Consumer Protection Dispatch
On May 8, 2026, California Attorney General Rob Bonta, joined by district attorneys from San Francisco, Los Angeles, Napa and Sonoma counties, announced a proposed $12.75 million settlement with a connected vehicle services provider over alleged CCPA violations involving the collection, retention, use and disclosure of vehicle data. The California Privacy Protection Agency’s Enforcement Division assisted in the investigation, which followed a broader CPPA sweep of connected vehicle privacy practices.
The AG called it the largest CCPA penalty in California history—and the state’s first public enforcement action focused on the CCPA’s data minimization requirement.
Although the settlement involves connected vehicles, it signals how California regulators may evaluate data practices involving precise geolocation, behavioral data, connected devices, secondary data uses, retention and third-party disclosures more broadly.
Key terms of the proposed judgment include:
- Consent for driving data. Consent is required before collecting, using or disclosing covered driving data to a third party, subject to specified exceptions for emergency response, consumer-initiated communications, vehicle safety, legal compliance, diagnostics, warranty administration, cybersecurity, research, product improvement and related purposes.
- Enhanced consumer notices. The proposed judgment requires clear and conspicuous privacy notices during connected-services enrollment and requires dealer-facing materials to instruct personnel to provide consumers an opportunity to review applicably privacy notices and provide any required consent before enrollment.
- Additional consumer controls. California consumers can disable precise geolocation collection where the vehicle supports it and must be given a mechanism to disable remote data collection if they decline or unenroll from connected services, subject to limited exceptions.
- Maintain a privacy compliance program. The mandated privacy program requires the company to conduct privacy assessments and submit annual reports to California regulators which must be reviewed and approved by the company’s chief privacy officer.
The settlement is a notable indicator of how California will apply CCPA’s data minimization rule, a requirement that has drawn far less enforcement attention than the CCPA’s sale and sharing opt-out provisions.
Data Minimization as an Enforcement Theory
As AG Bonta stated, the action “underscores the importance of the data minimization in California’s privacy law,” including that “companies can’t just hold on to data and use it later for another purpose.” The CCPA requires that “A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” Civil Code § 1798.100(c).
Identifying a reason to collect data is not enough. Businesses must also evaluate whether the volume and sensitivity of data collected, the retention period, and any subsequent use or disclosure remain reasonably necessary and proportionate to a disclosed, compatible purpose. In practice, businesses should be able to answer: Why is each data element collected? Why is it retained for a given period? Could a less sensitive, aggregated or de-identified dataset achieve the same goal?
Purpose Limitation and Secondary Uses of Data
The settlement illustrates how data minimization and purpose limitations work together. Section 1798.100(c) allows personal information to be processed for its original purpose or another disclosed, compatible purpose but prohibits processing incompatible with those purposes.
That doesn’t mean data collected through a consumer product can never be used for analytics, advertising, monetization or third-party purposes. But businesses must evaluate whether the secondary use is reasonably necessary and proportionate, and whether it triggers additional notice, consent or opt-out obligations. Before repurposing data, businesses should assess the original collection context, the disclosures made at the time of collection, consumers’ reasonable expectations and any CCPA rights the new use may trigger.
Precise Geolocation Remains a High-Risk Category
The matter also underscores the sensitivity of precise geolocation data. Connected products, mobile applications, wearables, vehicles, smart devices and other sensor-enabled services may collect location information that reveals highly personal details about where individual’s live, work, receive medical care, worship, attend school or spend time.
Businesses collecting precise geolocation data should evaluate whether precise location is needed for each stated purpose, whether less granular data would suffice, and whether the data can be deleted, aggregated or deidentified once the purpose is fulfilled.
Notices, Consent and Consumer Controls Should Match Actual Data Flows
The settlement makes clear that consumer disclosures must reflect actual backend data practices, particularly in connected-device ecosystems where enrollment may occur through websites, mobile apps, call centers, in-product interfaces, dealerships, retail partners or other intermediaries.
In connected-device environments, data may be collected automatically after enrollment or through embedded technology or related mobile apps. Companies therefore should test whether consumer choices are propagated across systems and honored by third-party integrations, vendors, service providers and other recipients.
Operationalizing Privacy Governance
The proposed judgment also highlights the importance of operationalizing privacy governance. Written policies mean little unless they are embedded in product development, data strategy, vendor management, retention, and business development. Companies should ensure privacy reviews are triggered before new data uses begin, that reviews are documented, and that privacy teams have visibility into data-sharing arrangements.
For secondary data uses, companies should document assessments covering notice, consumer choice, purpose compatibility, data minimization, sensitive data handling, retention, third-party contracts and downstream restrictions
Key Compliance Considerations
The lessons here extend well beyond connected vehicles. Any business collecting or monetizing personal information—through mobile apps, adtech, employee monitoring, wellness tech, AI systems or IoT—should audit whether actual data flows match disclosures, and whether data use and retention align with CCPA’s minimization and purpose limitation requirements.
This is especially pressing for companies using historical consumer data for AI training, personalization, analytics, or other secondary purposes. The key questions: Are those uses reasonably necessary and proportionate to the original collection purpose? Do contracts, consent flows, opt-out mechanisms, deletion practices and vendor controls reflect actual downstream use?
Pillsbury helps clients navigate privacy, AI governance and data-use regulation including compliance, investigations and litigation. Companies with questions about CCPA’s minimization and purpose limitation requirements, or related AI and data governance issues, should contact our Data Privacy & Cybersecurity team.