🔴 TOP STORY
GM Fined $12.75M in Landmark CCPA Enforcement Action
California Attorney General Rob Bonta, partnering with the CPPA and multiple district attorneys, announced a $12.75 million civil penalty settlement with General Motors — the largest CCPA fine in California history and the first enforcement action under CCPA's data minimization and purpose limitation provisions. GM collected and sold precise geolocation and driving behavior data from its OnStar Smart Driver program to insurance data brokers LexisNexis and Verisk without adequate disclosure or consent. GM must stop selling driving data to consumer reporting agencies for five years and delete retained driving data within 180 days.
Why it matters: Any company collecting behavioral or location data through connected products faces the same exposure. California has now signaled it will enforce data minimization as aggressively as breach and opt-out failures.
What to do: Audit every data stream from connected products or services. Ensure explicit in-app consent dialogs exist before telematics or behavioral data is shared with third parties. Restrict downstream data sales programmatically and document your purpose limitation controls (PCF-01, PCF-04).
Source: CA AG Press Release | CPPA Announcement
---
ALSO TODAY
⚠️ 28 DAYS — UK DUA Act: Mandatory Complaint-Handling Rules Take Effect June 19
The UK ICO has issued a one-month warning: new mandatory data protection complaint-handling requirements under the Data (Use and Access) Act 2025 take effect June 19, 2026. All UK data controllers must establish accessible, multi-channel complaint processes (including social media), acknowledge complaints within 30 days, and update privacy notices — no grace period.
Source: ICO Guidance
---
🇪🇺 ACTIVE — EDPB Transparency Sweep Now Live Across 25 EU DPAs
The EDPB's 2026 Coordinated Enforcement Framework (CEF) action on GDPR Articles 12–14 is actively underway: 25 national DPAs are contacting controllers through formal investigations and fact-finding exercises. Fines can follow. A consolidated EDPB report is due H2 2026.
Source: EDPB CEF 2026
---
📅 67 DAYS — California DROP Platform: August 1 Enforcement Deadline
California's Delete Request and Opt-Out Platform (DROP) has been live since January 1, 2026. As of August 1, 2026, data brokers must process and fulfill DROP deletion requests with no cure period — non-fulfillment triggers immediate enforcement exposure.
Source: CPPA Regulations
---
⏰ DEADLINE ALERT
June 19, 2026 — 24 business days: UK DUA Act 2025 mandatory complaint-handling requirements take effect for all UK data controllers. No grace period. Update privacy notices and build multi-channel complaint intake now.
---
✅ ONE THING TO DO TODAY
Review your privacy notices for complaint-handling language. If you have UK customers or users, add a clear statement of the right to complain — and verify your team has a 30-day acknowledgement workflow in place before June 19.
---
Tomorrow's Focus: AI Governance — the week's most significant AI regulation and policy developments.
CyberEyeQ — Actionable Regulatory Intelligence