Our Take

From "Paper Compliance" to "Technical Verification": The $12.75M GM Settlement and Beyond

The era of "checking the box" on privacy is over.

California regulators have moved past simple policy audits and are now "pen-testing" the actual technical architecture of corporate data flows. With the recent announcement of a $12.75 million penalty against General Motors—the largest CCPA-related settlement to date—the California Attorney General (OAG) and the California Privacy Protection Agency (CPPA) have laid out a clear enforcement playbook for 2026.

Enforcement Background: Three Hard Lessons

To understand the current risk landscape, companies must look at the specific "failure points" highlighted in recent major actions:

1. General Motors ($12.75M) - The Transparency Gap: From 2020 to 2024, GM allegedly sold the driving behavior (GPS, braking, acceleration) of hundreds of thousands of OnStar subscribers to data brokers like LexisNexis and Verisk for insurance risk-scoring.

  • The Violation: While GM told users the data was for "emergency services" or "improving driver skills," it failed to disclose the $20M it was earning from selling that data.

  • The Precedent: Regulators are now strictly enforcing Data Minimization. If a business collects data for Service A, it cannot use it for "Monetization B" without explicit, clear disclosure and a functional opt-out.

2. The Walt Disney Co. ($2.75M) - The Identity Resolution Double Standard: In early 2026, Disney settled over claims that its streaming services (Disney+, Hulu, ESPN+) recognized users across devices for advertising, but failed to honor opt-outs across those same devices.

  • The Violation: If a user opted out on an iPad, the data sharing often continued on their Smart TV or laptop.

  • The Precedent: If you are "smart enough" to link a user’s identity across devices for profit, you must be "smart enough" to propagate their opt-out signal across those same devices. Account-level recognition implies account-level suppression.

3. DoorDash ($375K) - The "Non-Monetary" Sale: This landmark case targeted participation in "marketing co-operatives" where data is exchanged for "valuable consideration" rather than cash.

  • The Violation: DoorDash shared customer names and transaction histories with a co-op to gain the opportunity to market to other members' customers.

  • The Precedent: There is no such thing as "free" data sharing in a marketing context. If you receive a benefit (like "lookalike" audience access), it is a sale under the CCPA.

2026 Action Items: Fulsome Compliance

If you are managing privacy risk today, your to-do list should move beyond the legal department and into the DevOps and Marketing silos:

  • Inventory "Marketing Co-ops" & Pixels: Audit every agreement where customer data is shared with a vendor for "analytics," "optimization," or "credits." If the vendor is allowed to use that data to benefit other clients, you are likely "selling" or "sharing" under the CCPA and must provide a "Do Not Sell" link.

  • Implement "Downstream" Propagation: The GM settlement required the company to contact data brokers and request they delete previously sold data. Ensure vendor contracts (DPAs) include "cascading delete" triggers and that you have a technical process to send these signals when a user exercises their rights.

  • Audit for "Friction" and Dark Patterns: Recent actions against companies like Ford and Sling TV show that regulators are targeting "friction." If your opt-out process requires more than two clicks, asks for "extra" info from logged-in users, or uses confusing language, it is a liability.

  • Operationalize Global Privacy Control (GPC): California law requires businesses to honor browser-level opt-out signals automatically. Technical teams must verify that when a GPC signal is detected, all tracking pixels and third-party data "pings" are suppressed without user intervention.

  • Bridge the Data-Silo Gap: Establish a monthly "Data Flow Sync" between Marketing, IT, and Legal. The most common enforcement trigger is a marketing team deploying a new SDK or "identity graph" tool that the privacy team hasn't mapped for opt-out compliance.
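The GPC item above, together with the account-level suppression point drawn from the Disney matter, can be checked in code rather than on paper. What follows is an added illustration, not code from this post or from any company or regulator it names. It assumes a request object carrying HTTP headers and a device id, a browser-style `navigator` object, and an in-memory opt-out registry standing in for a real consent or CRM store; the tag catalogue and its "shares with third parties" classification are constructed for the example.

```javascript
// Added example: detect a Global Privacy Control (GPC) signal and apply an
// account-level opt-out across devices before deciding which third-party tags may load.
// Not code from the page or from any company or regulator it names.

// GPC reaches a server as the request header "Sec-GPC: 1" and a browser script as
// navigator.globalPrivacyControl === true. Only those exact values count as a signal.
function hasGpcSignal({ headers = {}, nav } = {}) {
  const match = Object.entries(headers).find(([name]) => name.toLowerCase() === 'sec-gpc');
  if (match && String(match[1]).trim() === '1') return true;
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Stand-in for a consent/CRM store (assumption: a real deployment persists this).
// An opt-out received from any device is stored against the account, so every
// device that later resolves to that account is suppressed too.
class OptOutRegistry {
  constructor() {
    this.byAccount = new Map();
  }
  recordOptOut(accountId, deviceId, source) {
    const entry = this.byAccount.get(accountId) || { devices: new Set(), sources: new Set() };
    entry.devices.add(deviceId);
    entry.sources.add(source);
    this.byAccount.set(accountId, entry);
  }
  isOptedOut(accountId) {
    return this.byAccount.has(accountId);
  }
}

// Constructed tag catalogue. "sharesWithThirdParties" marks tags whose data leaves the
// business (ad pixels, co-op audience syncs); first-party analytics is left unflagged.
const TAG_CATALOGUE = [
  { id: 'first-party-analytics', sharesWithThirdParties: false },
  { id: 'ad-pixel-vendor-a', sharesWithThirdParties: true },
  { id: 'coop-audience-sync', sharesWithThirdParties: true },
];

// Decide which tags a page may load for this request. A GPC signal from a logged-in
// user is recorded against the account; any account-level opt-out, however it was
// received, suppresses every third-party tag with no further user action.
function decideTags({ request, accountId, registry, catalogue = TAG_CATALOGUE }) {
  const gpc = hasGpcSignal(request);
  if (gpc && accountId) registry.recordOptOut(accountId, request.deviceId, 'gpc');
  const suppressed = gpc || (accountId != null && registry.isOptedOut(accountId));
  return {
    suppressed,
    load: catalogue.filter((t) => !(suppressed && t.sharesWithThirdParties)).map((t) => t.id),
  };
}

// Stand-alone walk-through: an opt-out arrives from one device and a second device
// of the same account inherits it; an anonymous visitor without a signal does not.
if (typeof require !== 'undefined' && require.main === module) {
  const registry = new OptOutRegistry();
  console.log(decideTags({ request: { headers: { 'Sec-GPC': '1' }, deviceId: 'tablet' }, accountId: 'acct-1', registry }));
  console.log(decideTags({ request: { headers: {}, deviceId: 'smart-tv' }, accountId: 'acct-1', registry }));
  console.log(decideTags({ request: { headers: {}, deviceId: 'guest' }, accountId: null, registry }));
}
```

Two design choices matter for the audit described above. First, the header check accepts only the literal value `1`; a missing or `0` header is not an opt-out, so a misconfigured proxy cannot silently suppress or enable tags. Second, the opt-out is keyed by account, not by device or cookie, which is what makes the second request (no GPC, different device, same account) come back suppressed.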

"California's nation-leading privacy law is clear: A consumer's opt-out right applies wherever and however a business sells data — businesses can't force people to go device-by-device or service-by-service. In California, asking a business to stop selling your data should not be complicated or cumbersome." — California Attorney General Rob Bonta