What GM's $12.75M CCPA Fine Tells Us About Where Privacy Enforcement Is Headed

Author: Jason Wang

California regulators announced the largest CCPA fine in history. General Motors is set to pay $12.75 million to settle allegations that it sold California motorists' driving data to data brokers without proper disclosure or consent.

The size of the fine grabbed headlines. The more important part is why California regulators issued it.

This case signals a meaningful shift in how privacy enforcement may evolve from here. Regulators are no longer focused only on whether businesses disclose what they’re doing with customer data. They’re starting to question whether businesses should be collecting and keeping certain data in the first place.

What happened

Modern cars collect a significant amount of data: where you drive, how fast, how hard you brake, and when you accelerate. GM's vehicles were collecting all that data and, according to the joint enforcement action from the California Attorney General, CalPrivacy, and four district attorneys' offices, selling it to LexisNexis Risk Solutions and Verisk Analytics. Those data brokers package driving data and sell it to insurers.

GM's privacy policy was telling customers a different story. It said the company didn't sell information, and that the data powering OnStar, including any disclosures to insurers, would be used only with the driver's express permission.

Unfortunately, none of that proved accurate.

The part that should worry every business

There's a temptation to read this case as “large company behaves badly, gets caught.” That’s probably the wrong takeaway because the underlying issue isn’t unique to car companies.

The issue is the gap between what a company’s privacy policy says and what its systems, vendors, pixels, and workflows are actually doing.

That gap exists at far more businesses than most people realize. Privacy policies get written, new tools get added, vendors change, and operational practices evolve faster than disclosures do.

California regulators are now showing they’re willing to compare those two realities directly.

The GM case may signal a much more aggressive phase of CCPA enforcement.

The new enforcement theory nobody's talking about

Buried in the GM allegations is something genuinely new: a data minimization claim.

The CCPA says businesses can only collect, use, share, and retain personal information that's "reasonably necessary and proportionate" to the purpose for which it was collected. It also says you can't use that data for any secondary purpose incompatible with the original purpose. These provisions have been in the law for years, but California regulators hadn't really used them as the basis for an enforcement action until now.

GM's stated purpose for collecting geolocation and driving data was to power OnStar. The allegations are that GM kept the data far longer than needed for that purpose, and that selling it to data brokers was a secondary purpose.

This matters because data minimization is a much more aggressive theory than the opt-out failures we've seen in other CCPA enforcement actions. The Disney and PlayOn cases involved businesses that failed to honor opt-out requests. Those are relatively easy to evaluate; either the opt-out works or it doesn't.

Data minimization is different because it introduces judgment. Regulators are no longer evaluating whether an opt-out technically works. They’re evaluating whether businesses needed to collect certain data in the first place, whether they retained it longer than necessary, and whether current uses align with the original reason it was collected.

That gives regulators far more latitude to question routine data collection and retention practices.

What this case says about where enforcement is going

A few patterns are worth noting.

Regulators are reading privacy policies and comparing them to reality. The opt-out enforcement we've seen so far required regulators to test whether a button actually worked. This case required them to read the policy, look at what the company was actually doing, and notice the difference. That's a more involved investigation, and the fact that it's happening suggests California has the resources and the appetite to do it.

The data broker pipeline is now something to consider. GM didn't sell data directly to insurers. They sold it to brokers, who then sold it to insurers. The enforcement action treats that whole chain as GM's responsibility. If your business shares data with vendors who then share it further, the disclosures and consents need to reflect the full downstream flow of that data.

Data minimization gives regulators a tool for cases that don't involve a clear opt-out failure. Even if a business has a working opt-out and its banner is configured correctly, a regulator can still ask whether the underlying data collection was necessary in the first place, and that makes a big difference.

What to actually do

The fix isn't complicated, but it does require treating the privacy program as something other than a document you signed once.

Start with what's true. Map where personal data actually flows in your business — every system, every vendor, every downstream recipient. This is unglamorous work, and it's also the foundation of every other privacy obligation. You can't accurately disclose practices you haven't located.

Then update the disclosures to match. If your privacy policy was written before you added Klaviyo, Meta Ads, or your current CRM, it's almost certainly wrong now. Rewrite it to reflect current operational reality, not the business as it existed when the document was first drafted.

Then ask the harder question: should we even be collecting this data? Data you don't have can't be the subject of a data minimization claim. Data you've retained past its useful life is exactly the kind of thing regulators are starting to flag. If you're holding onto information because storage is cheap and someone might want it someday, that's not a defensible position under the current law.

Finally, build the system to keep all of this up to date. New laws continue to pass, marketing teams add new tools, and vendors regularly change their data practices. A privacy program that was accurate a year ago is probably no longer accurate today, and most businesses won’t realize it until something forces them to look.

The takeaway

The GM case is being covered as a story about a large fine. The more important story is what California regulators chose to enforce and how they approached it. They focused on the gap between policy and practice while introducing a data minimization theory that gives regulators broader authority to question collection and retention practices many businesses have never evaluated closely.

Most businesses still think privacy compliance means having a policy and a cookie banner.

California regulators are increasingly evaluating the operational reality behind those disclosures.

The businesses most prepared for where enforcement is headed will be the ones that understand where their data flows, why they’re collecting it, how long they retain it, and whether their disclosures still reflect how the business actually operates.

TrueVault helps businesses maintain privacy programs that stay aligned as systems, vendors, and regulations continue evolving.
