California Continues Focus on Auto Industry with Record CCPA Enforcement Action

Zachary Soto
May 13, 2026

California regulators continue to focus their enforcement of data privacy regulations on automotive companies, this time via the largest California Consumer Privacy Act (“CCPA”) settlement to date.  General Motors (“GM”) has agreed to pay $12.75 million to resolve allegations that it unlawfully collected, retained, and sold Californians’ driving and location data without adequate consent.

The enforcement action, brought by California Attorney General Rob Bonta and multiple California district attorneys and supported by the California Privacy Protection Agency (“CPPA”), marks a major escalation in privacy enforcement efforts and provides a roadmap for how regulators are likely to evaluate data practices going forward.

GM’s Collection, Retention and Sale Practices

According to California authorities, GM collected highly sensitive data through its OnStar “Smart Driver” connected vehicle services, including geolocation data, driving behavior information, vehicle usage patterns, and other personally identifiable information.  Regulators further alleged that GM sold this information to data brokers, including LexisNexis Risk Solutions and Verisk Analytics, without obtaining sufficient consumer consent and despite statements suggesting the company would not sell such data.   Further, authorities alleged that this data was sold with the intent that it be used for the purpose of setting insurance rates, which is prohibited by California law.  GM was also alleged to retain the driver history data long after it was useful for the stated purpose of enabling OnStar emergency vehicle services.

Attorney General Rob Bonta emphasized the sensitivity of the information involved, stating:

“General Motors sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so. This trove of information included precise and personal location data that could identify the everyday habits and movements of Californians.”

Reports indicated that the settlement requires GM to:

  • Pay $12.75 million in civil penalties;
  • Stop selling driver data to consumer reporting agencies for five years (including to data brokers);
  • Delete driving data retained by the company within 180 days, except for certain limited internal uses, absent affirmative, express consent from consumers; and
  • Develop and maintain a robust privacy program that is required to assess, mitigate, and document the risks of collecting data through OnStar, and report its privacy assessments to the U.S. Department of Justice (“DOJ”), and various California state regulators and authorities.

Broader Settlement Impact

Data Minimization as an Enforcement Priority

California officials specifically characterized the matter as the first CCPA enforcement action by the DOJ centered on “data minimization.”  The CCPA and California Privacy Rights Act (“CPRA”) require businesses to limit personal information collection, use, retention, and sharing to what is “reasonably necessary and proportionate” for disclosed purposes. Regulators alleged GM violated this principle by retaining data longer than necessary and repurposing it for additional commercial uses.   Beyond standard notice-and-opt-out practices regarding the collection of data, businesses across a variety of industries must now carefully consider their retention purposes and whether or not certain data should be retained at all.

Location Data Under Intense Scrutiny

The case continues a broader regulatory trend focusing on geolocation data. California regulators emphasized that precise location information can reveal highly personal details about consumers’ lives, including where they live, work, worship, and seek medical treatment.  Businesses that collect mobile, vehicle, wearable, or app-based location data should expect heightened regulatory attention.  Businesses seeking to use this data to interact with their consumers should be particularly cautious, as evidenced by the California laws regarding insurance scoring discussed above, or as shown in a settlement of an action brought by the San Diego County District Attorney’s Office against Target Corp., in which Target used geolocation information from consumer mobile devices to change pricing on its mobile app for specific items: https://www.legalreader.com/target-settle-phone-overcharging-lawsuit/.

Looking Ahead

Although California has indicated through its communications and enforcement actions that it remains heavily focused on connected devices within the automotive industry, businesses across a wide variety of industries should take notice of the facts of this most recent enforcement action against GM.  On a fundamental level, businesses must audit their privacy notices and disclosures to consumers and business partners, as both the Federal Trade Commission and state regulators have focused heavily on alleged inconsistencies between businesses’ public privacy statements and their actual data practices. Additionally, data retention policies should be reviewed and reconsidered based on the business purpose for which such data is required, with clear retention policies and data deletion procedures put into place.

More specific to this particular enforcement action is the focus on geolocation data, which is quickly becoming a focus of data privacy regulators given that such data is collected by devices and applications related to a wide variety of industries, including the automotive industry, health technology, biometric security, and general e-commerce (as indicated by the Target settlement referenced above).  Ensuring that operational, business, and legal advisors are up to date on changing data privacy regulations and working in partnership with one another is critical to remain compliant as business practices around consumer data evolve.

Zachary Soto, Partner, PAG Law

Disclaimer: This publication is provided by PAG Law PLLC for general informational purposes only and does not constitute legal advice or create an attorney-client relationship between PAG Law and the reader. The content reflects the views of the author as of the date of publication and may not reflect subsequent developments in law, regulation, or policy. Readers should not act or refrain from acting on the basis of any information contained herein without seeking professional legal counsel tailored to their specific circumstances and jurisdiction. PAG Law expressly disclaims all liability with respect to actions taken or not taken based on any or all of the contents of this publication. This material may be considered attorney advertising in some jurisdictions.
