California regulators just told every company with a connected product that a privacy policy is not a governance record.
That distinction matters more than the $12.75 million.
The settlement is not just about cars, telematics, or OnStar. It is about what happens when a company collects product data for one set of purposes, later finds a monetization path, and cannot produce a category-level governance record showing why that use was authorized.
The lesson is simple:
Disclosure is not the same thing as governance.
The Brief
What changed: California announced a proposed $12.75 million settlement with General Motors and OnStar over the sale of connected-vehicle location and driving-behavior data.
Why it matters: The enforcement targets the gap between what companies disclose and what their data systems actually do.
What decisions this affects: product telemetry, data monetization, broker relationships, privacy notices, opt-out flows, retention schedules, and board-level privacy oversight.
What Happened
On May 8, 2026, California announced a proposed $12.75 million settlement with General Motors LLC and OnStar LLC over the sale of Californians' location and driving-behavior data.
The California Attorney General described the settlement as the largest CCPA penalty in California history to date and the first CCPA data-minimization case.
The proposed settlement was announced jointly by the California Attorney General, four County District Attorneys (San Francisco, Los Angeles, Napa, and Sonoma), and the California Privacy Protection Agency (CalPrivacy).
The alleged conduct centered on OnStar data sold between 2020 and 2024 to Verisk Analytics and LexisNexis Risk Solutions. GM did not admit wrongdoing, and the settlement remains subject to court approval.
The forward obligations matter as much as the penalty. If approved, the settlement would require GM to stop selling driving data to consumer reporting agencies, including data brokers such as LexisNexis and Verisk, for five years. It would also require GM to delete retained driving data within 180 days absent affirmative consent, and to file annual compliance reports that are reviewed by the Chief Privacy Officer, approved by the General Counsel and CEO, and submitted to the Attorney General, the four County District Attorneys, and CalPrivacy.
That is not just a fine.
It is a forward-looking governance order.
The Reframe: Disclosure Did Not Fail. Governance Did.
GM had a privacy policy, a Chief Privacy Officer, and a formal compliance program.
That was not enough.
The issue was the governance record.
When regulators examined data collected through a connected-vehicle program and sold to data brokers whose products are used in insurance-related workflows, the question became more than whether the company had disclosed data collection. The question was whether the company could justify the downstream use, sale, retention, and transfer of each data category.
That is the shift.
A company can disclose that it collects data and still face enforcement if it cannot defend what it does with that data after collection.
For connected products, this is the new operational risk. The privacy notice tells consumers what the company says. The governance record proves what the company actually approved, why it was allowed, where the data went, and who had authority to stop it.
The Pattern Regulators Are Building
Two signals make this settlement broader than GM.
The first is data minimization.
California framed this as the first CCPA enforcement action focused specifically on data minimization. That matters because the case is not only about disclosure or opt-out mechanics. It is about whether the company retained and used data beyond what was reasonably necessary for the disclosed purpose.
The alleged retention period matters. OnStar began collecting data years before the monetization path developed. The regulatory question became whether the company had a documented purpose basis for retaining and later selling that data.
That turns retention into an enforcement issue.
The second signal is the multi-regulator structure.
This settlement was not announced by one agency acting alone. It involved the California Attorney General, four County District Attorneys, and CalPrivacy. That enforcement model is replicable. Other states watching California's recent privacy actions can adapt the same structure under their own statutes.
Read this together with the Ford opt-out settlement from March 2026. Ford was fined for adding an email-verification step to a "do not sell or share" opt-out flow. The policy language passed review. The product flow did not.
Ford and GM point in the same direction:
Regulators are moving from policy review to system review.
They are testing flows, data paths, retention logic, vendor relationships, and the company's ability to produce evidence.
What Decisions This Affects
For connected-product companies, this settlement changes four decisions.
1. Whether product telemetry can be collected by default.
Collection is no longer just a product-design question. If the company cannot explain why a category of data is reasonably necessary for the disclosed purpose, collecting and retaining it by default may itself become the enforcement problem.
2. Whether collected data can be repurposed for monetization.
A later business use does not automatically inherit the original collection rationale. If a product team collects data for safety, diagnostics, personalization, or service delivery, the company should not assume that the same record supports sale, sharing, or broker transfer.
3. Whether broker or partner contracts map to a documented consent basis.
A broker contract should do more than name the data transferred. It should identify the categories, permitted uses, restrictions, opt-out consequences, and consent or authorization basis supporting the transfer.
4. Whether the company can produce a governance record by data category.
A privacy program is not enough if it cannot answer category-level questions. Who approved the sale? For what purpose? Based on what notice, consent, or statutory basis? What retention rule applied? What opt-out mechanism controlled the transfer?
Those are product, legal, revenue, vendor-management, and board decisions.
Treating them as privacy-policy edits is the mistake.
The 4-Item Governance Audit
1. If product data may be monetized, build the category-level data inventory before any broker or partner agreement is signed.
GM's exposure was category-specific. A generic privacy program did not answer the regulator's question.
The inventory should show:
- source
- category
- collection purpose
- retention period
- downstream use
- sharing or sale recipient
- consent or authorization basis
- opt-out consequence
The record should exist before monetization begins, not after a regulator asks for it.
2. If a data category is sold, shared, or repurposed, document the authorization trail before the use launches.
A privacy policy is not an authorization record.
The authorization trail should connect the business case, legal basis, consent mechanism, user-facing disclosure, internal approval, and downstream contract. If the company cannot produce that trail by data category, it has a governance gap.
That is the gap the proposed five-year ban is aimed at. The forward obligation is not only "stop doing this." It is "build a record that proves what you are allowed to do."
3. If data goes to a broker, vendor, affiliate, or partner, map the contract to the consent and use basis.
Broker and partner agreements should not sit outside the privacy program.
Each contract should identify:
- exact data categories transferred
- permitted uses
- prohibited uses
- retention limits
- onward-transfer restrictions
- opt-out handling
- audit or reporting rights
If a regulator asks what was sold and the answer is not clear from the contract and the governance record, that absence becomes the issue.
4. If the consumer has a right to opt out, test the product flow end to end.
This is where the Ford settlement matters.
CalPrivacy fined Ford $375,703 in March 2026 for adding an email-verification step to the opt-out flow. A user could click the "do not sell or share" link, submit the form, and still have the opt-out ignored if the user did not click a follow-up confirmation button.
The lesson carries into every connected-product data program.
Opt-out is a product-design requirement. A privacy-policy checkbox does not honor it.
Test the flow from the consumer's perspective:
- How many clicks from any page to completed opt-out?
- Does the opt-out apply on submit?
- Does any confirmation email delay the right from taking effect?
- What tracking still fires after submission?
- What downstream sharing stops automatically?
- What happens if the user never returns after a follow-up step?
The standard is not "the policy says the user can opt out."
The standard is whether the system honors the opt-out when the user exercises it.
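The checklist above is a behavioural test, so it belongs in the product's test suite rather than in a policy document. The following is an added example, not code from the article, Ford, GM or CalPrivacy: it models two hypothetical opt-out implementations, one that parks the request until a follow-up confirmation (the pattern the Ford settlement turned on) and one that takes effect on submit, and runs the same consumer-perspective checks against both, including the case where the user never returns after the follow-up step. Class names, method names and the "ad-pixel" and "broker-A" identifiers are this example's own assumptions, not a description of any real product.

```python
"""End-to-end opt-out flow check.

Added example, not code from the article or any company named in it. It
models two hypothetical opt-out flows and runs the checklist above against
each; names and identifiers are this example's own assumptions.
"""


class OptOutService:
    """Records opt-out requests and gates downstream sharing and tracking on them."""

    def __init__(self):
        self.opted_out = set()      # consumer ids whose opt-out is in effect
        self.pending = set()        # ids parked on a follow-up step
        self.shared = []            # (consumer, recipient, category) actually sent
        self.tracking_fired = []    # (consumer, tag) tracking events actually fired

    def submit_opt_out(self, cid):
        raise NotImplementedError

    def confirm(self, cid):
        """Follow-up step, e.g. the link in a verification email."""
        if cid in self.pending:
            self.pending.discard(cid)
            self.opted_out.add(cid)

    def is_opted_out(self, cid):
        return cid in self.opted_out

    def share_with_recipient(self, cid, recipient, category):
        """Downstream sale or share. Returns True only if data was sent."""
        if self.is_opted_out(cid):
            return False
        self.shared.append((cid, recipient, category))
        return True

    def fire_tracking(self, cid, tag):
        """Third-party tracking tag. Returns True only if it fired."""
        if self.is_opted_out(cid):
            return False
        self.tracking_fired.append((cid, tag))
        return True


class DeferredOptOut(OptOutService):
    """Defective flow: the request sits pending until the user confirms."""

    def submit_opt_out(self, cid):
        self.pending.add(cid)


class ImmediateOptOut(OptOutService):
    """Corrected flow: the opt-out takes effect on submit."""

    def submit_opt_out(self, cid):
        self.pending.discard(cid)
        self.opted_out.add(cid)


def run_checklist(service, cid="consumer-1"):
    """Exercise the flow as the consumer would; the user never returns afterwards."""
    service.submit_opt_out(cid)
    return {
        "effective_on_submit": service.is_opted_out(cid),
        "tracking_suppressed": not service.fire_tracking(cid, "ad-pixel"),
        "sharing_suppressed": not service.share_with_recipient(cid, "broker-A", "driving_behavior"),
        "nothing_left_the_system": service.shared == [] and service.tracking_fired == [],
    }


def flow_honors_opt_out(service):
    """True only if every check passes without any follow-up step."""
    return all(run_checklist(service).values())


if __name__ == "__main__":
    for cls in (DeferredOptOut, ImmediateOptOut):
        print(cls.__name__, run_checklist(cls()))
```

The deferred flow passes every check once `confirm()` is called, which is exactly why a policy review misses it: the defect only appears when the test models the user who submits the form and walks away.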
What Boards Should Ask
Boards do not need to review every data flow.
They do need to know whether management can produce a governance record for the company's highest-risk data uses.
For connected-product companies, the board or audit committee should ask for three things.
1. A category-level data inventory
This should identify what product data is collected, why it is collected, how long it is retained, and whether it is sold, shared, or repurposed.
2. A downstream data-transfer map
This should show every broker, vendor, affiliate, and partner that receives product data, with the relevant contract, permitted use, and opt-out consequence.
3. A monetization approval record
This should show who approved any revenue-generating use of product data, what legal basis supported the use, what notice or consent mechanism applied, and what controls prevent unauthorized reuse.
The board-level question is not whether the company has a privacy policy.
The board-level question is whether the company can prove its product data is governed before it is monetized.
Closing Perspective
The GM settlement is easy to misread as a connected-car case.
It is bigger than that.
Any company with connected devices, product telemetry, usage analytics, location data, health signals, performance data, or sensor outputs should read the case as a governance warning.
The settlement deadline passes. The governance-record problem does not.
The companies that get this right will not treat connected-product data as a privacy-policy issue. They will treat it as product architecture, vendor governance, and board-level risk.
This article is general educational analysis. It does not provide individualized legal advice, client-specific recommendations, outcome guarantees, or jurisdiction-specific directives without factual context.
This article is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before making compliance decisions based on the developments discussed here.