Connected Cars and the Privacy Crisis You’re Driving Into: What Businesses and Consumers Need to Know

Every time you turn the key — or press the button — on a modern vehicle, you are doing more than starting an engine. You are activating a sophisticated data collection system that tracks where you go, how you drive, who rides with you, and, in some vehicles, what your face looks like while you do it. Connected cars have quietly become one of the most invasive surveillance platforms in everyday life, and the legal and compliance implications for businesses that interact with vehicle data are only now beginning to receive the scrutiny they deserve.

What Modern Vehicles Actually Collect

The scope of data that today’s connected vehicles collect is genuinely staggering. According to industry research, approximately 50% of cars on US roads already had internet connections by 2021, with projections suggesting that figure will approach 95% by 2030. That ubiquity matters because an internet-connected vehicle is not simply a car — it is a data transmission terminal that operates continuously and often invisibly.

The categories of data collected vary by manufacturer and model, but commonly include precise GPS location data for every trip taken, speed, braking, and acceleration patterns, seatbelt usage and other safety-related behaviors, infotainment system usage including connected apps and media, biometric signals such as weight estimates from seat sensors, and in-cabin camera footage from driver-facing systems. Some automaker privacy policies have been drafted broadly enough to include even more sensitive categories. A 2023 analysis by Mozilla examined 25 major car brands and found that every single one failed to meet basic privacy and security standards — a conclusion significant enough that Mozilla called connected cars “the worst product category we have ever reviewed for privacy.”

The Data Broker Pipeline and Its Compliance Consequences

Vehicle data does not stay within the automaker ecosystem. It flows outward through a network of data brokers, insurers, and analytics platforms that buy, sell, and license consumer behavioral profiles. This pipeline has already produced enforcement actions. US regulators took action against General Motors for allegedly selling location data to data brokers without adequate consumer consent. Similar allegations have been leveled at other major manufacturers, and the Federal Trade Commission has made it clear that it views this category of data sharing as a priority enforcement area.

The insurance sector has been a particularly active participant in this market. Driving behavior data — collected through either the vehicle itself or opt-in telematics programs — is being used to calculate premiums, and the consequences for consumers can be significant. Some drivers have seen insurance costs increase after their data was shared with brokers, often without any clear notice that this would occur.

For businesses operating in sectors adjacent to vehicle data — whether as insurers, fleet managers, marketing platforms, or automotive technology vendors — the enforcement landscape is becoming clearer and more demanding. The standard that regulators are moving toward is not whether a consumer agreed to a privacy policy buried in a setup wizard. It is whether that consumer genuinely understood what they were consenting to and had a real opportunity to say no.

A Federal Mandate That Creates New Privacy Risk

The privacy stakes are about to escalate further. US federal law now requires automobile manufacturers to install advanced impaired-driving prevention technology in new passenger vehicles, including infrared biometric cameras and behavioral monitoring systems designed to detect intoxication or fatigue. The safety rationale is legitimate and well-intentioned — impaired driving remains a serious public health issue.

The compliance problem is that the legislation creating this mandate contains no provisions governing what automakers can do with the biometric and behavioral health data these systems will generate. That data — which could include eye movement patterns, reaction time metrics, and physiological signals — constitutes sensitive health information under many privacy frameworks. Yet nothing in the current regulatory structure prevents it from flowing into the same data broker pipelines that already carry location and driving behavior data.

Privacy advocates and compliance professionals have flagged this gap as one of the most significant emerging risks in the consumer data space. Biometric health data collected in the context of safety compliance is qualitatively different from location data or driving patterns. Under frameworks like the GDPR, it would attract heightened protections as a special category. Under CPRA, it would trigger additional obligations. But neither framework has yet been applied comprehensively to automotive contexts, and the absence of clear federal guidance leaves businesses in an uncertain position.

The Consent Problem at the Center of Vehicle Privacy

The most persistent compliance failure in the connected vehicle space is not outright deception — it is a structural consent problem that most businesses engaged with vehicle data have not yet adequately addressed.

Automakers and their partners routinely obtain consent through infotainment system setup screens, app installation flows, and terms of service agreements. From a technical standpoint, this creates a record of consent. From a regulatory standpoint, it increasingly does not. The FTC’s enforcement actions in adjacent spaces — most notably its 2026 case against Cox Media Group — have established that burying consent within mandatory terms of service does not constitute opt-in authorization under US consumer protection law. The GDPR has articulated the same principle explicitly for European consumers: consent must be freely given, specific, informed, and unambiguous, and it cannot be bundled with unrelated service terms.

Applied to connected vehicles, this means that a consumer who taps “Agree” on a setup screen to access navigation features has not necessarily consented to having their biometric data sold to insurance companies. Businesses that have built data products on the assumption that such consent is valid face real legal exposure as enforcement agencies and plaintiff attorneys turn their attention to the automotive data ecosystem.

What the Geographic Patchwork of Privacy Law Means for Auto Data

One of the distinctive compliance challenges of vehicle data is that cars travel across jurisdictions, but data subjects carry their legal rights with them regardless of where their vehicle happens to be at the moment data is collected.

In the European Union and the United Kingdom, consumers have the right to access the data collected about them, to request its deletion, and to object to its processing for certain purposes. These rights apply to vehicle data just as they apply to any other form of personal data. The GDPR’s definition of personal data is broad enough to encompass most categories of vehicle telemetry, particularly where that data can be linked to an identifiable individual.

In the United States, the picture is more fragmented. California’s CPRA provides the strongest consumer protections, including the right to opt out of the sale or sharing of personal information and heightened protections for sensitive personal information such as precise geolocation and biometric data. Other states have enacted varying forms of comprehensive privacy legislation, and the pace of new state-level privacy laws continues to accelerate.

For businesses operating across multiple states or internationally, this creates a compliance matrix that must account not just for where the business is incorporated or where data is processed, but for where consumers are located when their vehicle data is collected.

Practical Compliance Steps for Businesses Handling Vehicle Data

The connected vehicle privacy landscape is complex, but the core compliance obligations are consistent with the broader principles that govern consumer data in other contexts. Businesses handling vehicle-derived data should conduct a data inventory that maps every category of vehicle data they receive, process, store, or share. This includes data received from automakers, data brokers, fleet management systems, and telematics providers. The inventory should document the legal basis for processing each category and the consent mechanisms — if any — that support that basis.

Privacy notices must accurately describe vehicle data collection and processing in language that is intelligible to a non-technical reader. Notices that describe data collection in vague or aspirational terms, or that bury automotive data disclosures within general privacy policies, are unlikely to satisfy the specificity requirements that regulators are now enforcing.

Consent mechanisms should be designed to meet the standard of genuine choice rather than procedural compliance. For sensitive categories of data — biometrics, precise location, health-related signals — opt-in consent is the appropriate standard under most applicable frameworks. Pre-checked boxes, mandatory acceptance flows, and buried authorizations do not satisfy this standard.

Third-party vendor relationships deserve particular scrutiny. If your business purchases vehicle data from a broker, resells telematics insights, or integrates automotive data into a marketing or analytics platform, you share exposure for the adequacy of the consent obtained at the point of collection. Vendor due diligence should include a review of the consent practices and privacy notices through which underlying consumer data was obtained.

Finally, data subject rights programs should be designed to handle vehicle data requests. Consumers who exercise their rights under CPRA or GDPR are entitled to know what vehicle data has been collected, to receive copies of it, and in many cases to have it deleted. Organizations that have not built workflows to respond to these requests for automotive data categories are likely to find themselves unprepared as consumer awareness of these rights grows.
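As an added illustration of the data inventory and consent standard described in the steps above (example code written for this edit, not from the article or from Captain Compliance), the following Python audit flags inventory rows that fail the opt-in test: sensitive classes without explicit opt-in, downstream sharing without valid consent, and consent recorded only through pre-checked boxes or bundled terms. The inventory rows, category names and mechanism labels are constructed sample values, not a real program's data.

```python
from dataclasses import dataclass, field

# Data classes the article singles out as sensitive (opt-in required).
SENSITIVE_CLASSES = {"biometric", "precise_location", "health_signal"}
# Consent records the article says do NOT amount to opt-in authorization.
INVALID_OPT_IN = {"prechecked_box", "bundled_tos", "none"}

@dataclass
class InventoryEntry:
    category: str                 # label for this data category (constructed)
    data_class: str               # biometric / precise_location / health_signal / telemetry
    source: str                   # automaker, broker, telematics provider, ...
    legal_basis: str              # consent / contract / legitimate_interest
    consent_mechanism: str        # explicit_opt_in / prechecked_box / bundled_tos / none
    shared_with: list = field(default_factory=list)  # downstream recipients

def audit_entry(entry):
    """Return the compliance gaps for one inventory row (empty list = clean)."""
    gaps = []
    sensitive = entry.data_class in SENSITIVE_CLASSES
    valid_opt_in = (entry.legal_basis == "consent"
                    and entry.consent_mechanism not in INVALID_OPT_IN)
    if sensitive and not valid_opt_in:
        gaps.append(f"{entry.category}: sensitive class '{entry.data_class}' needs "
                    f"explicit opt-in, found {entry.legal_basis}/{entry.consent_mechanism}")
    if entry.shared_with and not valid_opt_in:
        gaps.append(f"{entry.category}: shared with {', '.join(entry.shared_with)} "
                    f"without valid opt-in consent")
    if entry.legal_basis == "consent" and entry.consent_mechanism in INVALID_OPT_IN:
        gaps.append(f"{entry.category}: '{entry.consent_mechanism}' is not a valid consent record")
    return gaps

def audit_inventory(entries):
    """Map each category to its gaps; categories with no gaps are omitted."""
    return {e.category: audit_entry(e) for e in entries if audit_entry(e)}

# Constructed sample inventory (hypothetical values, not from any real program).
SAMPLE_INVENTORY = [
    InventoryEntry("gps_trip_history", "precise_location", "automaker",
                   "consent", "bundled_tos", shared_with=["data_broker", "insurer"]),
    InventoryEntry("cabin_camera_fatigue", "health_signal", "automaker",
                   "consent", "explicit_opt_in"),
    InventoryEntry("seatbelt_usage", "telemetry", "telematics_provider",
                   "legitimate_interest", "none"),
]

if __name__ == "__main__":
    for category, gaps in audit_inventory(SAMPLE_INVENTORY).items():
        print(category, *gaps, sep="\n  - ")
```

Only the location history row is reported: its consent came through bundled terms of service, it is a sensitive class, and it is shared onward to a broker and an insurer, so it trips all three checks.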

The Regulatory Horizon

The connected vehicle privacy space is at an inflection point. Enforcement actions against automakers and data brokers have established that regulators view vehicle data as consumer personal data subject to the full range of applicable privacy protections. The impending rollout of biometric monitoring systems under the federal impaired-driving mandate will dramatically expand both the quantity and sensitivity of data being generated in automotive contexts.

Businesses that treat vehicle data compliance as a peripheral concern — something to address when the first enforcement action lands — are taking on avoidable risk. The regulatory trajectory is clear. The companies that will navigate this landscape successfully are those that build their vehicle data practices around genuine consent, transparent disclosure, and robust data subject rights programs before regulators require them to.

How Captain Compliance Can Help

Managing consent across complex data ecosystems — including the emerging automotive data landscape — requires infrastructure, not just policies. Captain Compliance provides organizations with the tools to build consent management programs that meet the requirements of GDPR, CPRA, and the growing body of US state privacy law. From consent management platforms to Data Protection Impact Assessments and Data Subject Rights portals, Captain Compliance helps businesses get their data practices right before compliance failures become enforcement problems.

If your business handles vehicle data, telematics, or consumer behavioral profiles sourced from connected devices, now is the right time to evaluate your consent architecture and data sharing agreements. Contact us for a free consultation to understand where your exposure lies and what steps will bring your program into alignment with current and emerging requirements.
