California's CCPA enforcer said $12.75M might not be high enough
On May 8, California settled with General Motors for $12.75 million, the largest CCPA penalty in state history. California has been building that enforcement record since 2022.
Each year, the theory of liability has expanded and the penalty went up. Right now, GM is where that line currently sits. So, how did we get here? And, what comes next?
The 4 cases
Sephora, August 2022. The AG alleged Sephora shared customer data with advertising networks without disclosure. That sharing counted as a "sale" under California law even without direct payment. This case set the interpretation that later CCPA liability has followed. Sephora had 30 days to cure after receiving a notice of violation. It didn't. The AG ran a deeper investigation and found additional violations. Final penalty: $1.2 million.
Tractor Supply, September 2025. A consumer complaint opened the investigation. The CPPA found that Tractor Supply's "Do Not Sell My Personal Information" link didn't actually stop the sale or sharing of data, and that the company hadn't configured its site to recognize Global Privacy Control (GPC) signals as valid opt-outs until mid-2024. Final penalty: $1.35 million.
Disney, February 2026. The case came out of a 2024 investigative sweep targeting streaming services. Disney's opt-out process required users to submit separate requests for each device and app, even when logged into a single account. The AG's position: partial compliance is noncompliance. Final penalty: $2.75 million.
GM, May 2026. Through OnStar, GM collected driver location, behavior, and contact data. GM then sold that data to LexisNexis Risk Solutions and Verisk Analytics, making approximately $20 million between 2020 and 2024. California alleged the sales continued long after the data had served its original OnStar purpose and that notice was lacking as well as no specific consent had been obtained. California called it the state's first data minimization enforcement action. The settlement was coordinated across the AG's office, the CPPA, and county district attorneys. Final penalty: $12.75 million.
What triggers an investigation for CCPA
3 pathways have produced enforcement actions, so far.
Consumer complaints are direct. The CPPA reported at its September 2025 board meeting that hundreds of investigations were in progress, many at a stage where the target company didn't know it was under scrutiny. Complaint volume trends up each quarter.
Investigative sweeps are the AG's own mechanism for initiating cases without a complaint. California has run industry-specific sweeps annually since 2022, usually announced around Data Privacy Day in January. The 2024 sweep targeted streaming services and produced the Disney and Sling TV cases. A March 2025 sweep targeted location data brokers. These sweeps don't require a triggering event.
Regulatory monitoring produced the GM case. Investigators traced data from collection through downstream monetization, years later, and found the gap between what GM told consumers and what GM actually did. That investigation didn't start with a complaint.
What every case has in common
Each company had a gap between what it told consumers and what it actually did.
Sephora said it didn't sell data. It did. Tractor Supply had an opt-out link. It didn't work. Disney processed opt-out requests. Not across all devices. GM collected data for vehicle features. Then sold it to insurance brokers years later – without telling the consumer.
In each case, the company with the consumer relationship was liable for what its downstream partners did. Sephora was liable for what its advertising partners did. GM was liable for what LexisNexis and Verisk did with data GM sold to them. Third-party monetization doesn't change the liability analysis.
GPC noncompliance appears in nearly every case. Sephora, Tractor Supply, and Disney all failed to honor Global Privacy Control signals as valid opt-out requests. This has been California law since 2020. Regulators are still finding companies that haven't implemented it.
What to do about it
4 areas have generated the most liability across these cases.
Regulators test opt-out mechanisms in practice. They check whether requests actually propagate across devices, services, and third-party partners. If the signal doesn't flow, the policy doesn't matter.
Know where your data goes after it leaves your systems. What are your downstream partners doing with it, and does your consumer-facing disclosure actually cover that use? GM's liability traced from OnStar collection to what LexisNexis and Verisk did with the data years later.
Audit retention schedules against the purposes you disclosed to consumers. The GM settlement established that retaining and monetizing data past its original purpose is a data minimization violation. If you can't say why you're still holding a specific data set, that's a gap.
If your website doesn't recognize GPC signals as valid opt-out requests, you're out of compliance with California law that's been on the books since 2020.
The CPPA reported hundreds of active investigations at its September 2025 board meeting. The AG runs a new industry sweep every year. The penalty ceiling went from $2.75 million to $12.75 million in 3 months.
Two things make the next phase harder to ignore than the last one.
First, the fines are going up. CalPrivacy's Deputy Director of Enforcement said at the IAPP Global Summit this week that CCPA penalties "could become a cost of doing business if they're not higher." That's a regulator signaling publicly that $12.75M isn't the finish line.
Second, California changed how enforcement is funded. Under the old model, 91% of fine revenue went into a state investment fund. Under the new model, 95% of every penalty stays inside the privacy regulatory ecosystem, so it’s self-funding the next round of investigations, audits, and litigation. The CCPA enforcement machine is now self-replenishing.
There's one more detail from the GM complaint worth noting. GM had a formal internal privacy program since 2019. It included written restrictions on data use and requirements for impact assessments. California found that program and used it against GM - because GM couldn't produce a risk assessment covering its decision to sell the data. The settlement now requires GM's compliance reports to be reviewed by the CPO and delivered to the offices of the GC and CEO.
A privacy program on paper isn't compliance. California is now asking whether the program actually runs and can you show it.