Written by: Haim Ravia, Dotan Hammer
In a significant wave of privacy enforcement, state attorneys general and financial regulators in California, Texas, and New York have targeted major corporations over the alleged mishandling of consumer data. From the secret sale of driving habits to “surveillance” of streaming behavior and cybersecurity lapses, these actions signal a tightening grip on how Big Tech, automotive giants, and financial institutions manage personal information.
California Attorney General Rob Bonta recently announced a $12.75 million settlement with General Motors (GM) regarding the illegal sale of location and driving data belonging to hundreds of thousands of Californians. This marks the largest penalty for a California Consumer Privacy Act (CCPA) violation to date and the state’s first enforcement action focused on “data minimization”.
The investigation revealed that between 2020 and 2024, GM sold precise geolocation and driving behavior data to data brokers, including LexisNexis and Verisk Analytics, to develop driver-rating products for insurance companies. While GM reportedly generated $20 million nationwide from these sales, it allegedly misled consumers by stating it did not sell such data and implying that information was only used for OnStar services. Under the settlement, GM must cease selling driving data to consumer reporting agencies for five years and delete all unnecessarily retained data.
Simultaneously, Texas Attorney General Ken Paxton filed a landmark lawsuit against Netflix, accusing the streaming giant of a “bait-and-switch” surveillance operation. The lawsuit alleges Netflix spent years promising an ad-free, kid-friendly platform while quietly recording billions of “behavioral events” for monetization. Texas claims Netflix operates as a “logging company” that records every click, pause, and scroll to build detailed consumer profiles, which it then shares with data brokers like Experian and Acxiom.
A central component of the Texas suit is Netflix’s use of “dark patterns,” such as autoplay, which the state claims are engineered to be addictive and keep users—especially children—glued to screens to maximize data harvesting. The state seeks to force Netflix to disable autoplay on kids’ profiles by default and stop collecting children’s behavioral data without express parental consent.
In New York, the Department of Financial Services (DFS) secured a $2.25 million penalty from Delta Dental for violations of the state’s nation-leading cybersecurity regulation. An investigation found that inadequate incident response policies allowed threat actors to exploit a 2023 vulnerability in MOVEit Transfer software, leading to the exfiltration of sensitive personal data. The exposed information included Social Security numbers, financial account details, and patient health records. DFS determined that Delta Dental failed to dispose of data that was no longer necessary and neglected to report the breach within the required 72-hour window.