California’s GM Settlement Puts Data Minimization Front and Center

With the largest CCPA penalty issued to date, California regulators signaled that retaining and repurposing personal information beyond the original collection context can create significant exposure under both the CCPA and UCL.


On May 8, 2026, California Attorney General Rob Bonta, joined by the California Privacy Protection Agency and four district attorneys, announced a proposed $12.75 million settlement with General Motors arising from GM’s alleged sale of Californians’ driving and location data. The case is significant not only because it is the largest CCPA penalty announced to date, but also because it is the first enforcement action centered on the CCPA’s data minimization requirements.

Subject to court approval, the settlement would require GM to pay $12.75 million in civil penalties, stop selling driving data to consumer reporting agencies for five years, and delete retained driving data within 180 days of the effective date of the settlement unless consumers provide affirmative express consent.

The complaint alleges that GM collected precise geolocation and driving behavior data through its OnStar telematics services. After using the data for operational OnStar functions, GM allegedly then retained it and later sold it to LexisNexis Risk Solutions and Verisk Analytics for insurance-related uses, despite public statements indicating that such data would not be sold. The California Attorney General contends that these practices violated the CCPA’s notice, purpose limitation, and data minimization requirements. The complaint also asserts claims under California's Unfair Competition Law and False Advertising Law.

Background: Data Minimization Requirements under California Privacy Law

The California Privacy Rights Act (CPRA), which amended the CCPA effective January 1, 2023, introduced the first enforceable, substantive data minimization requirement in any U.S. consumer privacy law. Under § 1798.100(c):

A business's collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.

This is an affirmative, ongoing obligation. It is not satisfied by a one-time lawful collection but instead requires that every subsequent use, retention, and disclosure also be independently justified against the original or a compatible disclosed purpose.

The CPPA's implementing regulations at 11 CCR § 7002 flesh out the standard. A business evaluating whether its practices comply must assess:

  1. The minimum personal information necessary to achieve the identified purpose, i.e., whether collection/retention of less data would suffice.

  2. The possible negative impacts on consumers from collecting or processing the data.

  3. Whether additional safeguards exist to mitigate those negative impacts.

Critically, the regulation requires businesses to apply this analysis to every purpose for which they collect, use, retain, or share personal information, not just at the point of initial collection.

Purpose Limitation

Closely related to the CCPA’s data minimization requirements is its purpose limitation, codified in the same provision. A business may only use data for (a) the purpose it was collected for, (b) another compatible disclosed purpose, or (c) a purpose to which the consumer separately consented. Retaining or monetizing data for purposes inconsistent with the original collection, even if the data collected is not sold, violates this requirement.

Penalties

Violations carry civil penalties of up to $2,663 per violation and $7,988 per intentional violation or violations involving minors' data, enforced by both the AG and the CPPA under a shared enforcement structure established by the CPRA.[1] When scaled across large numbers of affected consumers, such penalties can increase substantially.


Practical Takeaways

The settlement with GM, which remains subject to court approval, illustrates that California regulators are treating data minimization as an operational compliance obligation, not merely a drafting issue for privacy notices. It also reinforces the CPPA's 2024 Enforcement Advisory No. 2024-01, which directed businesses to apply data minimization to every purpose for which they collect, use, retain, and share personal information.

For companies subject to the CCPA, the GM settlement highlights the following immediate areas for review:

  • Retention. Data must be deleted when it is no longer necessary for the purpose for which it was collected. A business cannot retain data indefinitely on the theory that it might be useful later or that it was lawfully obtained at collection. This principle is illustrated by the fact that GM's continued retention of OnStar data after the operational purpose ended was itself a violation.

  • Third-party disclosure. Sharing or selling retained data to brokers or other third parties is treated as a separate act subject to the purpose and minimization analysis. This means that if the downstream use is inconsistent with the original collection purpose, the disclosure violates § 1798.100(c) regardless of whether the initial collection was proper.

Key action item: Companies should review whether retention schedules align with actual business needs, confirm that downstream disclosures are consistent with the purpose(s) stated at collection, and test whether consumer-facing statements accurately reflect real-world data flows, retention, and vendor relationships.


Stephanie Alvarez Salgado is a litigator representing companies in complex commercial, intellectual property, and privacy disputes. She writes about legal developments involving data privacy, technology platforms, and digital media.


***

[1] Penalty amounts are subject to adjustment in odd-numbered years based on the California Consumer Price Index; these figures may change in 2027.