Navigating CCPA Compliance: Lessons from the GM $12.75M Settlement

Overview

The California Consumer Privacy Act (CCPA) is a landmark privacy law that gives consumers more control over their personal data. In a high-profile enforcement action, General Motors (GM) agreed to a proposed $12.75 million settlement with California Attorney General Rob Bonta after allegations that the company sold drivers' data without proper consent. Specifically, GM collected geolocation, driving behavior, and other information through its OnStar connected services and shared it with insurance companies to set rates—all without adequately informing consumers or providing a clear opt-out mechanism. This guide uses the GM case as a cautionary tale to walk businesses through five key steps for CCPA compliance, from understanding what constitutes a data sale to implementing robust consent and opt-out processes.

Source: www.bleepingcomputer.com

Prerequisites

Before diving into the step-by-step instructions, ensure your organization has the following in place:

Step-by-Step Instructions for CCPA Compliance

Step 1: Understand What Constitutes a Sale of Data

The biggest mistake many companies make is narrowly defining “sale” as a direct exchange of money for data. Under the CCPA, a sale is any disclosure or transfer of personal information to a third party for monetary or other valuable consideration, which covers sharing data with third parties for analytics, advertising, or risk assessment, as GM did with insurers. In the GM case, the company collected driver data (geolocation, speed, braking patterns) via OnStar and sold access to that data to insurance companies, which then used it to adjust premiums. The California Attorney General alleged this violated the CCPA because GM failed to disclose the sale and did not offer a clear “Do Not Sell” option.

Step 2: Implement Opt-Out Mechanisms

If your business sells or shares personal information, you must provide a conspicuous “Do Not Sell or Share My Personal Information” link on your website’s homepage and in any mobile app (the CPRA amendments added “or Share” to the required wording), and you must also treat an opt-out preference signal such as Global Privacy Control (GPC) as a valid opt-out. Opt-out requests must be honored promptly. Here is a simple HTML/JS example of an opt-out button that stores the user’s preference in a cookie and reports it to the server:

<!-- Add this button to your website footer or privacy page -->
<button id="opt-out-btn">Do Not Sell or Share My Personal Information</button>

<script>
// Reflect an existing choice (cookie or Global Privacy Control signal) in the UI
var btn = document.getElementById('opt-out-btn');
var alreadyOptedOut = document.cookie.split('; ').indexOf('ccpa_opt_out=true') !== -1 ||
                      navigator.globalPrivacyControl === true;
if (alreadyOptedOut) btn.textContent = 'You have opted out';

btn.addEventListener('click', async function () {
  // Record the choice client-side; Secure and SameSite keep the cookie off plain HTTP and off cross-site requests
  document.cookie = 'ccpa_opt_out=true; path=/; max-age=' + 365 * 24 * 60 * 60 + '; Secure; SameSite=Lax';
  // The server is the system of record: the cookie by itself stops nothing downstream
  try {
    var res = await fetch('/api/opt-out', { method: 'POST', credentials: 'same-origin' });
    if (!res.ok) throw new Error('HTTP ' + res.status);
    btn.textContent = 'You have opted out';
  } catch (err) {
    alert('We could not record your request; please try again or contact privacy support.');
  }
});
</script>

The cookie is only a convenience for that one browser; the server-side record is what counts. Integrate the endpoint with your backend so that the preference is stored against the account or vehicle, data sharing for that consumer stops across every channel (including telematics data that never passes through a browser), and any third party that received the data after the request is notified. The CCPA regulations require an opt-out to be honored no later than 15 business days after it is received.

Step 3: Update Your Privacy Policy

Your privacy policy must clearly list the categories of personal information you have sold in the preceding 12 months. For GM, this would have included the precise geolocation and driving-behavior data (speed, braking patterns) collected through OnStar.

Also include the categories of third parties (e.g., insurance companies) to whom you sold the data. Update this policy at least once every 12 months.

Step 4: Obtain Explicit Consent for Sensitive Data

GM’s case highlights the special treatment of sensitive data under the CCPA as amended by the CPRA (in force since January 1, 2023). Precise geolocation and driving behavior are considered sensitive. Before collecting or selling such data, obtain explicit opt-in consent, not just a notice. For example, present a clear, unbundled consent checkbox when a user signs up for connected services, stating: “I agree to allow [Company] to share my precise location and driving data with third-party insurance providers.” Keep records of who gave consent, for what purpose, and when, and make sure a later opt-out overrides that consent.
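Steps 2 and 4 both come down to one question the data pipeline must answer before any record leaves: has this consumer opted out, and for sensitive data, did they opt in for this purpose? The following is an added example written for this guide, not code from the original article or from any vehicle maker. It implements the server side of the opt-out button (the /api/opt-out path is the one the button above posts to), honors the GPC header, records purpose-specific opt-ins, computes the 15-business-day deadline, and gates an export to an insurer. The ledger layout, the purpose name, the site origin and the sample records are assumptions made for the example.

```javascript
// Added example written for this guide (not code from the original article or
// from any vehicle maker): a server-side opt-out/consent ledger and the gate a
// data-sharing pipeline passes before releasing driver records to a third party.
// The '/api/opt-out' path is the one the guide's button posts to; the ledger
// layout, 'insurer-rating' purpose, site origin and sample records are assumptions.

const ALLOWED_ORIGIN = 'https://www.example.com'; // assumed: the origin serving the opt-out button
const OPT_OUT_SLA_BUSINESS_DAYS = 15;              // CCPA regulations: honor an opt-out within 15 business days

class ConsentLedger {
  constructor() {
    this.entries = new Map(); // consumerId -> { optOut: {at, source} | null, optIn: Map<purpose, Date> }
  }
  entry(id) {
    if (!this.entries.has(id)) this.entries.set(id, { optOut: null, optIn: new Map() });
    return this.entries.get(id);
  }
  recordOptOut(id, source, at = new Date()) {
    const e = this.entry(id);
    if (!e.optOut) e.optOut = { at, source }; // keep the first timestamp: it starts the SLA clock
  }
  recordOptIn(id, purpose, at = new Date()) {
    this.entry(id).optIn.set(purpose, at); // the unbundled consent checkbox from Step 4
  }
  // Non-sensitive data may be sold unless the consumer opted out (CCPA opt-out model); sensitive
  // data needs an explicit, purpose-specific opt-in and is never sold once the consumer opted out.
  maySell(id, purpose, sensitive) {
    const e = this.entries.get(id);
    if (e && e.optOut) return false;
    if (!sensitive) return true;
    return Boolean(e && e.optIn.has(purpose));
  }
}

// An authenticated account id, or a device cookie so visitors without an account can still opt out.
function identify(req) {
  return req.consumerId || (req.cookies && req.cookies.device_id) || null;
}

// Global Privacy Control: a browser sending "Sec-GPC: 1" has opted out even if the
// user never clicks the button, so the header counts as an opt-out on any request.
function gpcMiddleware(ledger, req) {
  const id = identify(req);
  if (id && req.headers['sec-gpc'] === '1') ledger.recordOptOut(id, 'gpc');
}

// Server side of the guide's button; `req` is a plain object standing in for an
// HTTP request: { headers, consumerId, cookies }.
function handleOptOutPost(ledger, req) {
  const id = identify(req);
  if (!id) return { status: 400, body: 'no consumer or device identifier' };
  // State-changing request: require a same-site Origin so a page on another site
  // cannot submit, or later undo, preferences on the user's behalf.
  if (req.headers['origin'] !== ALLOWED_ORIGIN) return { status: 403, body: 'cross-origin request rejected' };
  ledger.recordOptOut(id, 'button');
  const { at } = ledger.entries.get(id).optOut;
  return { status: 200, body: { optedOut: true, receivedAt: at, deadline: optOutDeadline(at) } };
}

// Date by which the opt-out must be fully honored: N business days (Mon-Fri, UTC)
// after receipt. Public holidays are ignored here for simplicity.
function optOutDeadline(receivedAt, businessDays = OPT_OUT_SLA_BUSINESS_DAYS) {
  const d = new Date(receivedAt.getTime());
  for (let remaining = businessDays; remaining > 0; ) {
    d.setUTCDate(d.getUTCDate() + 1);
    const dow = d.getUTCDay();
    if (dow !== 0 && dow !== 6) remaining -= 1;
  }
  return d;
}

// The gate every export to a third party passes through; withheld records go to the audit log.
function gateForSale(ledger, records, purpose) {
  const released = [], withheld = [];
  for (const r of records) {
    const sensitive = ['lat', 'lon', 'speed', 'braking'].some((k) => r[k] !== undefined); // location or driving behaviour
    (ledger.maySell(r.consumerId, purpose, sensitive) ? released : withheld).push(r);
  }
  return { released, withheld };
}

// Constructed sample data for the demo (fictional consumers and VINs).
const SAMPLE_RECORDS = [
  { consumerId: 'c1', vin: 'VIN-0001', lat: 37.77, lon: -122.42, speed: 71 }, // opted in to insurer rating
  { consumerId: 'c2', vin: 'VIN-0002', lat: 34.05, lon: -118.24, speed: 44 }, // never opted in
  { consumerId: 'c3', vin: 'VIN-0003', model: 'Sedan', purchaseYear: 2021 },  // non-sensitive, not opted out
  { consumerId: 'c4', vin: 'VIN-0004', model: 'SUV', purchaseYear: 2022 },    // browser sends Sec-GPC: 1
];

function runDemo() {
  const ledger = new ConsentLedger();
  ledger.recordOptIn('c1', 'insurer-rating');
  gpcMiddleware(ledger, { headers: { 'sec-gpc': '1' }, consumerId: 'c4' });
  // A forged cross-site POST for c1 must change nothing.
  const forged = handleOptOutPost(ledger, { headers: { origin: 'https://attacker.example' }, consumerId: 'c1' });
  const gate = gateForSale(ledger, SAMPLE_RECORDS, 'insurer-rating');
  const ids = (rs) => rs.map((r) => r.consumerId);
  return { forgedStatus: forged.status, released: ids(gate.released), withheld: ids(gate.withheld) };
}
```

In the demo only c1 (opted in) and c3 (non-sensitive, no opt-out) are released; c2 is withheld because sensitive data has no purpose-specific opt-in, and c4 is withheld because the browser's GPC header was treated as an opt-out. The Origin check matters because an opt-out endpoint that accepts any POST can be driven by another site, and the same weakness would let an attacker "un-opt-out" a victim if you later add a reverse endpoint; opting back in after an opt-out is a separate, deliberate flow that is not shown here.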


Step 5: Conduct Regular Audits and Training

CCPA compliance is not a one-time effort. Schedule quarterly audits that re-check the steps above: which data flows to which recipients, whether the privacy policy still describes them, and whether opt-out requests and consent records are being honored end to end.

Document all audits and training sessions to demonstrate your good faith efforts if investigated.

Common Mistakes

Mistake 1: Assuming Data Sharing with Affiliates Is Not a Sale

Many companies mistakenly think sharing data with subsidiaries or affiliates does not count as a sale. The CCPA defines sale broadly, so if your affiliate receives valuable consideration (e.g., access to your customer database for cross-selling), it is a sale. GM’s data went to insurers that were not direct affiliates of its OnStar division, but even internal transfers for a different business purpose can trigger sale requirements. Treat all third-party sharing as a potential sale unless you are sure it falls under an exception (e.g., a service-provider arrangement under a written contract that restricts the recipient to processing on your behalf).

Mistake 2: Failing to Update Privacy Policies After Data Practices Change

GM had a privacy policy, but it did not adequately describe the sale of driver data to insurers. The company changed its data-sharing practices without updating its disclosures. If you add a new data use or new data recipient, update your privacy policy immediately. California requires that your notices reflect the current 12-month look-back period.

Mistake 3: Not Having a Process for Consumer Requests

The CCPA gives consumers the right to know what data is being collected and sold, to opt out of sales, and to request deletion. GM allegedly failed to have a smooth process for consumers to exercise these rights. Make sure you have a dedicated email address, toll-free number, or web form to handle requests, confirm receipt within 10 business days, and respond to requests to know or delete within 45 days (extendable by another 45 days with notice); opt-out requests must be honored within 15 business days. Document each request and your response.

Mistake 4: Ignoring Geolocation Data as Personal Information

Location data is explicitly considered personal information under CCPA. Companies sometimes treat aggregated geolocation data as anonymized, but if it can be linked back to a device (especially a vehicle VIN), it is not anonymous. If you collect precise location, you must treat it as sensitive data and obtain opt-in consent.

Summary

The GM $12.75 million CCPA settlement serves as a powerful reminder: selling driver data—or any personal information—without clear disclosure and robust opt-out mechanisms can cost millions. This guide covered five essential steps: understanding what constitutes a sale, installing a “Do Not Sell” button, updating your privacy policy, obtaining explicit consent for sensitive data, and conducting regular audits and training. Avoid common pitfalls like assuming affiliate sharing is exempt or ignoring geolocation data. By following these steps, businesses can reduce their risk of enforcement actions and build trust with consumers. Compliance is not optional—it's a legal and ethical imperative.
