purpose.
Review third-party relationships. Assess contracts and data-sharing arrangements with vendors, analytics providers, advertising partners, and other recipients of personal information.
Assess higher-risk data uses. Businesses that collect sensitive personal information, location data, or behavioral information, or that use AI-driven analytics, should evaluate whether additional risk assessments or compliance obligations apply.
Takeaway
California's record CCPA settlement demonstrates that privacy enforcement is increasingly focused on how businesses operationalize their privacy commitments, not simply what their privacy policies say.
The settlement signals heightened scrutiny of data retention practices, secondary uses of personal information, vendor relationships, and disclosures regarding data sharing. Businesses that proactively audit their data collection, retention, and disclosure practices now will be better positioned to reduce risk and respond to California's evolving privacy requirements. For questions regarding how this settlement affects your business, contact us at Eanet, PC.