California has issued its largest California Consumer Privacy Act (CCPA) fine to date (2026)
California has issued its largest California Consumer Privacy Act (CCPA) fine to date, sending a strong message to companies that collect and monetize personal data. The $12.75 million settlement with General Motors highlights growing regulatory scrutiny around transparency, consent, and the use of connected device data.
The case focused on GM’s discontinued OnStar Smart Driver program, which allegedly collected sensitive driver information, including precise geolocation data and driving behavior such as braking patterns, speed, and acceleration. According to California regulators, this information was shared with third-party data brokers without obtaining proper consumer consent.
What makes this case particularly significant is that regulators emphasized not only the collection of data itself, but also the lack of clear communication with consumers. Authorities argued that individuals were not properly informed about how their data would be used or sold. In addition, the settlement raised concerns about retaining data longer than necessary and using it for purposes consumers may not reasonably expect.
This enforcement action reflects a broader evolution in privacy regulation. Earlier CCPA investigations often focused heavily on website tracking technologies, cookies, and online advertising practices. Regulators are now increasingly turning their attention toward connected products and Internet of Things services. Modern vehicles, wearable devices, mobile applications, and smart technologies collect enormous amounts of behavioral and location data, and companies are expected to manage that information responsibly.
California authorities also described this as their first major data minimization enforcement action. The concept of data minimization is becoming increasingly important across privacy laws worldwide. Organizations are expected to collect only the information they genuinely need and retain it only for as long as necessary to provide the service. Businesses that continue to gather excessive amounts of data without a clear purpose may face growing legal and reputational risks.
For privacy professionals, the settlement offers an important reminder that transparency and consent are no longer simple compliance checkboxes. Privacy notices must be understandable, accurate, and specific. Consumers increasingly expect companies to explain exactly what information is collected, why it is needed, and with whom it is shared. Regulators are making it clear that consent mechanisms must be meaningful and not hidden within lengthy or unclear policies.
The size of the fine also demonstrates how quickly privacy enforcement is maturing in the United States. Only a few years ago, CCPA penalties were relatively modest. More recent enforcement actions show that regulators are becoming increasingly aggressive, particularly when companies process sensitive personal information or fail to provide adequate transparency.
The implications extend far beyond California. Many privacy laws around the world, including the GDPR and newer U.S. state privacy laws, continue to emphasize accountability, purpose limitation, and consumer rights. Businesses operating internationally are facing rising expectations around governance, risk management, and responsible data practices.
Ultimately, this case highlights how privacy has evolved into a core business issue rather than simply a legal requirement. Organizations that fail to prioritize responsible data use risk financial penalties, reputational damage, and a loss of consumer trust. As regulators continue to expand enforcement efforts, companies that invest in strong privacy programs and transparent data practices will be far better positioned for the future.


