Packaging Daily

U.S. States Build Divergent EV Data Rules, Raising OTA Compliance Costs

U.S. states are enacting divergent EV data privacy and OTA transparency rules, creating a compliance patchwork that raises costs and governance demands for automakers.

A patchwork of state-level data privacy laws targeting connected and electric vehicles is expanding rapidly, forcing automakers to navigate a fragmented regulatory landscape with separate obligations for over-the-air software updates, geolocation tracking, and consumer consent disclosures. The rules, enacted or actively enforced across California, Oregon, Texas, Connecticut, and Virginia, differ substantially on data portability, opt-out mechanisms, and third-party sharing, creating what legal analysts at Nelson Mullins describe as a shift in which vehicle-generated data is no longer viewed as a byproduct of innovation, but as a category of highly sensitive consumer information warranting strict regulatory oversight.

Background

The regulatory wave follows years of scrutiny over the volume and sensitivity of data modern connected vehicles collect. According to a 2026 CNN investigation cited by legal analysts, 90 percent of new cars track driving every three seconds, monitoring speed, braking, phone use, and exact location. A 2023 Mozilla Foundation study found that 92 percent of car brands give drivers little or no control over their personal data, findings that have since underpinned legislative action in multiple states. At the federal level, the absence of a unified national framework has left the space open to state-by-state rulemaking. Unlike Europe's GDPR, the U.S. lacks a single, unified data privacy law governing connected vehicle data, creating compliance asymmetry for OEMs selling across state lines. The issue extends directly to OTA updates: because software-defined vehicles can alter data collection capabilities post-sale, regulators increasingly treat OTA mechanisms as a trigger for consent and disclosure obligations rather than merely a software logistics channel.

Details

California's Privacy Protection Agency (CPPA) launched a formal review of connected vehicle privacy practices in July 2023 and remains the most active state-level enforcer. In March 2025, the California AG announced an investigatory sweep into the location data industry, focusing on whether businesses were providing consumers with adequate rights to opt out of the sale or sharing of geolocation information, which is classified as sensitive personal information under the CCPA. Oregon went further legislatively: it updated its privacy law in 2025 to cover motor vehicle manufacturers and affiliates that control or process personal data obtained from a consumer's use of a motor vehicle, with a universal opt-out requirement taking effect in January 2026. These changes allow Oregon-registered vehicle owners to formally request access, deletion, and opt-out of the sale of vehicle-generated data, including back-end marketing profiles derived from telematics.

In Texas, enforcement took a litigation route. In January 2025, the Texas AG sued an insurer and its analytics affiliate for "unlawfully collecting, using, and selling over 45 million Americans' driving data to insurance companies," citing violations of the Texas Data Privacy and Security Act. Connecticut's AG separately issued dozens of violation notices and warning letters to companies in 2025, with a focus on connected vehicles and data showing drivers' location and driving habits. Virginia's Senate passed a bill in February 2026 that would amend Virginia's Consumer Data Protection Act to ban the sale of precise geolocation data.

At the federal level, the FTC's January 2026 settlement with General Motors and OnStar established a benchmark. The settlement includes a five-year ban on disclosing geolocation and driver behavior data to consumer reporting agencies, and requires the manufacturer to provide customers the ability to disable geolocation data collection from their vehicles. Bipartisan federal legislation, the Auto Data Privacy and Autonomy Act, reintroduced in December 2025, would prohibit OEMs from sharing, selling, or leasing collected customer data without explicit consent and require access to vehicle data through NIST-defined technology-neutral standards, but the bill has not yet passed.

Industry projections estimate vehicle data monetization could reach as much as $750 billion by 2030, according to the bill's sponsors, a financial context regulators and litigants cite as an incentive for opaque data practices. The global automotive OTA updates compliance market, valued at $4.8 billion in 2025, is projected to reach $18 billion by 2036, implying a 12.75% CAGR, according to Future Market Insights, with growth driven by mounting state-mandated data governance obligations alongside cybersecurity requirements.

Consumer advocates have also highlighted transparency gaps in OTA update disclosures. According to Consumer Reports, some automakers make it difficult for drivers to know what will change when they install an OTA update, with release notes that can be "quite terse".

Outlook

Legal analysts at Nelson Mullins project that in 2026, automakers should anticipate more aggressive enforcement, more state-specific rules, and more pressure to demonstrate responsible data stewardship. Automakers operating across multiple jurisdictions face a compounding burden: Oregon's opt-out rules, California's geolocation enforcement, Texas litigation risk, and prospective Virginia restrictions each carry distinct technical implementation requirements for connected vehicle platforms. California and New York have both enacted laws requiring that, by July 1, 2028, all connected vehicles offer a built-in method to immediately disable location tracking from inside the vehicle, signaling that hardware-level changes to future EV architectures will also be required. Without federal preemption, OEMs and their Tier-1 suppliers face the prospect of maintaining state-specific compliance architectures for data governance, consent management, and OTA update transparency across the U.S. market.