California Issues Record $12.75M CCPA Fine to GM for Unlawful Data Sales
California authorities have levied a record $12.75 million fine against General Motors under the California Consumer Privacy Act (CCPA) for unlawfully collecting and selling drivers' geolocation and behavioral data. The settlement, which includes corrective actions, highlights a growing focus by regulators on data minimization and purpose limitation, particularly within the connected vehicle industry. This action signals an escalation in privacy enforcement and a warning to companies regarding their data handling practices.
Record CCPA Fine Signals Heightened Enforcement
California's Attorney General, Rob Bonta, alongside the California Privacy Protection Agency (CalPrivacy) and local district attorneys, announced a landmark $12.75 million settlement with General Motors. This represents the largest CCPA fine to date and stems from allegations that GM unlawfully collected and sold Californians' driving and location data through its OnStar Smart Driver services. The investigation revealed that GM allegedly sold personally identifiable information, including geolocation and driving behavior, to data brokers like Verisk Analytics and LexisNexis Risk Solutions without obtaining proper consumer consent. This action underscores a significant push by California regulators to enforce consumer privacy rights and hold large corporations accountable for their data practices.
Corrective Measures and Industry Implications
Beyond the substantial monetary penalty, the settlement mandates several corrective measures for GM. These include a five-year prohibition on selling consumer driving data to credit reporting agencies, the deletion of specific driving data collected within the last 180 days, and requests for data brokers to delete consumer data previously sold by GM. GM stated it had already discontinued its Smart Driver program in 2024 due to customer feedback and ended collaborations with the implicated data brokers, indicating a proactive, albeit reactive, step towards compliance. This case serves as a critical precedent, signaling to other companies, especially those in the connected vehicle sector, that robust privacy practices, transparency, and adherence to consent obligations are paramount.
Auditor's Perspective: Key Takeaways for Assurance Professionals
For internal audit and assurance professionals, this settlement offers several crucial insights:
- Data Minimization and Purpose Limitation: The enforcement action explicitly emphasizes the importance of data minimization and purpose limitation. Companies must ensure they collect only necessary data and use it strictly for the stated purpose, with clear, explicit consent for any secondary uses. Auditors should scrutinize data collection policies and practices to confirm alignment with these principles.
- Transparency and Consent Management: GM's alleged failure to obtain proper consent and its misleading privacy notices highlight the need for clear, easily understandable privacy disclosures and robust consent management frameworks. Assurance professionals should assess the effectiveness of consent mechanisms and the clarity of privacy policies, particularly for complex data ecosystems like connected devices.
- Third-Party Data Sharing: The case underscores the risks associated with sharing consumer data with third parties, especially data brokers. Auditors should evaluate vendor management programs to ensure that data-sharing agreements with third parties include stringent privacy clauses and that third parties adhere to the same privacy standards as the primary organization.
- Escalating Enforcement Landscape: This record fine, coupled with ongoing litigation in other states and previous actions against other automakers, indicates a growing and aggressive enforcement environment for privacy regulations. Internal audit functions should proactively assess their organization's compliance with evolving privacy laws like CCPA and CPRA, recognizing that fines are becoming a significant cost of doing business for non-compliance.
The coordinated effort by California authorities demonstrates a commitment to leveraging all available resources for meaningful enforcement. Companies must prioritize efficient and compliant safeguards, focusing on transparency and limiting incompatible data uses to avoid similar penalties.
Read more