For most of the California Consumer Privacy Act’s life, enforcement has followed a familiar script: a company suffers a breach, or fails to honor opt-out requests, or buries its privacy notice somewhere unreadable, and the state extracts a penalty. The $12.75 million settlement California Attorney General Rob Bonta announced with General Motors breaks that pattern. GM was not penalized for losing control of data. It was penalized for collecting data it had no business collecting — and then selling it.
This is the largest CCPA penalty in California history to date, and it is the first enforcement action centered on the law’s data-minimization principle. That distinction matters far more than the dollar figure.
What GM actually did
General Motors operates OnStar, the connected-vehicle service built into millions of GM cars. Through OnStar and related telematics systems, GM collected precise geolocation data and detailed driving-behavior data — hard braking, rapid acceleration, speed, trip timing, the granular signals that describe not just where you drive but how.
According to the state, GM retained that data well beyond what was needed to actually operate the service, and then sold it to third-party data brokers. Those brokers, in turn, are the same pipeline that feeds insurance pricing, risk scoring, and the broader market in behavioral profiles. Drivers who bought a car did not meaningfully understand they were also enrolling in a surveillance product whose output would be sold to companies that could raise their premiums.
The settlement requires GM to delete retained driving data within a defined window and to stop the practices that gave rise to the case. But the remedy is less important than the legal theory.
Why “data minimization” changes the game
The CCPA — and its successor framework under the California Privacy Rights Act — contains a deceptively simple requirement: a business’s collection, use, retention, and sharing of personal information must be “reasonably necessary and proportionate” to the purpose for which it was collected. For years, that clause sat largely unenforced. Companies treated privacy compliance as a matter of disclosure: tell people what you collect, offer an opt-out, and you are covered.
Bonta’s action says that is not enough. Even with perfect notice and a working opt-out, collecting more than you need — and retaining it longer than you need — is itself a violation. You cannot disclose your way out of over-collection.
That is a fundamentally different compliance posture. Disclosure is cheap; you write a longer privacy policy. Minimization is expensive, because it forces companies to justify every field they capture and every day they keep it. The default corporate instinct — collect everything, keep it forever, figure out a use later — is exactly what the data-minimization principle exists to kill.
The connected-car problem in one case
Modern vehicles are among the most aggressive data collectors most people own. A car can generate location traces, biometric signals, in-cabin audio, contact lists synced from a phone, and a continuous behavioral record of how its driver operates it. The driver agreed to almost none of this in any informed sense; it arrives bundled in a terms-of-service click during a stressful, high-pressure purchase.
The GM case is the first major regulatory acknowledgment that the connected-car data economy is a privacy problem of its own category. Driving-behavior data sold to brokers is not an abstract harm — it surfaces as higher insurance quotes for people who never knew they were being scored. The settlement draws a line: telematics data collected to provide a safety service cannot be quietly repurposed into a product sold to the highest bidder.
What this means going forward
For companies, the lesson is direct. If your data practices depend on collecting broadly and retaining indefinitely, California has now demonstrated it will treat that as an independent violation — no breach required. Retention schedules, collection justifications, and the ability to actually delete data are no longer back-office hygiene. They are front-line legal exposure.
For drivers and consumers, the case is a rare instance of enforcement reaching the root of the problem rather than its symptoms. Most privacy penalties punish companies after the damage is done. This one punishes the accumulation that makes the damage possible.
The broader 2026 enforcement trend confirms the direction. Regulators are no longer testing only the language in a privacy notice; they are testing retention, deletion, product design, and whether a company can justify what it holds. The era when “we told you in the policy” was a complete defense is closing. GM is the first large company to learn that the hard way. It will not be the last.