GM Privacy Settlement: How Privacy Enforcement is Tightening Its Grip

In a landmark data privacy ruling, California’s Attorney General secured a $12.75 million settlement against General Motors (GM), the largest CCPA penalty so far. The settlement resolved charges that GM sold sensitive customer data, including thousands of customers’ location and driving data, to data brokers. In doing so, GM contradicted its own privacy policy, which stated that it did not sell driving or location data and that any disclosure of such data for insurance purposes was made with the customer’s permission.

The case might be an outlier in its scale and scope, but the settlement reflects a broader trend of regulatory focus on transparency, consent, and the sale or sharing of sensitive customer data. Colorado and even Canada are now getting proactive about enforcing rules on data-sharing behavior on public-facing websites. Companies across industries should therefore understand what data they collect, how long they retain it, and whom they share it with.

Compliance Problems Hiding in Plain Sight

This case highlights the proactive, coordinated approach regulators are taking to data privacy enforcement. We’re seeing similar patterns in other jurisdictions, both within and outside the U.S., where businesses are collecting and monetizing customer data.

  • Data minimization: This case marks California’s first major enforcement action centered on the data minimization principle. Regulators are now actively focusing on retention of data beyond its original purpose or repurposing it later.
  • Transparency: Regulators are increasingly operationalizing transparency requirements by comparing public privacy commitments against actual data handling practices. Businesses should expect greater scrutiny of whether disclosures, consent flows, and downstream data-sharing practices truly align.
  • Sale and sharing of data: While the GM case may be unusual in scale, the underlying enforcement focus is familiar. Regulators continue to closely examine how organizations sell, share, or repurpose consumer data beyond the expectations communicated to users.
  • Connected devices: Connected technologies, including vehicles, wearables, and smart home devices, are expanding the privacy risk surface because they continuously generate behavioral and location-based data that may be shared with third parties.
  • Proactive enforcement: Regulators are becoming more proactive in identifying privacy violations, including through coordinated sweeps and automated scans of publicly accessible websites and systems for compliance failures.
  • Multi-agency coordination: Privacy enforcement is increasingly being coordinated across agencies and jurisdictions, allowing regulators to pursue larger and more complex investigations.

Avoid Becoming the Next Privacy Headline

Businesses today operate in an extraordinarily complex data environment. The rules around what can be collected, retained, and shared have evolved rapidly, and in many cases they change faster than internal compliance programs can keep pace with. The privacy principles at the heart of the GM settlement offer a clear blueprint for what regulators expect. Here’s where businesses should start:

  • Audit your data: Take stock of every type of data you collect, including behavioral, location, and transactional data. Ask hard questions. Why is it being collected? How long has it been retained? Who has access to it? If your answers are vague, your compliance posture is vulnerable.
  • Review your privacy policy: This document is increasingly being treated as a binding commitment. Any gap between what it says and what your business actually does is a liability. A thorough review, ideally with legal counsel, should be a priority, not a periodic checkbox.
  • Minimize what you collect: California law now explicitly prohibits retaining data beyond its original purpose. If data isn’t actively serving the function it was collected for, it shouldn’t be sitting in your systems, and it certainly shouldn’t be finding new commercial uses.
  • Scrutinize third-party sharing: Data broker relationships, affiliate partnerships, and third-party integrations all carry risk. Businesses need clear contractual terms, defined use cases, and regular oversight of how shared data is being used downstream.
  • Build a real compliance program: The settlement required GM to develop and maintain a formal privacy program, complete with documented risk assessments reported to regulators. This is the new baseline expectation.
  • Take connected devices seriously: The investigation that triggered this case began with connected vehicles, but the regulatory interest extends far beyond cars. Any product that passively collects behavioral data, including wearables, smart appliances, and fleet trackers, should be treated as a high-priority compliance area.

Act Before Enforcement Does

The GM case involved the Attorney General, four District Attorneys, and a dedicated state privacy agency working in coordination. While the settlement may be an outlier in scale, it reflects a broader trend toward more coordinated, proactive, and operational privacy enforcement. Regulators are increasingly examining whether businesses truly understand the data they collect, whether they genuinely need it, and whether customers have meaningful control over how it is used. Organizations that prioritize transparency, data minimization, and accountable data governance will be better positioned to reduce regulatory exposure and build long-term customer trust.


Author

Dan Clarke
President, Truyo
May 13, 2026