CyberEyeQ Daily Briefing — Tuesday, May 19, 2026

Today's Focus: Privacy & Personal Data Protection

Today's Top Story

California secures record $12.75M CCPA settlement from GM and OnStar

On May 8, California Attorney General Bonta, the California Privacy Protection Agency, and a coalition of California district attorneys announced a $12.75 million settlement with General Motors and OnStar over the collection and sale of connected-vehicle data — precise geolocation and driving behavior — from hundreds of thousands of Californians, sent on to data brokers without adequate notice or consent. This is the largest CCPA penalty to date and the first state enforcement action grounded specifically in CCPA's data-minimization and purpose-limitation provisions. GM must stop selling driving data to consumer-reporting agencies (including LexisNexis and Verisk) for five years, delete retained driving data within 180 days absent affirmative consent, and build out a documented privacy-assessment program.

Why it matters: The action sets a new ceiling — and a new theory of liability — for connected-product, telematics, and IoT data. Companies that use behavioral or geolocation data beyond the narrow purpose for which it was collected are now on notice that California will enforce the "necessary and proportionate" test directly, not just notice and consent.

Also Today

Italy's Garante fines two banking apps ~€12.5M combined for invasive device monitoring

The Italian Garante fined two banking-app providers approximately €6.624M and €5.877M (~€12.5M combined) for unlawful processing of millions of users' data via on-device monitoring that users had no realistic way to refuse and still use the apps. Defects were also identified in notice clarity, DPIA scope, retention design, and processor arrangements. Re-review fraud-detection and device-telemetry processing for Italian users; document necessity and proportionality. Source: Gibson Dunn EU DP newsletter

EDPB launches CEF 2026 — Articles 12–14 transparency sweep across 25 DPAs

The European Data Protection Board's 2026 Coordinated Enforcement Framework targets GDPR Articles 12–14 transparency obligations. Twenty-five DPAs will engage controllers across sectors through H1 2026, with a consolidated EDPB report in H2. Pre-emptively re-test layered privacy notices, plain-language standards, and disclosure of third-country transfers before a DPA letter arrives. Source: EDPB launch

Connecticut classifies neural data as sensitive starting July 1 (43 days)

Connecticut Data Privacy Act amendments take effect July 1: neural data joins the sensitive-data definition under an opt-in posture; government identifiers, financial-account elements, and SSNs are added; minor protections expand to ages 13–17 with a blanket ban on targeted advertising and data sale regardless of consent. Reclassify any neural-interface / BCI / EEG product data and rewire minor-protection flows for CT before the effective date. Source: Wiley alert

Deadline Alert

UK — DUAA complaints procedure commences in 31 days (19 June 2026). Controllers must operate an accessible complaints mechanism before ICO escalation. The same Act has already raised PECR fining ceilings to £17.5M or 4% of global turnover. Stand up a documented complaints workflow with intake, triage, response SLAs, and audit logging; publish the procedure in your privacy notice; train DSAR / privacy-ops staff on the new triage path. Source: ICO commencement statement

One Thing to Do Today

Inventory every behavioral, telematics, or geolocation data flow leaving your products, and confirm each one passes CCPA's "necessary and proportionate" test on its own — not just notice and consent. California just enforced that test for the first time, with a $12.75M backstop.

Tomorrow's Focus

Wednesday — AI Governance. Latest on the EU AI Act, US federal AI activity, and state-level AI legislation.

CyberEyeQ — Actionable Regulatory Intelligence

Questions or feedback? Reply to this email or write to [email protected].