California and Texas are pursuing sharply different regulatory approaches to connected vehicle data, forcing automakers and aftermarket providers to navigate competing compliance obligations as over-the-air software updates expand the volume and sensitivity of data generated by modern vehicles.
The divergence has moved from legislative debate to active enforcement. In March 2025, the California Privacy Protection Agency (CPPA) settled with American Honda Motor Co. for $632,500 over alleged violations of the California Consumer Privacy Act (CCPA), covering how Honda disclosed location data to third-party advertisers and handled consumer privacy rights. One month earlier, in January 2025, the Texas Attorney General filed the first-ever enforcement action under the Texas Data Privacy and Security Act (TDPSA), suing Allstate and its analytics subsidiary Arity for allegedly collecting and selling geolocation and driving behavior data from over 45 million Americans without proper consent. The two actions, separated by weeks, signal that both states now treat vehicle-generated data as a high-priority enforcement area-but from markedly different regulatory philosophies.
Background
California's CPPA first announced a review of connected vehicle privacy practices in July 2023, marking the first time the agency used its enforcement review powers under the CCPA since the law's implementing regulations took effect. Under the CCPA, precise geolocation data is classified as sensitive personal information, granting consumers the right to know what data is collected, the right to delete it, and the right to opt out of its sale or sharing. In March 2025, the California Attorney General separately launched an investigatory sweep of the location data industry, including connected vehicle providers, to assess whether businesses were offering consumers adequate opt-out mechanisms.
Texas has taken a structurally different approach. The Texas Data Privacy and Security Act, enacted in 2023 with major provisions taking effect January 1, 2025, grants Texans rights to access, correct, delete, and obtain copies of personal data collected by businesses and requires businesses to obtain consent before collecting sensitive data. However, Texas does not provide an opt-out option from statutorily authorized DMV data-sharing arrangements. The state's enforcement posture focuses on covert collection rather than broad disclosure mandates.
Details
The enforcement gap between the two states is widening as OTA update capabilities expand the data surface area across connected vehicle fleets. Globally, over 78 million vehicles were equipped with OTA capabilities in 2024, with infotainment systems representing 34%, electronic control units 28%, telematics control units 22%, and safety and security modules 16% of total OTA deployment. The automotive OTA updates compliance market surpassed $4.8 billion in 2025 and is projected to reach $5.41 billion in 2026, with momentum tied to regulatory mandates for vehicle cybersecurity and software traceability. Each OTA update cycle can alter vehicle functionality, data collection parameters, and third-party data-sharing arrangements-changes that may require fresh disclosure under California's CCPA but may not trigger equivalent notification obligations in Texas.
On the legislative front, Texas is considering further expansion of vehicle data access rights. Texas HB 4555, introduced by State Representative Pat Curry, would require manufacturers to provide each vehicle owner with unrestricted access to all vehicle-generated data at no cost, through a standardized platform, without requiring the use of any manufacturer-mandated decryption device. The companion bill, SB 2748, would extend this mandate to include non-repair data, going beyond what existing right-to-repair agreements between OEMs and the repair industry currently cover. The Automotive Service Association has voiced opposition to state-level vehicle data laws, warning that multi-state repair facilities would face fragmented compliance requirements.
The Texas AG's lawsuit against Allstate and Arity illustrates how OTA-adjacent data flows can attract enforcement even under a comparatively permissive framework. According to the Texas AG, Arity embedded a software development kit into popular third-party mobile apps-including Life360, GasBuddy, and Routely-to continuously track users' real-time location, speed, acceleration, and braking without their knowledge or consent. The AG alleged that Arity marketed the resulting dataset as the "world's largest driving behavior database," which Allstate then used to underwrite insurance policies and sold to other carriers.
Outlook
Federal legislation remains uncertain. The REPAIR Act, a federal bill that would have created a national framework for vehicle data access, was not passed by the 118th Congress and was marked inactive as of January 2025. In December 2025, a new bill introduced in the U.S. House would require automakers to provide vehicle owners with access to and use of motor vehicle data, but it has not advanced. Without a federal standard, automakers and aftermarket data providers will continue to face a state-by-state patchwork. Industry groups are pushing for a single national rule; California and Texas show how far apart that starting point remains.
