The California Consumer Privacy Act (CCPA) just produced its largest penalty in history: $12.75 million against General Motors for selling driver location and behavior data to brokers LexisNexis and Verisk without proper consent. If you're a SaaS founder passing user data to analytics vendors, ad platforms, or integration partners, this settlement is your wake-up call.
What did General Motors do wrong?
From 2020 through 2024, GM sold data from hundreds of thousands of California OnStar subscribers to two data brokers, earning approximately $20 million nationwide. The data included names, precise GPS coordinates, hard braking events, speed thresholds, and where people parked their cars—behavioral telemetry that could "paint a picture of their everyday habits and movements," according to California Attorney General Rob Bonta.
The problem wasn't just what GM collected. It was the mismatch between promise and practice. GM told OnStar users their data would only power emergency services, navigation, and driver improvement features. The privacy notices never disclosed that the same telemetry was being packaged and sold to insurance-adjacent data brokers. California regulators called this the state's "first data minimization case"—GM retained driving data far longer than needed for OnStar services, then repurposed it for commercial sale.
Why SaaS companies should be alarmed
Diagram of SaaS third-party data sharing under CCPA
You're not selling cars, but you're probably doing something structurally similar: collecting user data for one stated purpose, then passing it to third parties under service-provider agreements that may not meet CCPA's strict contractual requirements.
Consider the mechanics. Your product collects email addresses, IP addresses, session data, and behavioral events. You send that data to:
- Analytics vendors (Mixpanel, Amplitude, Heap) for product insights
- Marketing platforms (HubSpot, Iterable, Braze) for lifecycle campaigns
- Ad networks (Google, Meta, LinkedIn) for retargeting
- Support tools (Intercom, Zendesk) for ticket routing
Under CCPA, each of those flows must fit one of two categories. Either the disclosure goes to a "service provider" (or "contractor") bound by a written contract that limits the vendor to the specified business purpose and forbids reusing your users' data, or it is a "sale" (disclosure for monetary or other valuable consideration) or a "share" (disclosure for cross-context behavioral advertising, with or without payment), either of which triggers notice and opt-out obligations. The GM settlement makes clear that vague privacy policies and boilerplate vendor contracts won't survive enforcement scrutiny.
CCPA penalties range from $2,500 per unintentional violation to $7,500 per intentional violation or violation involving a minor. Violations are typically counted per consumer—so if your vendor contract doesn't comply and you've shared data for 50,000 California users, the arithmetic gets painful fast.
How does this compare to previous CCPA enforcement?
The $12.75 million GM penalty dwarfs prior CCPA settlements: it's nearly five times the previous record. California Privacy Protection Agency Deputy Director Michael Macko signaled the shift at the IAPP Global Summit 2026, warning that fines "could become a cost of doing business if they're not higher."
Previous automaker cases set the pattern:
- Honda: $632,500 in March 2025 for excessive data collection
- Ford: $375,703 in March 2026 for adding friction to opt-out processes
GM's penalty jumped an order of magnitude because regulators stacked purpose limitation, data minimization, lack of notice, and deceptive privacy statements into a single enforcement action. The same playbook applies to SaaS: if you collect data for "improving your experience," then funnel it to a retargeting pixel or benchmarking database without explicit disclosure, you're replicating GM's mistake.
What specific CCPA violations should SaaS teams check for?
Missing or broken opt-out mechanisms
If you sell or share personal information (including for cross-context behavioral advertising), you must provide a "Do Not Sell or Share My Personal Information" link and honor Global Privacy Control (GPC) browser signals automatically. The GPC signal reaches your servers as the request header Sec-GPC with the value 1 (page scripts see the same flag as navigator.globalPrivacyControl), and it must be treated as a valid opt-out request without the user doing anything else. Enforcement actions have targeted links that lead nowhere, forms that don't work, and GPC signals that are ignored.
Non-compliant service provider contracts
Your vendor agreements must include purpose limitation clauses, prohibitions on sale or sharing, confidentiality terms, subcontractor flowdown requirements, and cooperation with consumer rights requests. Boilerplate MSAs don't cut it. If your contract lets the vendor use customer data for "product improvement" or "benchmarking," you may have just converted a service provider relationship into a data sale.
Deceptive practices involving minors
CCPA requires affirmative opt-in consent before selling or sharing the personal information of consumers the business knows to be under 16: the consumer's own consent at ages 13 to 15, and a parent or guardian's consent under 13. If your product has young users and you're passing their data to ad networks or analytics platforms, the penalty multiplier goes from $2,500 to $7,500 per violation.
Purpose limitation and data minimization failures
This is the GM playbook. CCPA now requires that collection, use, and retention be "reasonably necessary and proportionate" to disclosed purposes. If you told users you collect email for "account notifications" but you're also feeding it to a lookalike audience builder, that's a purpose mismatch. If you're retaining behavioral logs indefinitely when 90 days would suffice for your stated analytics use case, that's a minimization failure.
What should you do this week?
Run a privacy compliance scan of your site and app to identify third-party scripts and data flows you may have forgotten. Check that your privacy policy accurately reflects every place user data actually goes, not just the integrations you remember configuring. Two years of framework templates, copied snippets, and AI-generated code that pulled in an SDK nobody reviewed add up to data flows that exist in production but not in your policy.
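As an added example (this is not code from the article, and the hostnames in it are constructed placeholders on the reserved .example domain), the Node.js snippet below does the first step of that scan offline: it inventories every host that an HTML page would contact through script, img, iframe and link tags, resolves relative and protocol-relative URLs, skips data: URLs that cause no network request, and separates first-party hosts (an assumed allowlist) from third parties. The sample page is constructed to contain the kinds of forgotten flows the paragraph describes: an analytics SDK loader, a retargeting pixel that appears twice, and a support widget.

```javascript
// Added example, not from the original article. Runs under Node.js with no
// dependencies. Hostnames below are constructed placeholders (.example TLD).

// Assumed first-party hosts; anything else is reported as a third party.
const FIRST_PARTY_HOSTS = new Set(['app.example', 'static.app.example']);

// Constructed sample page: a bundled app, a forgotten analytics SDK loader,
// a retargeting pixel loaded twice, a support widget, and a data: image.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.bundle.js"></script>
<script async src="https://cdn.analytics-vendor.example/sdk.js"></script>
<script src="//tag.ad-network.example/pixel.js"></script>
<link rel="preconnect" href="https://api.support-widget.example">
</head><body>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="">
<img src="https://tag.ad-network.example/px?ev=pageview" width="1" height="1">
<iframe src="https://chat.support-widget.example/embed"></iframe>
<script>window.dataLayer=[]</script>
</body></html>`;

// Matches the src/href attribute on the tags that make a browser contact a host.
// Inline <script> blocks have no src and are ignored here.
const TAG_RE = /<(script|img|iframe|link)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Hostname a URL attribute resolves to, or null when no request is made.
function originOf(url, pageHost) {
  if (url.startsWith('data:') || url.startsWith('blob:')) return null; // no network request
  if (url.startsWith('//')) url = 'https:' + url;                      // protocol-relative URL
  try {
    // Relative paths resolve against the page's own host.
    return new URL(url, `https://${pageHost}/`).hostname;
  } catch {
    return null; // unparsable attribute value
  }
}

// Returns [{ host, tags, firstParty }] sorted by host, one entry per host.
function inventoryThirdParties(html, pageHost, firstPartyHosts = FIRST_PARTY_HOSTS) {
  const byHost = new Map();
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const host = originOf(m[2], pageHost);
    if (!host) continue;
    const entry = byHost.get(host) || {
      host,
      tags: new Set(),
      firstParty: host === pageHost || firstPartyHosts.has(host),
    };
    entry.tags.add(tag);
    byHost.set(host, entry);
  }
  return [...byHost.values()]
    .map((e) => ({ ...e, tags: [...e.tags].sort() }))
    .sort((a, b) => a.host.localeCompare(b.host));
}

// Just the hosts that need a vendor contract or an opt-out decision.
function thirdPartyHosts(html, pageHost) {
  return inventoryThirdParties(html, pageHost)
    .filter((e) => !e.firstParty)
    .map((e) => e.host);
}

for (const e of inventoryThirdParties(SAMPLE_HTML, 'app.example')) {
  console.log(`${e.firstParty ? 'first-party ' : 'THIRD-PARTY '}${e.host} via ${e.tags.join(',')}`);
}
```

The output is a list of hosts, not a compliance verdict: each third-party host then has to be matched to a vendor contract and classified as service provider, sale, or share. Running it against every page template (and the app's mobile build, which this static scan does not see) is what turns "we use analytics" into an actual data-flow inventory.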
Review your vendor contracts. If they don't explicitly restrict the vendor from retaining, using, or disclosing personal information for any purpose beyond the specific service you contracted for, you need amended Data Processing Agreements.
If you sell or share data (and remember: passing hashed emails to an ad platform for retargeting counts as "sharing" under CCPA), implement a functional opt-out mechanism and test it with GPC-enabled browsers.
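As an added example serving both the "Missing or broken opt-out mechanisms" section above and the test in this step (this is not code from the article or from any vendor it names), the Node.js snippet below shows the decision a request handler has to make before it forwards an event to a retargeting pixel or audience upload. The Sec-GPC: 1 request header, the navigator.globalPrivacyControl page flag, and the /.well-known/gpc.json resource are defined by the Global Privacy Control specification; the cookie names ccpa_optout and ccpa_optin, the knownAge field, and the sample requests are assumptions made up for illustration. An opt-out, whether stored or signalled by GPC, is checked before any opt-in so that a consent on file never overrides it.

```javascript
// Added example, not from the original article. Runs under Node.js with no
// dependencies. Cookie names, the knownAge field and the sample requests are
// assumptions for illustration; the header and well-known resource are from
// the GPC specification.

// A browser with GPC enabled sends the request header "Sec-GPC: 1". The spec
// defines only the value "1"; anything else is treated as no signal.
function gpcSignalled(headers) {
  const v = headers['sec-gpc']; // Node lowercases incoming header names
  return (Array.isArray(v) ? v[0] : v) === '1';
}

// Parse a Cookie header into a name -> value map (assumed simple format).
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Decide whether this request may feed a "sale" or "share" (e.g. a retargeting
// pixel or a lookalike-audience upload). knownAge is the age the business
// actually knows for the consumer, or null. The reason is returned so it can
// be written to an audit log next to the decision.
function saleOrShareAllowed(req) {
  const cookies = parseCookies(req.headers['cookie']);
  if (cookies.ccpa_optout === '1') return { allowed: false, reason: 'stored opt-out' };
  if (gpcSignalled(req.headers)) return { allowed: false, reason: 'Sec-GPC: 1 honored as opt-out' };
  if (req.knownAge !== null && req.knownAge !== undefined && req.knownAge < 16) {
    // Under 16 is opt-in: under 13 via a parent or guardian, 13 to 15 the minor's own consent.
    return cookies.ccpa_optin === '1'
      ? { allowed: true, reason: 'affirmative opt-in on file for a minor' }
      : { allowed: false, reason: 'consumer under 16 without opt-in' };
  }
  return { allowed: true, reason: 'no opt-out signal' };
}

// Body for GET /.well-known/gpc.json, which tells browsers the site honors GPC.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample requests as a pixel endpoint might see them.
const SAMPLE_REQUESTS = [
  { name: 'gpc browser',         headers: { 'sec-gpc': '1' },                            knownAge: null },
  { name: 'stored opt-out',      headers: { cookie: 'sid=abc; ccpa_optout=1' },          knownAge: null },
  { name: 'minor, no opt-in',    headers: { cookie: 'sid=abc' },                         knownAge: 15 },
  { name: 'minor, opted in',     headers: { cookie: 'sid=abc; ccpa_optin=1' },           knownAge: 15 },
  { name: 'gpc beats opt-in',    headers: { 'sec-gpc': '1', cookie: 'ccpa_optin=1' },    knownAge: 15 },
  { name: 'adult, no signal',    headers: { cookie: 'sid=abc' },                         knownAge: 34 },
  { name: 'malformed gpc value', headers: { 'sec-gpc': 'true' },                         knownAge: null },
];

for (const r of SAMPLE_REQUESTS) {
  const d = saleOrShareAllowed(r);
  console.log(`${r.name.padEnd(20)} -> ${d.allowed ? 'ALLOW' : 'BLOCK'} (${d.reason})`);
}
```

To test the mechanism the way a regulator would, send the same request with and without the Sec-GPC header to every endpoint that forwards data to an ad or analytics vendor, and confirm that the vendor call is suppressed, not just that a banner changes state. Browser-side pixels need the equivalent check on navigator.globalPrivacyControl before the vendor tag is injected.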
The GM settlement makes one thing clear: California regulators are done with vague promises and retrofitted privacy policies. They're reading your vendor contracts, auditing your actual data flows, and counting violations per user. The next $12 million penalty won't go to an automaker—it'll go to a SaaS company that assumed "analytics" and "service provider" were magic words that made CCPA obligations disappear. Don't let it be yours.
Frequently Asked Questions
What counts as "selling" personal information under CCPA?
Selling means disclosing personal information to a third party for monetary or other valuable consideration. CCPA separately defines "sharing" as disclosure for cross-context behavioral advertising, with or without payment. Sending hashed emails to an ad platform for retargeting falls under sharing (a hashed email is still personal information because it can be matched back to the person), so the notice and opt-out obligations apply even when no money changes hands.
Do service provider contracts really need specific CCPA language?
Yes. Contracts must prohibit the vendor from retaining, using, or disclosing personal information for any purpose other than performing the specified service. Boilerplate confidentiality clauses don't satisfy this requirement.
How are CCPA violations counted for penalty purposes?
Violations are typically counted per consumer, not per incident. If you improperly shared data for 10,000 California users without required opt-out mechanisms, that's 10,000 potential violations at $2,500–$7,500 each.
Does CCPA require consent before placing cookies like GDPR does?
No—CCPA relies on notice at collection plus an opt-out right for sales and sharing rather than prior consent. You must provide that notice, a working opt-out mechanism, and automatic handling of Global Privacy Control signals. Consumers known to be under 16 require opt-in consent before their data is sold or shared.
What is data minimization and why did it matter in the GM case?
Data minimization requires that collection, use, and retention be reasonably necessary and proportionate to the disclosed purpose. GM retained driving data far beyond what OnStar services required, then repurposed it for commercial sale—violating both minimization and purpose limitation principles.
If my SaaS processes data for enterprise clients, am I still liable under CCPA?
Role classification depends on your actual data practices and contract terms. If you reuse customer data for benchmarking, product analytics beyond defined business purposes, or marketing optimization, you may not qualify as a pure service provider and could face direct CCPA obligations.
